[syslog-ng]Help on fine tunning/bottlenecks

Huelbe Arizon Garcia huelbe@zaz.com.br
Fri, 5 Oct 2001 12:33:45 -0300 

Hello,

[First of all, I would like to apologize for the long message...]

In our company, we have lots of Network Access Servers (aka NAS) which we
would like to have syslog. We tried to use the original syslog packed with
Linux and we found it was 'dropping' a lot of information. Then, we changed
to syslog-ng a few months ago. The results are much better, but the logs are
still incomplete.

It seems to have some 'bottleneck': when I put an equipment sending logs
both to my main syslog server (which runs syslog-ng and receives syslog from
all NAS) and other box running only common syslog (receiving external syslog
only from this equipment), this second Linux box gets much more information
than the first one (almost twice more events/lines).

Well, I would like to ask for some tips to find the bottleneck or some
configuration fine-tunning. I'll appreciate all comments.

Here is my scenario:

Main log server:
 Linux 2.2.14-5.0
 Intel Pentium II 450Mhz 64 Mbytes RAM
 hda: QUANTUM FIREBALL CR6.4A, 6149MB w/418kB Cache (System disk) IDE
 hdc: QUANTUM FIREBALLlct15 30, 28629MB w/418kB Cache (Log files disk) IDE

The syslog-senders (NAS):
 There are about 70 NAS, each sending up to 15Mbytes/day (about 115.000
lines) of syslog messages. When the log file is cut/rotated (at midnight
sharp), the log file has about 600Mbytes

The syslog-ng
 Version 1.5.9

 Options configured:

 options
    {
    long_hostnames(off);
    use_dns(no);
    log_fifo_size(10000);
    gc_busy_threshold(10000);
    gc_idle_threshold(500);
    };




After running syslog for 20 hours, 'top' shows:

  9:35pm  up 175 days, 14:48,  1 user,  load average: 0.38, 2.28, 2.59
29 processes: 28 sleeping, 1 running, 0 zombie, 0 stopped
CPU states:  3.3% user,  1.3% system,  0.0% nice, 95.2% idle
Mem:    64104K av,   58496K used,    5608K free,    9852K shrd,    4800K
buff
Swap:  265032K av,    4304K used,  260728K free                   42520K
cached

  PID USER     PRI  NI  SIZE  RSS SHARE STAT  LIB %CPU %MEM   TIME COMMAND
21337 root      20   0   512  472   176 S       0  3.5  0.7 108:16 syslog-ng


(The load average is a little higher than normal as I ran grep/wc commands
to check some statistics in this mail)


Regards,

Huelbe Garcia.