[syslog-ng]buffer limitations and TCP compression

Andreas Schulze syslog-ng@lists.balabit.hu
Tue, 18 Mar 2003 09:20:11 +0100


Jason Haar wrote:
> 
> Can someone explain to me how the tcp/udp destination options handle 
> network outages/congestion? If I set my fifo to 10000, does that mean if 
> the remote server is down (I assume this only affects TCP - not UDP 
> BTW), the "client" will hold up to 10000 records before dropping... the 
> oldest? Just what does happen then?

As fas as I know, the messages are dropped silently.

> Also, does anyone think adding a compress option to the tcp destination 
> option is a good idea? It could really cut down on the traffic (esp if 
> you could force a *minimum* fifo queue size - to increase your chance of 
> repeated data). It could make centralized logging over WANs much more 
> attractive.

I think compression isn't the factor for centralized logging
in WAN environments.
Imagine your normal messages size is approx. <512Bytes.
How many messages you must create/send to flood a 64KB/128KB
leased line?

The important factor in centralized logging is in most cases
the perfomance of the center (the log server).
Compression will decrease log servers performance.

We are logging >5000 devices with >15.000.000 messages per day
to a centralized syslog-ng server over WAN.
Problems we observed are mostly on the central size. The WAN
isn't really the bottleneck in most scenarios.

-- 
Best regards --Andreas Schulze
                [phone: +49.5246.80.1275, fax: +49.5246.80.2275]

| I believe, it was Dennis Ritchie who said something like:
|   "C is rarely the best language for a given task,
|    but it's often the second-best".
| The implication being that: "[...]"
|     http://www.ioccc.org/1990/dds.c