[syslog-ng] RE: Performance tuning questions

[Martin, David M]

Greg,

I had 'messages being dropped' issue recently on rhel4 and sol8 hosts.

since you are using rhl..

'netstat -ucs' was reporting 500-2000 packet receive errors per second.

after making a few adjustments it has dropped to 0.

my sysctl.conf is similar to yours, except for:

net.core.rmem_default = 16777216
net.core.wmem_default = 16777216

* values mentioned worked for me, your mileage may vary.

in my syslog-ng.conf file, I adjusted the source:
(may be unnecessary since I use the default as set by sysctl (above), but for
documentation sake)

source abs_udp514 {
  udp(ip(0.0.0.0) port(514) so_rcvbuf(16777216));
};

set the log_fifo_size

destination abd_sec {
  program(
    "/opt/sec/2.3.3/sec.pl -input=\"-\" -conf=/opt/sec/etc/sec.conf"
    template("$MONTH$DAY $UNIXTIME $HOST $MSG\n")
    log_fifo_size(8192)
  );
};

did something similar for my file destinations.

and then add flow-control

log {
  source(abs_udp514);
  filter(abf_postfix);
  destination(abd_sec);
  flags(flow-control);
};


# netstat -ucs
Udp:
    1067529425 packets received
    9835593 packets to unknown port received.
    27851339 packet receive errors
    772843529 packets sent
Udp:
    1067529464 packets received
    9835593 packets to unknown port received.
    27851339 packet receive errors
    772843549 packets sent



------------------------------

Message: 3
Date: Tue, 22 Aug 2006 08:04:38 -0500
From: "King, John (Greg) (LMIT-HOU)" <Greg.King at lmit.com>
Subject: [syslog-ng] Performance tuning questions
To: <syslog-ng at lists.balabit.hu>
Message-ID:
	
<7E0DB88FB5A5C04AAB0A06E72D58B2B4026053AF at lmit-mb01-hou.SERVICE.lmit.com>
	
Content-Type: text/plain;	charset="us-ascii"

I am currently using the stock syslog daemon from RedHat but it appears to not
be able to keep up so I am looking at syslog-ng to improve things. The data
below is to provide a baseline of what I am currently seeing and what I have
attempted to do. Then if anyone would let me know if syslog-ng would be able to
improve the performance and what measures I can take to achieve the improved
performance that would be great.

Logs have to be rotated each hour due to the amount of traffic. On average I am
successfully logging 25,888 events per minute. That goes higher during the early
morning login times.

I have set the following sysctl params:

net.core.rmem_max = 33554432
net.core.wmem_max = 33554432
net.core.rmem_default = 65536
net.core.wmem_default = 65536
net.ipv4.tcp_rmem = 4096 87380 33554432
net.ipv4.tcp_wmem = 4096 65536 33554432
net.ipv4.tcp_mem = 33554432 33554432 33554432

Netstat -su shows what might be data loss:
Udp:
    131725715 packets received
    16642 packets to unknown port received.
    4859684 packet receive errors
    31571 packets sent




The information transmitted (including attachments) is
covered by the Electronic Communications Privacy Act,
18 U.S.C. 2510-2521, is intended only for the person(s) or
entity/entities to which it is addressed and may contain
confidential and/or privileged material. Any review,
retransmission, dissemination or other use of, or taking
of any action in reliance upon, this information by persons
or entities other than the intended recipient(s) is prohibited.
If you received this in error, please contact the sender and
delete the material from any computer.