[syslog-ng] 1.6.5 performance

Balazs Scheidler bazsi at balabit.hu
Fri Oct 21 17:48:49 CEST 2005


On Fri, 2005-10-21 at 08:01 -0700, Nate Campi wrote:
> On Fri, Oct 21, 2005 at 06:54:04AM -0700, Scott C wrote:
> > But what's really most peculiar in this scenario is the fact that the
> > numbers simply don't add up.  Why does syslog-ng appear (on the
> > surface) to be dropping a very large percentage of the messages that
> > it receives?  I realize that it's not, but the numbers tell a
> > different story.  And how could it possibly drop so many messages when
> > the FIFO queue is configured to buffer three million lines?  How
> > preposterous!
>   
> So you think you really have all the logs but you see STATS messages
> reporting dropped messages? How would you know if you really have them
> all? It's possible that under heavy load you have some program or pipe
> destination (or maybe even file if you have slow disks) that just can't
> keep up. That's not syslog-ng's fault, it just lets you know that the
> buffer filled up.

One minor note: files are _not_ flow-controlled. If a file destination
cannot keep up, then the incoming side of syslog-ng (e.g. UDP receive
buffers) will drop messages.

It might be possible that syslog-ng can write all incoming messages to a
file for instance, but fail to do so for a pipe or tcp destination. The
reason is that pipe and tcp are flow-controlled: they will not sink all
messages that syslog-ng would send to them.

-- 
Bazsi
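
The difference described in the message above, as an added example that is not part of the original post and is not syslog-ng code: a simplified model of a bounded output FIFO feeding a regular file versus a pipe whose reader has stalled. The names `deliver`, `compare` and `fifo_size` are hypothetical, and the log lines are constructed.

```python
import os
import tempfile
from collections import deque


def deliver(fd, messages, fifo_size):
    """Send messages to fd through a bounded FIFO.

    Returns (written, dropped, queued). Simplified model, not syslog-ng's logic.
    """
    fifo, written, dropped = deque(), 0, 0
    for msg in messages:
        if len(fifo) >= fifo_size:
            dropped += 1              # FIFO full: the message is lost and counted
        else:
            fifo.append(msg)
        while fifo:                   # drain whatever the destination accepts now
            try:
                n = os.write(fd, fifo[0])
            except BlockingIOError:   # EAGAIN: destination pushes back
                break
            if n < len(fifo[0]):
                fifo[0] = fifo[0][n:]  # partial write, keep the remainder queued
                continue
            fifo.popleft()
            written += 1
    return written, dropped, len(fifo)


def compare(count=20000, fifo_size=100):
    # Constructed sample messages, roughly 60 bytes each.
    msgs = [b"<13>Oct 21 17:48:49 host app: constructed test message %05d\n" % i
            for i in range(count)]
    # Regular file: write() never reports "would block", so the FIFO never fills.
    with tempfile.TemporaryFile() as f:
        file_result = deliver(f.fileno(), msgs, fifo_size)
    # Pipe with a stalled reader: the kernel buffer fills, then the FIFO, then drops.
    r, w = os.pipe()
    os.set_blocking(w, False)
    try:
        pipe_result = deliver(w, msgs, fifo_size)
    finally:
        os.close(r)
        os.close(w)
    return file_result, pipe_result


if __name__ == "__main__":
    print(compare())
```

In this model a slow disk would make the file write block instead of filling the FIFO, so any loss would happen upstream of the writer, which is the point made above about UDP receive buffers.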


