[syslog-ng]syslog-ng vs (of all things) Win2k + IIS

Balazs Scheidler bazsi@balabit.hu
Tue, 10 Oct 2000 17:15:04 +0200


> > You had better make sure that the disk on the destination is faster
> > than the sum of the logging rates of all the other hosts, or the
> > syslog-ng on the destination machine will start throwing entries away,
> > and *then* you'll really be embarrassed :)
> 
> Why does syslog-ng "throw messages away?" Shouldn't they be buffered
> instead of discarded? Surely memory can keep up.  It is unacceptable for
> messages to be thrown away.  You might as well just use UDP and `hope'
> all messages arrive.

You can control the size of the output buffer with the log_fifo_size()
option. Of course this size is not preallocated, it's just the maximum
number of entries to be buffered. The default value is 100.

> Syslog-ng could be more efficient still by allocating large chunks of
> memory (maybe using obstacks) for each destination and then
> batch-writing them (say, when an alarm expires).  I imagine that
> syslog-ng spends a lot of time in system calls because it writes each
> message individually.

Yes, this may be a place for improvement.

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
     url: http://www.balabit.hu/pgpkey.txt