[syslog-ng]syslog-ng performance problems

syslog-ng@lists.balabit.hu syslog-ng@lists.balabit.hu
Thu, 2 Sep 2004 14:22:36 +0200


Hallo

I have replaced the original syslog with syslog-ng.
everything works fine. the only problem I have is that
syslog-ng uses between 50% and 70% of the cpu.
I think that it is a configuration problem because the
old syslogd never uses more than 10% of the cpu. 

thank you for your help
stefan

here are my configuration files:

traditional syslog:

# /etc/syslog.conf      syslog configuration
file.###################################

# output to local file "messages" for automatic log file analysis
*.err;auth,daemon,mark,kern.debug;mail,user.notice      /var/adm/messages

# display emergencies on all terminals (uses WALL)
*.emerg         *

#print time on console every 20mins (not needed if you have contool)
#mark.*                 /dev/console

kern.info       ifdef(`LOGHOST', /var/log/kernlog, @loghost)
user.info       ifdef(`LOGHOST', /var/log/userlog, @loghost)
mail.info       ifdef(`LOGHOST', /var/log/maillog, @loghost)
daemon.info     ifdef(`LOGHOST', /var/log/daemonlog, @loghost)
auth.info       ifdef(`LOGHOST', /var/log/authlog, @loghost)
lpr.info        ifdef(`LOGHOST', /var/log/lprlog, @loghost)
news,uucp.info  ifdef(`LOGHOST', /var/log/newslog, @loghost)
cron.info       ifdef(`LOGHOST', /var/log/cronlog, @loghost)

## other "local" messages not yet used
local0,local1.info              ifdef(`LOGHOST', /var/log/local0log, @loghost)
local2,local3,local4.info       ifdef(`LOGHOST', /var/log/local2log, @loghost)
local5.info                     ifdef(`LOGHOST', /var/log/local5log, @loghost)
local6.info                     ifdef(`LOGHOST', /var/log/local6log, @loghost)
local7.info                     ifdef(`LOGHOST', /var/log/local7log, @loghost)

# Put all alerts (& higher) into a seperate log:
*.err   ifdef(`LOGHOST', /var/log/alertlog, @loghost)
###########################################################################

syslog-ng:
#
# Syslog-ng configuration for SUN Solaris
#
# Copyright (c) 1999 anonymous
# Copyright (c) 1999 Balazs Scheidler
# Copyleft      2004 Stefan Wenger
# $Id: syslog-ng.conf.sample,v 1.2 1999/11/15 12:30:41 bazsi Exp $
#
# Syslog-ng configuration file, compatible with default Debian syslogd
# installation.
#

options {
          keep_hostname(yes);
          time_reopen (1);
          time_reap(300);

          use_dns(yes);
          use_fqdn(no);
          use_time_recvd(yes);

          dns_cache(yes);
          dns_cache_expire(3600);
          dns_cache_expire_failed(10);

          sync(4);
          gc_idle_threshold(300);
          gc_busy_threshold(1000);
          log_fifo_size(16777216);
          log_msg_size(8192);
          chain_hostnames(no);

          owner(root);
          group(nobody);
          perm(0644);
          dir_perm(0755);
          create_dirs(yes);
        };

source src { sun_streams("/dev/log" door("/etc/.syslog_door")); internal (); };
source net { udp(); };

destination alertlog { file("/var/log/alertlog"); };
destination messages { file("/var/adm/messages"); };
destination console { usertty("root"); };
destination console_all { file("/dev/tty12"); };

destination kernlog { file("/var/log/kernlog"); };
destination userlog { file("/var/log/userlog"); };
destination maillog { file("/var/log/maillog"); };
destination daemonlog { file("/var/log/daemonlog"); };
destination authlog { file("/var/log/authlog"); };
destination lprlog { file("/var/log/lprlog"); };
destination newslog { file("/var/log/newslog"); };
destination cronlog { file("/var/log/cronlog"); };

destination local0log { file("/var/log/local0log"); };
destination local2log { file("/var/log/local2log"); };
destination local5log { file("/var/log/local5log"); };
destination local6log { file("/var/log/local6log"); };
destination local7log { file("/var/log/local7log"); };

destination fallbacklog { file("/var/log/fallbacklog"); };

destination loghost { udp("loghost"); };
#destination xconsole { pipe("/dev/xconsole"); };

destination d_mysql { pipe("/tmp/mysql.pipe"
  template("INSERT INTO logs (host, facility, priority, level, tag, date,time,
program, msg)
  VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL',
'$TAG','$YEAR-$MONTH-$DAY', '$HOUR:$MIN:$SEC',
  '$PROGRAM', '$MSG' );\n") template-escape(yes));
};

filter f_emerg { level(emerg); };
filter f_kern_info {facility(kern) and not priority(debug); };
filter f_user_info {facility(user) and not priority(debug); };
filter f_mail_info {facility(mail) and not priority(debug); };
filter f_daemon_info {facility(daemon) and not priority(debug); };
filter f_auth_info {facility(auth) and not priority(debug); };
filter f_lpr_info {facility(lpr) and not priority(debug); };
filter f_news_info {(facility(news)  or facility(uucp)) and not
priority(debug);
};
filter f_cron_info {facility(cron) and not priority(debug); };

filter f_local0 {facility(local0, local1) and not priority(debug); };
filter f_local2 {facility(local2, local3, local4) and not priority(debug); };
filter f_local5 {facility(local5) and not priority(debug); };
filter f_local6 {facility(local6) and not priority(debug); };
filter f_local7 {facility(local7) and not priority(debug); };
filter f_err {priority(err..emerg); };
filter f_messages {priority(err..emerg) or facility(auth, daemon, kern)
or (facility(mail, user) and priority(notice..emerg)); };

log { source(src); filter(f_messages); destination(messages); };
log { source(src); filter(f_emerg); destination(console); };
log { source(src); filter(f_kern_info); destination(kernlog);
destination(loghost); };
log { source(src); filter(f_user_info); destination(userlog);
destination(loghost); };
log { source(src); filter(f_mail_info); destination(maillog);
destination(loghost); };
log { source(src); filter(f_daemon_info); destination(daemonlog);
destination(loghost); };
log { source(src); filter(f_auth_info); destination(authlog);
destination(loghost); };
log { source(src); filter(f_lpr_info); destination(lprlog);
destination(loghost); };
log { source(src); filter(f_news_info); destination(newslog);
destination(loghost); };
log { source(src); filter(f_cron_info); destination(cronlog);
destination(loghost); };

log { source(src); filter(f_local0); destination(local0log);
destination(loghost); };
log { source(src); filter(f_local2); destination(local2log);
destination(loghost); };
log { source(src); filter(f_local5); destination(local5log);
destination(loghost); };
log { source(src); filter(f_local6); destination(local6log);
destination(loghost); };
log { source(src); filter(f_local7); destination(local7log);
destination(loghost); };
log { source(src); filter(f_err); destination(alertlog); destination(loghost);
};

log { source(src); destination(fallbacklog); flags(fallback); };


log { source(net); filter(f_messages); destination(messages); };
#log { source(net); filter(f_emerg); destination(console); };
log { source(net); filter(f_kern_info); destination(kernlog);
destination(loghost); };
log { source(net); filter(f_user_info); destination(userlog);
destination(loghost); };
log { source(net); filter(f_mail_info); destination(maillog);
destination(loghost); };
log { source(net); filter(f_daemon_info); destination(daemonlog);
destination(loghost); };
log { source(net); filter(f_auth_info); destination(authlog);
destination(loghost); };
log { source(net); filter(f_lpr_info); destination(lprlog);
destination(loghost); };
log { source(net); filter(f_news_info); destination(newslog);
destination(loghost); };

log { source(net); filter(f_local0); destination(local0log);
destination(loghost); };
log { source(net); filter(f_local2); destination(local2log);
destination(loghost); };
log { source(net); filter(f_local5); destination(local5log);
destination(loghost); };
log { source(net); filter(f_local6); destination(local6log);
destination(loghost); };
log { source(net); filter(f_local7); destination(local7log);
destination(loghost); };
log { source(net); filter(f_err); destination(alertlog); destination(loghost);
};

log { source(net); destination(fallbacklog); flags(fallback); };

## MYSQL
#log { source(src); destination(d_mysql); };
#log { source(net); destination(d_mysql); };