[syslog-ng] Solaris 10 UDP overflows, message drops

Mishou Michael Michael.Mishou at csirc.irs.gov
Wed Apr 27 15:18:42 CEST 2011


Zeek,
 
I didn't compile it myself, I'm using the 3.1.2 from sunfreeware.com.
I'm actually having a heck of a time figuring out how to compile 3.3
from the alpha2 tarball on Solaris 10.  I don't think I'm helping myself
by having all the gcc tools installed from sunfreeware.com, maybe I need
to start over.  I'm so much more comfortable on Linux, where stuff just
compiles magically and I don't have to do anything special.
 
When you are using loggen, you should write to disk on the receiving end
and compare the number of messages received to messages sent.  Clayton
Dukes (on this list) has a good writeup of how to use loggen to generate
some relevant performance numbers here:
http://nms.gdd.net/index.php/Install_Guide_for_LogZilla_v3.1#UDP_Buffers
 
If I had to guess, the --active-connections parameter wouldn't apply to UDP
transport.  Sounds like a TCP thing.
 
Hope this helps!
 
--Mike
 

________________________________

From: syslog-ng-bounces at lists.balabit.hu
[mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Zeek Anow
Sent: Tuesday, April 26, 2011 5:37 PM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Solaris 10 UDP overflows, message drops


Just a heads up Mike. I tried doing the same thing with regards to using
loggen to find the best rate on my V490. My version of loggen did not
have the --active-connections parameter for sure, and I think it didn't
have the --idle connection parameter either. I set the -I to 600 for 10
minutes, and that didn't work either. It ran until I manually killed it
about 25 minutes later.

Then for the output all I got was:
count=14877   diff=15930    rate = 627.75

I haven't found what they mean yet. I reckon count would be the number
of packets sent, not sure what diff is, but I know what the msg/sec
is:))

I am curious to see what you come up with. Oh, did you use the
SunFreeware version or did you compile it yourself?




On Tue, Apr 26, 2011 at 1:58 PM, Mishou Michael
<Michael.Mishou at csirc.irs.gov> wrote:


	Gergely,
	
	Thanks for any testing you can do.  I'm not sure if a SPARC processor is
	an important testing component or not, I suppose your VMs will help
	determine this since you'll be using x86.  If there's any testing I can
	do to help things along, please let me know.
	
	Yes, I'm (very) scared of rsyslog as a maintainable solution, the
	configs for syslog-ng are *so* much easier to read and understand.  I'll
	try 3.3 and report back how threading helps things out, I'm glad to hear
	that it's been pretty stable for you, that was my major concern in
	testing 3.3 since eventually we'll need this to be in production with
	our basic (from a config complexity standpoint) requirements.
	
	I'll report back how 3.3 works out for me after I get it compiled and up
	today.
	
	Regards,
	
	--Mike
	

	-----Original Message-----
	From: syslog-ng-bounces at lists.balabit.hu
	[mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Gergely Nagy
	Sent: Tuesday, April 26, 2011 12:19 PM
	To: Syslog-ng users' and developers' mailing list
	Subject: Re: [syslog-ng] Solaris 10 UDP overflows, message drops
	
	
	(A few preliminary answers follow - I'll have another look at this later
	tonight from home, once I tested a few things on my local solaris vm)
	
	"Mishou Michael" <Michael.Mishou at csirc.irs.gov> writes:
	
	> I'm going to experiment with syslog-ng and the loggen tool to find a
	> point at which a single syslog-ng instance starts dropping inbound UDP
	> traffic with a simple configuration writing to disk.  Once I have that
	> number, I have a few options:
	>
	> 1.  Experiment with syslog-ng 3.3 and the new threaded code to see if I
	> have performance gains.  I'm hesitant to push Alpha code in production,
	> if anyone has any experience with 3.3 in semi-production environment
	> running consistently I'd love to hear it.
	
	I've been running 3.3 on most systems I administer (2 of my own servers
	+ a few I administer for friends; and all of my virtual machines). It's
	been serving me fine for the past 4 months now.
	
	However, most of my systems are also linux systems, where syslog-ng is
	much better tested (and I'm not using UDP at all).
	
	Personally, I'd give it a test run, as current 3.3 is fairly stable.
	
	> 3.  Give up on syslog-ng until 3.3, or move to some other solution.  Not
	> sure what I could do here, rsyslog is the other major contender I guess,
	> not sure what gains I would get.  Could also do native syslog server and
	> post-process to different buckets/relay which is what we mainly use
	> syslog-ng for.
	
	I wouldn't consider rsyslog. It's a nightmare to maintain that, and an
	even bigger nightmare to get it to perform well in any but the most
	trivial situations. (Or it might be just me being too used to good
	documentation and readable config files, but I'm fairly sure it's not
	just that :P)
	
	--
	|8]
	
	______________________________________________________________________________
	Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
	Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
	FAQ: http://www.campin.net/syslog-ng/faq.html
	
	