Yes, I know it is not specific enough ... But nobody here can tell me exactly the frequency of the logs that will be sent :-/ One thing is sure: it won't be 1 message per server per day, but something like 500 /server /days ... Do you want to know something else?

-----Original Message-----
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On behalf of kenneth.gullberg@foreningssparbanken.se
Sent: Tuesday, 4 October 2005 10:00
To: syslog-ng@lists.balabit.hu
Subject: SV: [syslog-ng] Architecture Question'

I'm afraid that the only answer you are going to get is: depends on what kind of traffic you expect to be seeing. 7000 machines logging 1 message every minute is nothing, but if you are expected to receive 1 message / second / server then you need a different setup. You need to be more specific!

-----Original Message-----
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On behalf of CIKALA Frederic ROSI/DOSI
Sent: 4 October 2005 09:34
To: syslog-ng@lists.balabit.hu
Subject: [syslog-ng] Architecture Question'

Hello everyone,

I'm new to this mailing list and I do not know syslogNG yet. Actually, I have to prepare a server that will centralize a lot of logs, from about 7000 other servers. I've read that syslogNG is a great tool that can do a lot of interesting things. Therefore, I chose this application for my project, but I do not know if it needs big resources to be launched ... In fact, I'm wondering about the hardware I'll have to buy in order to make this project. Maybe someone of this list has got a greater opinion about what I'll have to buy, for example "at least a 3 GHz CPU, with 2 gig of RAM ..." It could be useful, thank you ^^

***********************************
This message and any attachments (the "message") are confidential and intended solely for the addressees. Any unauthorised use or dissemination is prohibited. Messages are susceptible to alteration. France Telecom Group shall not be liable for the message if altered, changed or falsified. If you are not receiver of this message, please cancel it immediately and inform the sender.
***********************************
On 10/4/05, CIKALA Frederic ROSI/DOSI <frederic.cikala@francetelecom.com> wrote:
> Yes, I know it is not specific enough ... But nobody here can tell me exactly the frequency of the logs that will be sent :-/ One thing is sure: it won't be 1 message per server per day, but something like 500 /server /days ... Do you want to know something else?
All that we can say is that you should make sure throughput to/from the network and to/from disk is good, and that you have lots of CPU for log analysis and possibly a GUI front end. At first glance memory seems to be less of a concern for loghost apps but all the UNIXes I know of use memory to cache I/O so maybe lots of memory is a good idea too. You're really on your own here, but any modern server-class machine is probably a good start. If you grow beyond it you can set up a tiered architecture or set up a counter-strike server on the old machine (god I haven't played that for years, I just don't know what you kids are playing these days).
Hello, 7000 other servers sound like quite a large amount of machines to be handled only in one collision domain.
> Yes, I know it is not specific enough ...
Then try to be a little bit more specific.
> But nobody here can tell me exactly the frequency of the logs that will be sent :-/
42. See, it completely depends on what exactly you're logging. What are the servers running?
> One thing is sure: it won't be 1 message per server per day, but something like 500 /server /days ...
That's 3500000 a day or ~40/s if they would be evenly distributed, which they are not of course. You should build a system that can at least handle 10 times the calculated average message to handle peak situations. So that's 400/s. If you take an average COTS Xeon 2-CPU box with roughly 3GHz CPUs, you will be able to reliably handle 10000 messages/s when using TCP and about 5000 - 7000 messages/s when logging via UDP.
> Do you want to know something else?
What is your task exactly? No one gives someone a job to integrate and handle messages of 7000 boxes onto a syslog server without a clear specification.
Regards,
Roberto Nibali, ratz
--
echo '[q]sa[ln0=aln256%Pln256/snlbx]sb3135071790101768542287578439snlbxq'|dc
participants (3): catenate, CIKALA Frederic ROSI/DOSI, Roberto Nibali