On Sat, Jun 23, 2001 at 08:38:21AM -0700, T. Esting wrote:
Drew, et al -
Thanks for writing back and for the sync() parameter suggestion. I tried setting sync(0) and that does indeed work for low-volume situations. However, the penalty for doing it this way seems to be exacted during high-volume situations, e.g. several hundred messages per second. I have a rather simple test program that I run while looking at my output file:
    #include <stdlib.h>   /* atoi(); include added, the posted version omitted it */
    #include <syslog.h>
    #include <unistd.h>

    int main(int argc, char **argv)
    {
        if (argc == 2) {
            int i, loop = 0;
            loop = atoi(argv[1]);          /* number of messages to send */
            if (loop != 0) {
                openlog("EER-TEST: ", LOG_PID, LOG_LOCAL5);
                /* numbered messages, so gaps in the output file show what was lost */
                for (i = 1; i <= loop; i++) {
                    syslog(LOG_INFO, "testing, 1, 2, 3 ... %d", i);
                }
                closelog();
            }
        }
        return 0;
    }
This attempts to simulate an nmap scan or DoS-type attack against my firewall; I am hoping to lose as few log messages as possible in these scenarios. With the stock Solaris syslog (brain-dead as it may be), I am able to run this program with arguments of 1000 or 2000 and not lose any messages. After setting sync(0) so that I wouldn't lose any messages in low-volume situations, I ran the same tests and, although syslog-ng kept up with a burst of 100 or 200 messages, 1000 turned out to be way too much; over 300 messages were lost. I'm hoping to find the sweet spot for tuning syslog-ng, since it obviously has many superior features to the standard syslog daemon that ships with Solaris, but I'm running into some roadblocks.
try increasing log_fifo_size()

-- 
Bazsi
PGP info: KeyID 9AF8D0A9  Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
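As an added illustration (not part of either message in this thread), a syslog-ng.conf fragment that puts the two settings side by side: sync(0), which flushes every message to disk immediately and avoids the low-volume loss the first message describes, and log_fifo_size(), which enlarges the per-destination output queue that has to absorb a burst while the file is being written. The log path, the queue size, and the Solaris source-driver syntax are assumptions; the exact driver keyword (sun-stream vs. sun-streams) and whether log_fifo_size() is accepted per destination as well as globally depend on the installed syslog-ng version.

```conf
# syslog-ng.conf fragment -- added example, not from the original thread.
# Assumed values: queue size, file path, Solaris source driver.

options {
    sync(0);              # write each message out immediately (no batching)
    log_fifo_size(2048);  # global default for the output queue; raise this
                          # above the largest burst you expect (the test
                          # program's argument), queue overflow = dropped lines
};

# Solaris kernel/door source; keyword and door path are version-dependent.
source s_local {
    sun-streams("/dev/log" door("/etc/.syslog_door"));
    internal();
};

# Only the facility the test program (LOG_LOCAL5) and the firewall use.
filter f_local5 { facility(local5); };

# Assumed output file; newer releases also take log_fifo_size() here,
# which lets a busy destination get a larger queue than the global default.
destination d_firewall {
    file("/var/log/firewall.log" log_fifo_size(4096));
};

log { source(s_local); filter(f_local5); destination(d_firewall); };
```

After restarting syslog-ng, the check is the one the test program already makes possible: run it with 1000 or 2000, then compare the highest sequence number in /var/log/firewall.log with the number of matching lines. Any difference is the number of messages dropped; if it is still non-zero, the queue is smaller than the burst and log_fifo_size() should go up again.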