Martin Holste <mcholste@gmail.com> wrote:
> Out of curiosity, how many messages per second was the stock syslogd able to process with minimal loss?
Between 15K and 18K / s.
> What method did you employ to determine loss?
Effectively:

    n1=$(netstat -s -p udp | awk '/dropped due to full socket/ { print $1 }')
    sleep 5
    n2=$(netstat -s -p udp | awk '/dropped due to full socket/ { print $1 }')

(In reality, there's a tool that works much like sar(1) does and I can query it for stats, but underneath it happens to use the above logic.)
> I am setting up a similar logging solution with NG using the db-parser module which takes considerable CPU. I plan on using Cisco server load balancing to round-robin load balance on N number of syslog nodes to achieve zero loss.
What's your plan for handling the messages on the N nodes? Will they all just log to their own filesystem, write to a shared filesystem, write into a database, forward to another system, ... ?

-Jan
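
The two-sample counter method described in the message above, carried through to a per-second drop rate and loss percentage. This is an added example, not code from the thread: the function names, the snapshot values and the "datagrams received" denominator are assumptions, and the snapshots are constructed in BSD `netstat -s -p udp` layout.

```shell
#!/bin/sh
# Constructed sample snapshots, 5 seconds apart (not real measurements).
SNAP1='udp:
	1500000 datagrams received
	120 dropped due to no socket
	4200 dropped due to full socket buffers
	1495680 delivered'
SNAP2='udp:
	1585000 datagrams received
	120 dropped due to no socket
	4650 dropped due to full socket buffers
	1580230 delivered'

# udp_counter TEXT PATTERN (hypothetical helper)
# Prints the leading number of the first line matching PATTERN; fails if absent.
udp_counter() {
    printf '%s\n' "$1" | awk -v pat="$2" \
        '$0 ~ pat { print $1; found = 1; exit } END { if (!found) exit 1 }'
}

# loss_report BEFORE AFTER INTERVAL_SECONDS (hypothetical helper)
# Prints "<received/s> <dropped/s> <loss %>".
# Returns 2 if a counter is missing, 3 if a counter went backwards.
loss_report() {
    r1=$(udp_counter "$1" 'datagrams received') || return 2
    r2=$(udp_counter "$2" 'datagrams received') || return 2
    d1=$(udp_counter "$1" 'dropped due to full socket') || return 2
    d2=$(udp_counter "$2" 'dropped due to full socket') || return 2
    # A decreasing counter means a reboot or wrap between samples:
    # the delta is meaningless, so refuse to report a rate.
    [ "$r2" -ge "$r1" ] && [ "$d2" -ge "$d1" ] || return 3
    awk -v r=$((r2 - r1)) -v d=$((d2 - d1)) -v t="$3" 'BEGIN {
        pct = (r > 0) ? 100 * d / r : 0
        printf "%d %d %.2f\n", r / t, d / t, pct
    }'
}

# Live use on a host with the same netstat layout (assumption):
#   a=$(netstat -s -p udp); sleep 5; b=$(netstat -s -p udp)
#   loss_report "$a" "$b" 5
loss_report "$SNAP1" "$SNAP2" 5
```
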