[syslog-ng] Performance tuning questions

Balazs Scheidler bazsi at balabit.hu
Fri Aug 25 13:50:45 CEST 2006

On Tue, 2006-08-22 at 08:04 -0500, King, John (Greg) (LMIT-HOU) wrote:
> I am currently using the stock syslog daemon from RedHat but it appears
> to not be able to keep up so I am looking at syslog-ng to improve
> things. The data below is to provide a baseline of what I am currently
> seeing and what I have attempted to do. Then if anyone would let me know
> if syslog-ng would be able to improve the performance and what measures
> I can take to achieve the improved performance that would be great.
> Logs have to be rotated each hour due to the amount of traffic. On
> average I am successfully logging 25,888 events per minute. That goes
> higher during the early morning login times.
> I have set the following sysctl params:
> net.core.rmem_max = 33554432
> net.core.wmem_max = 33554432
> net.core.rmem_default = 65536
> net.core.wmem_default = 65536
> net.ipv4.tcp_rmem = 4096 87380 33554432
> net.ipv4.tcp_wmem = 4096 65536 33554432
> net.ipv4.tcp_mem = 33554432 33554432 33554432

syslog-ng is more complex than plain syslogd, especially when it comes
to complex regexp based filtering. the 2.0.x branch should be way better
performance wise, than the 1.6.x series.

What I spotted in your settings is that probably rmem_default set at 64k
might be a bit small, you can increase its value with syslog-ng's
so_rcvbuf() option (available in 2.0.x only)

With your message rate I'd suggest about 512k-1MB receive buffer for the
UDP receiver.


More information about the syslog-ng mailing list