[syslog-ng]newbie Solaris question
Balazs Scheidler
bazsi@balabit.hu
Mon, 25 Jun 2001 08:03:36 +0200
On Sat, Jun 23, 2001 at 08:38:21AM -0700, T. Esting wrote:
>
> Drew, et al -
>
> Thanks for writing back and for the sync() parameter suggestion. I tried
> setting sync(0) and that does indeed work for low-volume situations.
> However, the penalty for doing it this way seems to be exacted during
> high-volume situations, e.g. several hundred messages per second. I have a
> rather simple test program that I run while looking at my output file:
>
> #include <syslog.h>
> #include <unistd.h>
>
> main( int argc, char **argv) {
>
> if (argc == 2) {
> int i, loop = 0;
> loop = atoi(argv[1]);
> if (loop != 0) {
> openlog( "EER-TEST: ", LOG_PID, LOG_LOCAL5);
> for (i = 1; i <= loop; i++) {
> syslog( LOG_INFO, "testing, 1, 2, 3 ... %d", i);
> }
> }
> }
> }
>
> This attempts to simulate an nmap scan or DoS-type attack against my
> firewall; I am hoping to lose as few log messages as possible in these
> scenarios. With the stock Solaris syslog (brain-dead as it may be), I am
> able to run this program with arguments of 1000 or 2000 and not lose any
> messages. After setting sync(0) so that I wouldn't lose any messages in
> low-volume situations, I ran the same tests and, although syslog-ng kept up
> with a burst of 100 or 200 messages, 1000 turned out to be way too much;
> over 300 messages were lost. I'm hoping to find the sweet spot for tuning
> syslog-ng, since it obviously has many superior features to the standard
> syslog daemon that ships with Solaris, but I'm running into some roadblocks.
try increasing log_fifo_size()
--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1