Out of curiosity, how many messages per second was the stock syslogd able to process with minimal loss?  What method did you employ to determine loss?  I am setting up a similar logging solution with NG using the db-parser module which takes considerable CPU.  I plan on using Cisco server load balancing to round-robin load balance on N number of syslog nodes to achieve zero loss, but I&#39;m concerned that detecting loss will be difficult.<br>
<br>--Martin<br><br><div class="gmail_quote">On Sat, May 30, 2009 at 12:43 PM, Jan Schaumann <span dir="ltr">&lt;<a href="mailto:jschauma@netmeister.org">jschauma@netmeister.org</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div class="im">Sandor Geller &lt;<a href="mailto:Sandor.Geller@morganstanley.com">Sandor.Geller@morganstanley.com</a>&gt; wrote:<br>
<br>
&gt; This is somewhat expected as syslog-ng parses incoming messages. So my<br>
&gt; I guess is that syslog-ng can&#39;t drain fast enough the receive buffer,<br>
&gt; and the kernel simply drops messages not fitting in the buffer.<br>
<br>
</div>Exactly.<br>
<div class="im"><br>
&gt; It would be good to know whether the source side or the destination<br>
&gt; side is the limiting factor. As you&#39;re using local files myguess is<br>
&gt; the former.<br>
<br>
</div>I&#39;m quite sure the source side is the problem.  Ie, I/O to the file on<br>
disk ought to be reasonably fast (otherwise stock syslogd would have the<br>
same problems).  As you noted, the additional processing that syslog-ng<br>
does for every message it receives seems to cause it to not be able to<br>
process them fast enough to drain the buffers.<br>
<div class="im"><br>
<br>
&gt; &gt;        flags(flow-control)<br>
&gt; &gt;<br>
&gt; &gt; in the log definition.<br>
&gt;<br>
&gt; AFAIK with files/ UDP flow-control is a no-op.<br>
<br>
</div>Ah, good to know.<br>
<div class="im"><br>
&gt; Unfortunately this can&#39;t happen. You can use the &#39;no-parse&#39; option to<br>
&gt; skip initial parsing the messages which could improve performance.<br>
&gt; This means you can&#39;t use the template above as the variables won&#39;t get<br>
&gt; defined.<br>
<br>
</div>I&#39;ll have to give that a try, if only to determine what, if any,<br>
performance difference it causes.<br>
<div class="im"><br>
&gt; Generally when it comes to parsing then syslog-ng could be<br>
&gt; CPU-limited. In this case you should consider deploying multiple<br>
&gt; syslog servers, and share the load. Ideally flow-controlling could be<br>
&gt; turned on the client side as well (using TCP).<br>
<br>
</div>Yes, those are the long-term plans. :-)  Well, we can&#39;t switch all<br>
clients to TCP, since many of them are network/storage devices etc. only<br>
capable of logging via UDP.<br>
<br>
For the time being, though, I need to lay the ground work of getting<br>
syslog-ng as a suitable replacement for the stock syslogd used on our<br>
servers.<br>
<br>
Thanks for your help.  I&#39;ll keep poking at this...<br>
<font color="#888888"><br>
-Jan<br>
</font><br>______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.campin.net/syslog-ng/faq.html" target="_blank">http://www.campin.net/syslog-ng/faq.html</a><br>
<br>
<br></blockquote></div><br>