[syslog-ng] UDP packet loss with syslog-ng
Lars Kellogg-Stedman
lars at oddbit.com
Sat Oct 16 20:10:01 CEST 2010
> Hmm. the numbers you are seeing are indeed low, with sufficient buffer
> sizes I could get up to the 20k message/sec range with syslog-ng...
It's better now, having adjusted the buffer sizes way up. I'd like to
recommend a change to the documenation. In section 7:
http://www.balabit.com/sites/default/files/documents/syslog-ng-admin-guide_en.html/handling_large_load.html
The issue of buffer size is addressed like this:
"This section provides tips on optimizing the performance of
syslog-ng. Optimizing the performance is important for syslog-ng hosts
that handle large traffic... When receiving lots of messages using the
UDP protocol, increase the size of the UDP receive buffer on the
syslog-ng hosts."
I would suggest that with the default Linux kernel values for UDP
receive buffer size, adjusting the UDP receive buffer size is
necessary to get performance above "crappy". That is, this isn't just
a necessity for "high volume" sites; it should probably be a
recommended practice for anyone planning on accepting UDP syslog
messages on a Linux host. Making this more prominent in the
documentation might save a lot of people from the rude surprise that
comes with the default buffer sizes.
Things are running much better now having made these changes. I'm
going to write up the performance test I did in a little more detail
and stick it online somewhere, hopefully saving someone else a little
bit of time in the future.
More information about the syslog-ng
mailing list