Thanks for the suggestion. Sending it over to the docs team. ----- Original message -----
Hmm. the numbers you are seeing are indeed low, with sufficient buffer sizes I could get up to the 20k message/sec range with syslog-ng...
It's better now, having adjusted the buffer sizes way up. I'd like to recommend a change to the documenation. In section 7:
http://www.balabit.com/sites/default/files/documents/syslog-ng-admin-guide_e...
The issue of buffer size is addressed like this:
"This section provides tips on optimizing the performance of syslog-ng. Optimizing the performance is important for syslog-ng hosts that handle large traffic... When receiving lots of messages using the UDP protocol, increase the size of the UDP receive buffer on the syslog-ng hosts."
I would suggest that with the default Linux kernel values for UDP receive buffer size, adjusting the UDP receive buffer size is necessary to get performance above "crappy". That is, this isn't just a necessity for "high volume" sites; it should probably be a recommended practice for anyone planning on accepting UDP syslog messages on a Linux host. Making this more prominent in the documentation might save a lot of people from the rude surprise that comes with the default buffer sizes.
Things are running much better now having made these changes. I'm going to write up the performance test I did in a little more detail and stick it online somewhere, hopefully saving someone else a little bit of time in the future.