[syslog-ng]syslog-ng performance problems
syslog-ng@lists.balabit.hu
syslog-ng@lists.balabit.hu
Thu, 2 Sep 2004 14:22:36 +0200
Hallo
I have replaced the original syslog with syslog-ng.
everything works fine. the only problem I have is that
syslog-ng uses between 50% and 70% of the cpu.
I think that it is a configuration problem because the
old syslogd never uses more than 10% of the cpu.
thank you for your help
stefan
here are my configuration files:
traditional syslog:
# /etc/syslog.conf syslog configuration
file.###################################
# output to local file "messages" for automatic log file analysis
*.err;auth,daemon,mark,kern.debug;mail,user.notice /var/adm/messages
# display emergencies on all terminals (uses WALL)
*.emerg *
#print time on console every 20mins (not needed if you have contool)
#mark.* /dev/console
kern.info ifdef(`LOGHOST', /var/log/kernlog, @loghost)
user.info ifdef(`LOGHOST', /var/log/userlog, @loghost)
mail.info ifdef(`LOGHOST', /var/log/maillog, @loghost)
daemon.info ifdef(`LOGHOST', /var/log/daemonlog, @loghost)
auth.info ifdef(`LOGHOST', /var/log/authlog, @loghost)
lpr.info ifdef(`LOGHOST', /var/log/lprlog, @loghost)
news,uucp.info ifdef(`LOGHOST', /var/log/newslog, @loghost)
cron.info ifdef(`LOGHOST', /var/log/cronlog, @loghost)
## other "local" messages not yet used
local0,local1.info ifdef(`LOGHOST', /var/log/local0log, @loghost)
local2,local3,local4.info ifdef(`LOGHOST', /var/log/local2log, @loghost)
local5.info ifdef(`LOGHOST', /var/log/local5log, @loghost)
local6.info ifdef(`LOGHOST', /var/log/local6log, @loghost)
local7.info ifdef(`LOGHOST', /var/log/local7log, @loghost)
# Put all alerts (& higher) into a seperate log:
*.err ifdef(`LOGHOST', /var/log/alertlog, @loghost)
###########################################################################
syslog-ng:
#
# Syslog-ng configuration for SUN Solaris
#
# Copyright (c) 1999 anonymous
# Copyright (c) 1999 Balazs Scheidler
# Copyleft 2004 Stefan Wenger
# $Id: syslog-ng.conf.sample,v 1.2 1999/11/15 12:30:41 bazsi Exp $
#
# Syslog-ng configuration file, compatible with default Debian syslogd
# installation.
#
options {
keep_hostname(yes);
time_reopen (1);
time_reap(300);
use_dns(yes);
use_fqdn(no);
use_time_recvd(yes);
dns_cache(yes);
dns_cache_expire(3600);
dns_cache_expire_failed(10);
sync(4);
gc_idle_threshold(300);
gc_busy_threshold(1000);
log_fifo_size(16777216);
log_msg_size(8192);
chain_hostnames(no);
owner(root);
group(nobody);
perm(0644);
dir_perm(0755);
create_dirs(yes);
};
source src { sun_streams("/dev/log" door("/etc/.syslog_door")); internal (); };
source net { udp(); };
destination alertlog { file("/var/log/alertlog"); };
destination messages { file("/var/adm/messages"); };
destination console { usertty("root"); };
destination console_all { file("/dev/tty12"); };
destination kernlog { file("/var/log/kernlog"); };
destination userlog { file("/var/log/userlog"); };
destination maillog { file("/var/log/maillog"); };
destination daemonlog { file("/var/log/daemonlog"); };
destination authlog { file("/var/log/authlog"); };
destination lprlog { file("/var/log/lprlog"); };
destination newslog { file("/var/log/newslog"); };
destination cronlog { file("/var/log/cronlog"); };
destination local0log { file("/var/log/local0log"); };
destination local2log { file("/var/log/local2log"); };
destination local5log { file("/var/log/local5log"); };
destination local6log { file("/var/log/local6log"); };
destination local7log { file("/var/log/local7log"); };
destination fallbacklog { file("/var/log/fallbacklog"); };
destination loghost { udp("loghost"); };
#destination xconsole { pipe("/dev/xconsole"); };
destination d_mysql { pipe("/tmp/mysql.pipe"
template("INSERT INTO logs (host, facility, priority, level, tag, date,time,
program, msg)
VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL',
'$TAG','$YEAR-$MONTH-$DAY', '$HOUR:$MIN:$SEC',
'$PROGRAM', '$MSG' );\n") template-escape(yes));
};
filter f_emerg { level(emerg); };
filter f_kern_info {facility(kern) and not priority(debug); };
filter f_user_info {facility(user) and not priority(debug); };
filter f_mail_info {facility(mail) and not priority(debug); };
filter f_daemon_info {facility(daemon) and not priority(debug); };
filter f_auth_info {facility(auth) and not priority(debug); };
filter f_lpr_info {facility(lpr) and not priority(debug); };
filter f_news_info {(facility(news) or facility(uucp)) and not
priority(debug);
};
filter f_cron_info {facility(cron) and not priority(debug); };
filter f_local0 {facility(local0, local1) and not priority(debug); };
filter f_local2 {facility(local2, local3, local4) and not priority(debug); };
filter f_local5 {facility(local5) and not priority(debug); };
filter f_local6 {facility(local6) and not priority(debug); };
filter f_local7 {facility(local7) and not priority(debug); };
filter f_err {priority(err..emerg); };
filter f_messages {priority(err..emerg) or facility(auth, daemon, kern)
or (facility(mail, user) and priority(notice..emerg)); };
log { source(src); filter(f_messages); destination(messages); };
log { source(src); filter(f_emerg); destination(console); };
log { source(src); filter(f_kern_info); destination(kernlog);
destination(loghost); };
log { source(src); filter(f_user_info); destination(userlog);
destination(loghost); };
log { source(src); filter(f_mail_info); destination(maillog);
destination(loghost); };
log { source(src); filter(f_daemon_info); destination(daemonlog);
destination(loghost); };
log { source(src); filter(f_auth_info); destination(authlog);
destination(loghost); };
log { source(src); filter(f_lpr_info); destination(lprlog);
destination(loghost); };
log { source(src); filter(f_news_info); destination(newslog);
destination(loghost); };
log { source(src); filter(f_cron_info); destination(cronlog);
destination(loghost); };
log { source(src); filter(f_local0); destination(local0log);
destination(loghost); };
log { source(src); filter(f_local2); destination(local2log);
destination(loghost); };
log { source(src); filter(f_local5); destination(local5log);
destination(loghost); };
log { source(src); filter(f_local6); destination(local6log);
destination(loghost); };
log { source(src); filter(f_local7); destination(local7log);
destination(loghost); };
log { source(src); filter(f_err); destination(alertlog); destination(loghost);
};
log { source(src); destination(fallbacklog); flags(fallback); };
log { source(net); filter(f_messages); destination(messages); };
#log { source(net); filter(f_emerg); destination(console); };
log { source(net); filter(f_kern_info); destination(kernlog);
destination(loghost); };
log { source(net); filter(f_user_info); destination(userlog);
destination(loghost); };
log { source(net); filter(f_mail_info); destination(maillog);
destination(loghost); };
log { source(net); filter(f_daemon_info); destination(daemonlog);
destination(loghost); };
log { source(net); filter(f_auth_info); destination(authlog);
destination(loghost); };
log { source(net); filter(f_lpr_info); destination(lprlog);
destination(loghost); };
log { source(net); filter(f_news_info); destination(newslog);
destination(loghost); };
log { source(net); filter(f_local0); destination(local0log);
destination(loghost); };
log { source(net); filter(f_local2); destination(local2log);
destination(loghost); };
log { source(net); filter(f_local5); destination(local5log);
destination(loghost); };
log { source(net); filter(f_local6); destination(local6log);
destination(loghost); };
log { source(net); filter(f_local7); destination(local7log);
destination(loghost); };
log { source(net); filter(f_err); destination(alertlog); destination(loghost);
};
log { source(net); destination(fallbacklog); flags(fallback); };
## MYSQL
#log { source(src); destination(d_mysql); };
#log { source(net); destination(d_mysql); };