On Tue, 2006-08-22 at 08:04 -0500, King, John (Greg) (LMIT-HOU) wrote:
I am currently using the stock syslog daemon from RedHat but it appears to not be able to keep up so I am looking at syslog-ng to improve things. The data below is to provide a baseline of what I am currently seeing and what I have attempted to do. Then if anyone would let me know if syslog-ng would be able to improve the performance and what measures I can take to achieve the improved performance that would be great.
Logs have to be rotated each hour due to the amount of traffic. On average I am successfully logging 25,888 events per minute. That goes higher during the early morning login times.
I have set the following sysctl params:
net.core.rmem_max = 33554432
net.core.wmem_max = 33554432
net.core.rmem_default = 65536
net.core.wmem_default = 65536
net.ipv4.tcp_rmem = 4096 87380 33554432
net.ipv4.tcp_wmem = 4096 65536 33554432
net.ipv4.tcp_mem = 33554432 33554432 33554432
syslog-ng is more complex than plain syslogd, especially when it comes to complex regexp-based filtering. The 2.0.x branch should be way better performance-wise than the 1.6.x series. What I spotted in your settings is that rmem_default set at 64k is probably a bit small; you can increase its value with syslog-ng's so_rcvbuf() option (available in 2.0.x only). With your message rate I'd suggest about 512k-1MB receive buffer for the UDP receiver.
-- Bazsi
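Added example, not part of the original thread: one way to check whether the UDP receive buffer discussed above is the bottleneck, by comparing two snapshots of the Udp counters in /proc/net/snmp and by reading back the buffer size the kernel actually grants. The counter values are constructed sample data and the function names are hypothetical; a current Linux kernel that exposes RcvbufErrors is assumed.

```python
import socket

# Constructed samples of the "Udp:" rows from /proc/net/snmp, one minute apart.
SAMPLE_BEFORE = """\
Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors
Udp: 1553280 12 340 98 340 0
"""
SAMPLE_AFTER = """\
Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors
Udp: 1579168 12 1115 98 1115 0
"""

def udp_counters(snmp_text):
    """Parse the Udp header row and value row into a dict of int counters."""
    rows = [l.split()[1:] for l in snmp_text.splitlines() if l.startswith("Udp:")]
    if len(rows) != 2 or len(rows[0]) != len(rows[1]):
        raise ValueError("expected one Udp header row and one Udp value row")
    return dict(zip(rows[0], map(int, rows[1])))

def loss_ratio(before, after):
    """Fraction of datagrams dropped for lack of receive buffer between samples."""
    b, a = udp_counters(before), udp_counters(after)
    dropped = a["RcvbufErrors"] - b["RcvbufErrors"]
    delivered = a["InDatagrams"] - b["InDatagrams"]
    total = dropped + delivered
    return dropped / total if total else 0.0

def granted_rcvbuf(requested):
    """Request a UDP receive buffer size and return what the kernel reports."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, requested)
        return s.getsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF)

if __name__ == "__main__":
    print("loss ratio: %.4f" % loss_ratio(SAMPLE_BEFORE, SAMPLE_AFTER))
    want = 1024 * 1024  # upper end of the 512k-1MB range suggested in the reply
    # Linux reports double the granted size and caps requests at net.core.rmem_max.
    print("requested %d, kernel reports %d" % (want, granted_rcvbuf(want)))
```

On a live host, read /proc/net/snmp twice and pass both texts to loss_ratio(); a rising RcvbufErrors count means log messages are being dropped before the daemon reads them.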