[syslog-ng] high performance server

Mike mike at jeke.fdns.net
Thu Oct 27 04:44:22 CEST 2005 


On Wed, 26 Oct 2005, JR Mayberry wrote:

> I've googled this topic and read the mailing list and haven't had much 
> luck improving my situation.
> 
> I have a very high volume syslog-ng server. I currently have logs that are 
> being received across the network but not being written to disk. This 
> could be as much as 25% of the logs being dropped. The STAT to syslog 
> always says 0 drops.

are you sure that they are being received? if htey are coming in over UDP, 
maybe check some netstat output to see if they are being dropped by the 
kernel? (in this case they would be dropped before syslog-ng can even see 
that would be the drops would be listed as zero)

> 
> It's a Netro 1405 w/ two CPUs and 1 gig of memory connected to a SAN. 
> syslog-ng is always at 49% CPU and never goes beyond that.
> 
probably means that 1 CPU is capped out...since syslog-ng is not threaded, 
that is the max you can get...what does your config file look like? lots 
of regex's? if possible, simplify.
also try increasing your receive buffer queue size for UDP (make it as 
big as you can...64Mbytes, 128Mbytes etc). that should 
help with bursts of traffic, but if it is constant there would be no help.

if that still doesn't help...then maybe fire up a second syslog-ng 
listening on a second port, then try to split up your traffic?


> What settings can I use to stop dropping logs?
> 
> 
> This is an output of iostate with an interval of 1. This will give you an 
> idea of performance. As you can see there are no disk waits.
> 
> Thanks.
> 
> device       r/s    w/s   Mr/s   Mw/s wait actv  svc_t  %w  %b
> md89         2.0   86.0    0.0    0.4  0.0  0.2    1.9   0   5
> md89         0.0    3.0    0.0    0.0  0.0  0.0    0.9   0   0
> md89         0.0    1.0    0.0    0.0  0.0  0.0    2.5   0   0
> md89         0.0    1.0    0.0    0.0  0.0  0.0    1.2   0   0
> md89         0.0    2.0    0.0    0.0  0.0  0.0    1.2   0   0
> md89         0.0   61.0    0.0    0.3  0.0  0.1    1.3   0   3
> md89         0.0    1.0    0.0    0.0  0.0  0.0    1.5   0   0
> md89         0.0    0.0    0.0    0.0  0.0  0.0    0.0   0   0
> md89         0.0    2.0    0.0    0.0  0.0  0.0    0.9   0   0
> md89         0.0    2.0    0.0    0.0  0.0  0.0    0.7   0   0
> md89         0.0   83.0    0.0    0.4  0.0  0.2    2.2   0   3
> md89         2.0    4.0    0.0    0.0  0.0  0.0    3.0   0   2
> md89         0.0    0.0    0.0    0.0  0.0  0.0    0.0   0   0
> md89         0.0    1.0    0.0    0.0  0.0  0.0    0.8   0   0
> md89         0.0    1.0    0.0    0.0  0.0  0.0    0.8   0   0
> md89         1.0   86.0    0.0    0.4  0.0  0.1    1.2   0   4
> md89         0.0    2.0    0.0    0.0  0.0  0.0    0.9   0   0
> md89         0.0    5.0    0.0    0.0  0.0  0.0    0.9   0   0
> md89         0.0    1.0    0.0    0.0  0.0  0.0    1.0   0   0
> md89         0.0    2.0    0.0    0.0  0.0  0.0    0.8   0   0
> md89         2.0  751.9    0.0    5.6  0.0  6.5    8.6   0  25
> 
> 
> _______________________________________________
> syslog-ng maillist  -  syslog-ng at lists.balabit.hu
> https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
> 
>

More information about the syslog-ng mailing list