[syslog-ng] newbie Solaris question

Balazs Scheidler bazsi@balabit.hu
Mon, 25 Jun 2001 08:03:36 +0200


On Sat, Jun 23, 2001 at 08:38:21AM -0700, T. Esting wrote:
> 
>   Drew, et al - 
> 
>   Thanks for writing back and for the sync() parameter suggestion.  I tried
> setting sync(0) and that does indeed work for low-volume situations. 
> However, the penalty for doing it this way seems to be exacted during
> high-volume situations, e.g. several hundred messages per second.  I have a
> rather simple test program that I run while looking at my output file:
> 
> #include <stdlib.h>   /* atoi() */
> #include <syslog.h>
> #include <unistd.h>
> 
> int main(int argc, char **argv) {
> 
>    if (argc == 2) {
>         int i, loop = 0;
>         loop = atoi(argv[1]);
>         if (loop != 0) {
>           /* LOG_PID appends the pid; everything goes to facility local5 */
>           openlog( "EER-TEST: ", LOG_PID, LOG_LOCAL5);
>           for (i  = 1; i <= loop; i++) {
>             syslog( LOG_INFO, "testing, 1, 2, 3 ... %d", i);
>             }
>           closelog();
>         }
>    }
>    return 0;
> }
> 
> This attempts to simulate an nmap scan or DoS-type attack against my
> firewall; I am hoping to lose as few log messages as possible in these
> scenarios.  With the stock Solaris syslog (brain-dead as it may be), I am
> able to run this program with arguments of 1000 or 2000 and not lose any
> messages.  After setting sync(0) so that I wouldn't lose any messages in
> low-volume situations, I ran the same tests and, although syslog-ng kept up
> with a burst of 100 or 200 messages, 1000 turned out to be way too much;
> over 300 messages were lost.  I'm hoping to find the sweet spot for tuning
> syslog-ng, since it obviously has many superior features to the standard
> syslog daemon that ships with Solaris, but I'm running into some roadblocks.

Try increasing log_fifo_size().

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
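Added example (not from the thread): when tuning sync() and log_fifo_size() for bursts like the one the quoted test program generates, it helps to measure exactly which messages were dropped rather than just counting lines. This script parses an output file for the sequence numbers the test program emits and reports the missing ranges; the log line format and the sample lines are constructed assumptions, since the thread does not show the actual output file.

```python
import re
from typing import List, Tuple

# Matches the body of the quoted test program's messages. The prefix
# (timestamp, host, "EER-TEST: [pid]:") varies by syslog daemon and
# template, so only the tail of the line is anchored.
SEQ_RE = re.compile(r"testing, 1, 2, 3 \.\.\. (\d+)\s*$")


def find_gaps(lines: List[str], expected: int) -> Tuple[int, List[Tuple[int, int]]]:
    """Return (received, missing_ranges) for one run of the test program.

    `expected` is the argument given to the test program (the highest
    sequence number it sent). Missing ranges are inclusive, so a run of
    consecutive drops shows up as one (first, last) pair, which makes a
    burst that overflowed the fifo easy to spot.
    """
    seen = set()
    for line in lines:
        m = SEQ_RE.search(line)
        if m:
            seen.add(int(m.group(1)))
    ranges: List[Tuple[int, int]] = []
    for n in range(1, expected + 1):
        if n in seen:
            continue
        if ranges and ranges[-1][1] == n - 1:
            ranges[-1] = (ranges[-1][0], n)   # extend the current gap
        else:
            ranges.append((n, n))             # start a new gap
    received = len(seen & set(range(1, expected + 1)))
    return received, ranges


def loss_report(lines: List[str], expected: int) -> dict:
    """Summarise a run: how many messages arrived, how many were lost, where."""
    received, gaps = find_gaps(lines, expected)
    lost = expected - received
    return {"expected": expected, "received": received,
            "lost": lost, "lost_pct": 100.0 * lost / expected, "gaps": gaps}


# Constructed sample output file (hypothetical host "fw1", hypothetical pid):
# a 10-message run in which 4-6 and 9 never reached the file.
SAMPLE_LOG = [
    f"Jun 23 08:38:21 fw1 EER-TEST: [2041]: testing, 1, 2, 3 ... {n}"
    for n in (1, 2, 3, 7, 8, 10)
] + ["Jun 23 08:38:22 fw1 sshd[118]: unrelated line that must be ignored"]

if __name__ == "__main__":
    print(loss_report(SAMPLE_LOG, 10))
```

For a real run, read the destination file into `lines` and pass the same count you gave the test program; the gap ranges show whether drops cluster at the tail of the burst, which is the pattern a too-small fifo produces.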