Gergely, Thanks for any testing you can do. I'm not sure if a SPARC processor is an important testing component or not, I suppose your VMs will help determine this since you'll be using x86. If there's any testing I can do to help things along, please let me know. Yes, I'm (very) scared of rsyslog as a maintainable solution, the configs for syslog-ng are *so* much easier to read and understand. I'll try 3.3 and report back how threading helps things out, I'm glad to hear that it's been pretty stable for you, that was my major concern in testing 3.3 since eventually we'll need this to be in production with our basic (from a config complexity standpoint) requirements. I'll report back how 3.3 works out for me after I get it compiled and up today. Regards, --Mike -----Original Message----- From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Gergely Nagy Sent: Tuesday, April 26, 2011 12:19 PM To: Syslog-ng users' and developers' mailing list Subject: Re: [syslog-ng] Solaris 10 UDP overflows, message drops (A few preliminary answers follow - I'll have another look at this later tonight from home, once I tested a few things on my local solaris vm) "Mishou Michael" <Michael.Mishou@csirc.irs.gov> writes:
I'm going to experiment with syslog-ng and the loggen tool to find a point at which a single syslog-ng instance starts dropping inbound UDP traffic with a simple configuration writing to disk. Once I have that number, I have a few options:
1. Experiment with syslog-ng 3.3 and the new threaded code to see if I have performance gains. I'm hesitant to push Alpha code in production, if anyone has any experience with 3.3 in semi-production environment running consistently I'd love to hear it.
I've been running 3.3 on most systems I administer (2 of my own servers + a few I administer for friends; and all of my virtual machines). It's been serving me fine for the past 4 months now. However, most of my systems are also linux systems, where syslog-ng is much better tested (and I'm not using UDP at all). Personally, I'd give it a test run, as current 3.3 is fairly stable.
3. Give up on syslog-ng until 3.3, or move to some other solution. Not sure what I could do here, rsyslog is the other major contender I guess, not sure what gains I would get. Could also do native syslog server and post-process to different buckets/relay which is what we mainly use syslog-ng for.
I wouldn't consider rsyslog. It's a nightmare to maintain that, and an even bigger nightmare to get it to perform well in any but the most trivial situations. (Or it might be just me being too used to good documentation and readable config files, but I'm fairly sure it's not just that :P) -- |8] ________________________________________________________________________ ______ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.campin.net/syslog-ng/faq.html