[syslog-ng] Solaris 10 UDP overflows, message drops

Mishou Michael Michael.Mishou at csirc.irs.gov
Tue Apr 26 19:58:12 CEST 2011 

Gergely,

Thanks for any testing you can do.  I'm not sure if a SPARC processor is
an important testing component or not, I suppose your VMs will help
determine this since you'll be using x86.  If there's any testing I can
do to help things along, please let me know.

Yes, I'm (very) scared of rsyslog as a maintainable solution, the
configs for syslog-ng are *so* much easier to read and understand.  I'll
try 3.3 and report back how threading helps things out, I'm glad to hear
that it's been pretty stable for you, that was my major concern in
testing 3.3 since eventually we'll need this to be in production with
our basic (from a config complexity standpoint) requirements. 

I'll report back how 3.3 works out for me after I get it compiled and up
today.

Regards,

--Mike

-----Original Message-----
From: syslog-ng-bounces at lists.balabit.hu
[mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Gergely Nagy
Sent: Tuesday, April 26, 2011 12:19 PM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Solaris 10 UDP overflows, message drops

(A few preliminary answers follow - I'll have another look at this later
tonight from home, once I tested a few things on my local solaris vm)

"Mishou Michael" <Michael.Mishou at csirc.irs.gov> writes:

> I'm going to experiment with syslog-ng and the loggen tool to find a
> point at which a single syslog-ng instance starts dropping inbound UDP
> traffic with a simple configuration writing to disk.  Once I have that
> number, I have a few options:
>
> 1.  Experiment with syslog-ng 3.3 and the new threaded code to see if
I
> have performance gains.  I'm hesitant to push Alpha code in
production,
> if anyone has any experience with 3.3 in semi-production environment
> running consistently I'd love to hear it.

I've been running 3.3 on most systems I administer (2 of my own servers
+ a few I administer for friends; and all of my virtual machines). It's
been serving me fine for the past 4 months now.

However, most of my systems are also linux systems, where syslog-ng is
much better tested (and I'm not using UDP at all).

Personally, I'd give it a test run, as current 3.3 is fairly stable.

> 3.  Give up on syslog-ng until 3.3, or move to some other solution.
Not
> sure what I could do here, rsyslog is the other major contender I
guess,
> not sure what gains I would get.  Could also do native syslog server
and
> post-process to different buckets/relay which is what we mainly use
> syslog-ng for.

I wouldn't consider rsyslog. It's a nightmare to maintain that, and an
even bigger nightmare to get it to perform well in any but the most
trivial situations. (Or it might be just me being too used to good
documentation and readable config files, but I'm fairly sure it's not
just that :P)

-- 
|8]
________________________________________________________________________
______
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation:
http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html

More information about the syslog-ng mailing list