[syslog-ng] RE: syslog-ng 2.0.4 How can syslog-ng achieve this performance???

Geller, Sandor (IT) Sandor.Geller at morganstanley.com
Mon Jun 25 13:42:09 CEST 2007


> Geller, Sandor
> Balazs Scheidler
> 
> Thanks 4 ur advice.
>  
> Please pardon me for my short information.
> 
> The scenario is this,
> -----
> There is a network device which sends logs to syslog server 
> over network at a pace of approx 4000 logs/sec. 
> Syslog server has its own mission to handle them.
> In case, syslog server must write logs to local disk, the 
> server in fact drops some logs in the local file.
> Consequently, I turned to think of tuning some tweak in 
> syslog-ng parameter or kernel parameter. 
> I have tuned kernel parameter by setting "udp_recv_hiwat" to 
> its maximum value, and udp_max_buf to the value of 300 times 
> of the default value.
> And, I have come up with this idea.
> 
>   1. Increase "sync" parameter to buffer some logs and write 
> logs , not at the pace of every second. 
>       I tried to increase sync as well as log_fifo_size.
>       First, I set sync as 3000 , log_fifo_size as 10000.
>       However, it was not liked, with the message 
>       " The value of flush_lines must be less than fifo_size; 
> fifo_size='1000',flush_lines='3000' ". 
> 
>       Syslog-ng is configured as follows;
>           sync (3000);
>           time_reopen (10);
>           time_sleep(0);
>           log_fifo_size (10000);
>           long_hostnames (off);
>           use_dns (no); 
>           use_fqdn (no);
>           create_dirs (no);
>           keep_hostname (yes);
> 
>       source s_test { udp(ip(0.0.0.0) port(514)); };
>       destination d_local4 { file("/var/log/local4"); }; 
>       filter f_local4_al  { facility(local4) and level(info) 
> and match("xxxxxx") and filter(test); };
>       filter test  { match("10600[1267]") or 
> match("10601[0-8]") or match ("10602[0124567]") or match("106100") or 
>       match("20900[345]") or match("500004"); };
>       log { source(s_test); filter(f_local4_al); 
> destination(d_local4); };

Your filters might cause CPU load... Is this heavy filtering really
required? Usually not too many programs use local4 so you should try
to examine whether this filtering is really needed or not. Maybe you
could turn the conditions to match to the logs which should be
excluded. This kind of performance tuning could be done only when
you have a representative set of data to experiment with.

>       Any advice about how sync works , and how log_fifo_size 
> works will greatly help. 

sync() is deprecated, use flush_lines() and flush_timeout() instead.

>       Is there any other way than editing the logwriter.c 
> file and re-compile it?

Maybe a daily snapshot already contains the change.

>       Is there difference between setting sync and 
> log_fifo_size in global option section and individual 
> destination section
>          in terms of its effect? 

After applying the patch Bazsi sent there shouldn't be any
difference.

> 
>   2. "fsync" parameter would be thought as second chance to 
> overcome this problem.
>       However, no useful information could be found on web.
>       I set fsync in destination section, but it was rejected 
> when reloading the process. 
>       Any advice about how fsync works will greatly help.

AFAIK fsync hasn't been implemented. Anyway it would cause
performance problems, as fsync is used to make sure that the data
ended up on solid storage. This means that the fsync call will
block the caller until the kernel flushes VM/FS caches...

> In addition, how can I get STATS information of syslog-ng?
> I have added "stats_freq (60);" in global option section, but 
> I could not get any information in /var/adm/messages. 
> Where does syslog-ng output the stats information?

Use the internal() source, it's missing from your configuration.
Something like this:

source s_internal {
	internal();
};

destination d_syslognglog {
	file("/var/log/syslog-ng.log");
};

log {
	source(s_internal);
	destination(d_syslognglog);
};

Regards,

Sandor
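
Added example, not part of the original message and not syslog-ng's own code: a simplified Python model of a bounded output queue, showing why the "flush_lines must be less than fifo_size" check quoted in the thread exists. The names `options_ok` and `simulate`, the one-second tick and the flush-on-threshold-or-timeout behaviour are modelling assumptions; the 4000 logs/sec rate and the option values are taken from the thread.

```python
def options_ok(fifo_size, flush_lines):
    """Rule behind the quoted error: flush_lines must be less than fifo_size."""
    return flush_lines < fifo_size


def simulate(rate, ticks, fifo_size, flush_lines, flush_timeout):
    """Model (assumption): messages arrive at `rate` per tick into a queue
    holding at most `fifo_size` lines. The writer flushes the whole queue in
    one write when `flush_lines` lines are queued, or at the end of a tick
    once `flush_timeout` ticks have passed since the last flush.
    Messages arriving while the queue is full are dropped."""
    queued = written = dropped = writes = 0
    last_flush = 0
    for tick in range(1, ticks + 1):
        for _ in range(rate):
            if queued >= fifo_size:
                dropped += 1          # queue full: message is lost
                continue
            queued += 1
            if queued >= flush_lines:  # threshold reached: one batched write
                written += queued
                writes += 1
                queued = 0
                last_flush = tick
        if queued and tick - last_flush >= flush_timeout:
            written += queued          # timeout flush of a partial batch
            writes += 1
            queued = 0
            last_flush = tick
    return {"written": written, "dropped": dropped,
            "writes": writes, "queued": queued}


if __name__ == "__main__":
    # Values from the thread: 4000 logs/sec, 20 simulated seconds.
    # Rejected combination: fifo_size 1000 (from the error text), flush_lines 3000.
    print(options_ok(1000, 3000), simulate(4000, 20, 1000, 3000, 10))
    # Intended combination: log_fifo_size 10000, flush_lines 3000.
    print(options_ok(10000, 3000), simulate(4000, 20, 10000, 3000, 10))
    # Unbatched writes (flush_lines 1) for comparison of write counts.
    print(options_ok(10000, 1), simulate(4000, 20, 10000, 1, 10))
```

In the rejected combination the threshold can never be reached, so the queue only empties on the timeout and nearly everything is dropped in between.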