[syslog-ng] UDP packet loss with syslog-ng
Lars Kellogg-Stedman
lars at oddbit.com
Fri Oct 15 23:22:05 CEST 2010
> Actually, I missed what you were doing with awk because I don't think
> I've ever seen /inet before. Are you on FreeBSD? My experience (and
> cited performance numbers) is all on Linux.
Me too. Awk has supported network connectivity for a decade or so, I
think (since v3.1). Using netcat, the results are pretty much the
same. At 2000 msgs/sec I get around 10% loss, which is a lot better
than syslog-ng.
One of the possibilities I'm looking at is putting something like
netcat (or socklog, http://smarden.org/socklog/) in front of syslog-ng
and spooling the messages from the network directly to disk, and then
post-processing them with syslog-ng. This would solve the performance
problem, since these simpler tools appear to have no problem
supporting higher logging rates, and we've got disk space to spare.
Injecting the messages into syslog-ng in a useful fashion might be a
bit of a challenge.
Our alternate plan is just to use tcp syslog across the board (which
avoids the loss problem), although I'm concerned that this may impact
the connection-tracking firewalls in use around our environment.
More information about the syslog-ng
mailing list