[syslog-ng]syslog-ng performance problems

Balazs Scheidler syslog-ng@lists.balabit.hu
Fri, 03 Sep 2004 12:13:21 +0200


You have a lot of log() statements however I can't see right now why
syslog-ng is eating so much CPU time. Can you do some kind of profiling?
(oprofile with syslog-ng debug symbols, or easier compiling syslog-ng
with -pg and processing gmon.out with gprof)?

On Thu, 2004-09-02 at 14:22, west@x-dot.ch wrote:
> Hallo
> 
> I have replaced the original syslog with syslog-ng.
> everything works fine. the only problem I have is that
> syslog-ng uses between 50% and 70% of the cpu.
> I think that it is a configuration problem because the
> old syslogd never uses more than 10% of the cpu. 
> 
> thank you for your help
> stefan
> 
> here are my configuration files:
> 
> traditional syslog:
> 
> # /etc/syslog.conf      syslog configuration
> file.###################################
> 
> # output to local file "messages" for automatic log file analysis
> *.err;auth,daemon,mark,kern.debug;mail,user.notice      /var/adm/messages
> 
> # display emergencies on all terminals (uses WALL)
> *.emerg         *
> 
> #print time on console every 20mins (not needed if you have contool)
> #mark.*                 /dev/console
> 
> kern.info       ifdef(`LOGHOST', /var/log/kernlog, @loghost)
> user.info       ifdef(`LOGHOST', /var/log/userlog, @loghost)
> mail.info       ifdef(`LOGHOST', /var/log/maillog, @loghost)
> daemon.info     ifdef(`LOGHOST', /var/log/daemonlog, @loghost)
> auth.info       ifdef(`LOGHOST', /var/log/authlog, @loghost)
> lpr.info        ifdef(`LOGHOST', /var/log/lprlog, @loghost)
> news,uucp.info  ifdef(`LOGHOST', /var/log/newslog, @loghost)
> cron.info       ifdef(`LOGHOST', /var/log/cronlog, @loghost)
> 
> ## other "local" messages not yet used
> local0,local1.info              ifdef(`LOGHOST', /var/log/local0log, @loghost)
> local2,local3,local4.info       ifdef(`LOGHOST', /var/log/local2log, @loghost)
> local5.info                     ifdef(`LOGHOST', /var/log/local5log, @loghost)
> local6.info                     ifdef(`LOGHOST', /var/log/local6log, @loghost)
> local7.info                     ifdef(`LOGHOST', /var/log/local7log, @loghost)
> 
> # Put all alerts (& higher) into a seperate log:
> *.err   ifdef(`LOGHOST', /var/log/alertlog, @loghost)
> ###########################################################################
> 
> syslog-ng:
> #
> # Syslog-ng configuration for SUN Solaris
> #
> # Copyright (c) 1999 anonymous
> # Copyright (c) 1999 Balazs Scheidler
> # Copyleft      2004 Stefan Wenger
> # $Id: syslog-ng.conf.sample,v 1.2 1999/11/15 12:30:41 bazsi Exp $
> #
> # Syslog-ng configuration file, compatible with default Debian syslogd
> # installation.
> #
> 
> options {
>           keep_hostname(yes);
>           time_reopen (1);
>           time_reap(300);
> 
>           use_dns(yes);
>           use_fqdn(no);
>           use_time_recvd(yes);
> 
>           dns_cache(yes);
>           dns_cache_expire(3600);
>           dns_cache_expire_failed(10);
> 
>           sync(4);
>           gc_idle_threshold(300);
>           gc_busy_threshold(1000);
>           log_fifo_size(16777216);
>           log_msg_size(8192);
>           chain_hostnames(no);
> 
>           owner(root);
>           group(nobody);
>           perm(0644);
>           dir_perm(0755);
>           create_dirs(yes);
>         };
> 
> source src { sun_streams("/dev/log" door("/etc/.syslog_door")); internal (); };
> source net { udp(); };
> 
> destination alertlog { file("/var/log/alertlog"); };
> destination messages { file("/var/adm/messages"); };
> destination console { usertty("root"); };
> destination console_all { file("/dev/tty12"); };
> 
> destination kernlog { file("/var/log/kernlog"); };
> destination userlog { file("/var/log/userlog"); };
> destination maillog { file("/var/log/maillog"); };
> destination daemonlog { file("/var/log/daemonlog"); };
> destination authlog { file("/var/log/authlog"); };
> destination lprlog { file("/var/log/lprlog"); };
> destination newslog { file("/var/log/newslog"); };
> destination cronlog { file("/var/log/cronlog"); };
> 
> destination local0log { file("/var/log/local0log"); };
> destination local2log { file("/var/log/local2log"); };
> destination local5log { file("/var/log/local5log"); };
> destination local6log { file("/var/log/local6log"); };
> destination local7log { file("/var/log/local7log"); };
> 
> destination fallbacklog { file("/var/log/fallbacklog"); };
> 
> destination loghost { udp("loghost"); };
> #destination xconsole { pipe("/dev/xconsole"); };
> 
> destination d_mysql { pipe("/tmp/mysql.pipe"
>   template("INSERT INTO logs (host, facility, priority, level, tag, date,time,
> program, msg)
>   VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL',
> '$TAG','$YEAR-$MONTH-$DAY', '$HOUR:$MIN:$SEC',
>   '$PROGRAM', '$MSG' );\n") template-escape(yes));
> };
> 
> filter f_emerg { level(emerg); };
> filter f_kern_info {facility(kern) and not priority(debug); };
> filter f_user_info {facility(user) and not priority(debug); };
> filter f_mail_info {facility(mail) and not priority(debug); };
> filter f_daemon_info {facility(daemon) and not priority(debug); };
> filter f_auth_info {facility(auth) and not priority(debug); };
> filter f_lpr_info {facility(lpr) and not priority(debug); };
> filter f_news_info {(facility(news)  or facility(uucp)) and not
> priority(debug);
> };
> filter f_cron_info {facility(cron) and not priority(debug); };
> 
> filter f_local0 {facility(local0, local1) and not priority(debug); };
> filter f_local2 {facility(local2, local3, local4) and not priority(debug); };
> filter f_local5 {facility(local5) and not priority(debug); };
> filter f_local6 {facility(local6) and not priority(debug); };
> filter f_local7 {facility(local7) and not priority(debug); };
> filter f_err {priority(err..emerg); };
> filter f_messages {priority(err..emerg) or facility(auth, daemon, kern)
> or (facility(mail, user) and priority(notice..emerg)); };
> 
> log { source(src); filter(f_messages); destination(messages); };
> log { source(src); filter(f_emerg); destination(console); };
> log { source(src); filter(f_kern_info); destination(kernlog);
> destination(loghost); };
> log { source(src); filter(f_user_info); destination(userlog);
> destination(loghost); };
> log { source(src); filter(f_mail_info); destination(maillog);
> destination(loghost); };
> log { source(src); filter(f_daemon_info); destination(daemonlog);
> destination(loghost); };
> log { source(src); filter(f_auth_info); destination(authlog);
> destination(loghost); };
> log { source(src); filter(f_lpr_info); destination(lprlog);
> destination(loghost); };
> log { source(src); filter(f_news_info); destination(newslog);
> destination(loghost); };
> log { source(src); filter(f_cron_info); destination(cronlog);
> destination(loghost); };
> 
> log { source(src); filter(f_local0); destination(local0log);
> destination(loghost); };
> log { source(src); filter(f_local2); destination(local2log);
> destination(loghost); };
> log { source(src); filter(f_local5); destination(local5log);
> destination(loghost); };
> log { source(src); filter(f_local6); destination(local6log);
> destination(loghost); };
> log { source(src); filter(f_local7); destination(local7log);
> destination(loghost); };
> log { source(src); filter(f_err); destination(alertlog); destination(loghost);
> };
> 
> log { source(src); destination(fallbacklog); flags(fallback); };
> 
> 
> log { source(net); filter(f_messages); destination(messages); };
> #log { source(net); filter(f_emerg); destination(console); };
> log { source(net); filter(f_kern_info); destination(kernlog);
> destination(loghost); };
> log { source(net); filter(f_user_info); destination(userlog);
> destination(loghost); };
> log { source(net); filter(f_mail_info); destination(maillog);
> destination(loghost); };
> log { source(net); filter(f_daemon_info); destination(daemonlog);
> destination(loghost); };
> log { source(net); filter(f_auth_info); destination(authlog);
> destination(loghost); };
> log { source(net); filter(f_lpr_info); destination(lprlog);
> destination(loghost); };
> log { source(net); filter(f_news_info); destination(newslog);
> destination(loghost); };
> 
> log { source(net); filter(f_local0); destination(local0log);
> destination(loghost); };
> log { source(net); filter(f_local2); destination(local2log);
> destination(loghost); };
> log { source(net); filter(f_local5); destination(local5log);
> destination(loghost); };
> log { source(net); filter(f_local6); destination(local6log);
> destination(loghost); };
> log { source(net); filter(f_local7); destination(local7log);
> destination(loghost); };
> log { source(net); filter(f_err); destination(alertlog); destination(loghost);
> };
> 
> log { source(net); destination(fallbacklog); flags(fallback); };
> 
> ## MYSQL
> #log { source(src); destination(d_mysql); };
> #log { source(net); destination(d_mysql); };
> 
> 
> 
> 
> _______________________________________________
> syslog-ng maillist  -  syslog-ng@lists.balabit.hu
> https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
> 
-- 
Bazsi