[syslog-ng] Solaris 10 UDP overflows, message drops

Zeek Anow zeekstern at gmail.com
Thu Apr 28 17:17:37 CEST 2011 

Thanks Mike..
I am in the same boat as you are. I have the same hardware, same OS (Solaris
10, Update 9) etc. I also am using the sunfreeware version.
One thing that kind of concerns me is the lack of response from other Sun
users. There does not seem to be too many that use it for a central log
host. Maybe we found out why:))

I too am going down the compiling 3.3 route and am hoping to start next
week.

Agree with the active connections. I mentioned that because we have both.
Also, I am going to get rid of the UDP logging since I'm dropping so many
packets and move to TCP.

Thanks for that link. Looks pretty good!! Have you been able to get to the
link in that document? The one that says Topics in High Performance
Messaging?   It is supposed to take you to the 29west.com site but I keep
getting redirected to a different site. Don't know if I have malware or if
the site is no longer around.

If I get around to compiling 3.3 before you do,  I will post back here if
you want and let you know how I did it, if you want. I have a friend that is
pretty good at it and am hoping it isn't a big deal to do.

Fred


On Wed, Apr 27, 2011 at 9:18 AM, Mishou Michael <
Michael.Mishou at csirc.irs.gov> wrote:

> Zeek,
>
> I didn't compile it myself, I'm using the 3.1.2 from sunfreeware.com.
> I'm actually having a heck of a time figuring out how to compile 3.3
> from the alpha2 tarball on Solaris 10.  I don't think I'm helping myself
> by having all the gcc tools installed from sunfreeware.com, maybe I need
> to start over.  I'm so much more comfortable on Linux, where stuff just
> compiles magically and I don't have to do anything special.
>
> When you are using loggen, you should write to disk on the receiving end
> and compare the number of messages received to messages sent.  Clayton
> Dukes (on this list) has a good writeup of how to use loggen to generate
> some relevant performance numbers here:
> http://nms.gdd.net/index.php/Install_Guide_for_LogZilla_v3.1#UDP_Buffers
>
> If I had to guess, --active-connections parameter wouldn't apply to UDP
> transport.  Sounds like a TCP thing.
>
> Hope this helps!
>
> --Mike
>
>
> ________________________________
>
> From: syslog-ng-bounces at lists.balabit.hu
> [mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Zeek Anow
> Sent: Tuesday, April 26, 2011 5:37 PM
> To: Syslog-ng users' and developers' mailing list
> Subject: Re: [syslog-ng] Solaris 10 UDP overflows, message drops
>
>
> Just a heads up Mike. I tried doing the same thing with regards to using
> loggen to find the best rate on my V490. My version of loggen did not
> have the --active-connections parameter for sure, and I think it didn't
> have the --idle connection parameter either. I set the -I to 600 for 10
> minutes, and that didn't work either. It ran until I manually killed it
> about 25 minutes later.
>
> Then for the output all I got was :
> count=14877   diff=15930    rate = 627.75
>
> I haven't found what they mean yet. I reckon count would be the number
> of packets sent, not sure what diff is, but I know what the msg/sec
> is:))
>
> I am curious to see what you come up with. Oh, did you use the
> SunFreeware version or did you compile it yourself?
>
>
>
>
> On Tue, Apr 26, 2011 at 1:58 PM, Mishou Michael
> <Michael.Mishou at csirc.irs.gov> wrote:
>
>
>        Gergely,
>
>        Thanks for any testing you can do.  I'm not sure if a SPARC
> processor is
>        an important testing component or not, I suppose your VMs will
> help
>        determine this since you'll be using x86.  If there's any
> testing I can
>        do to help things along, please let me know.
>
>        Yes, I'm (very) scared of rsyslog as a maintainable solution,
> the
>        configs for syslog-ng are *so* much easier to read and
> understand.  I'll
>        try 3.3 and report back how threading helps things out, I'm glad
> to hear
>        that it's been pretty stable for you, that was my major concern
> in
>        testing 3.3 since eventually we'll need this to be in production
> with
>        our basic (from a config complexity standpoint) requirements.
>
>        I'll report back how 3.3 works out for me after I get it
> compiled and up
>        today.
>
>        Regards,
>
>        --Mike
>
>
>        -----Original Message-----
>        From: syslog-ng-bounces at lists.balabit.hu
>
>        [mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Gergely
> Nagy
>        Sent: Tuesday, April 26, 2011 12:19 PM
>
>        To: Syslog-ng users' and developers' mailing list
>        Subject: Re: [syslog-ng] Solaris 10 UDP overflows, message drops
>
>
>        (A few preliminary answers follow - I'll have another look at
> this later
>        tonight from home, once I tested a few things on my local
> solaris vm)
>
>        "Mishou Michael" <Michael.Mishou at csirc.irs.gov> writes:
>
>        > I'm going to experiment with syslog-ng and the loggen tool to
> find a
>        > point at which a single syslog-ng instance starts dropping
> inbound UDP
>        > traffic with a simple configuration writing to disk.  Once I
> have that
>        > number, I have a few options:
>        >
>        > 1.  Experiment with syslog-ng 3.3 and the new threaded code to
> see if
>        I
>        > have performance gains.  I'm hesitant to push Alpha code in
>        production,
>        > if anyone has any experience with 3.3 in semi-production
> environment
>        > running consistently I'd love to hear it.
>
>        I've been running 3.3 on most systems I administer (2 of my own
> servers
>        + a few I administer for friends; and all of my virtual
> machines). It's
>        been serving me fine for the past 4 months now.
>
>        However, most of my systems are also linux systems, where
> syslog-ng is
>        much better tested (and I'm not using UDP at all).
>
>        Personally, I'd give it a test run, as current 3.3 is fairly
> stable.
>
>        > 3.  Give up on syslog-ng until 3.3, or move to some other
> solution.
>        Not
>        > sure what I could do here, rsyslog is the other major
> contender I
>        guess,
>        > not sure what gains I would get.  Could also do native syslog
> server
>        and
>        > post-process to different buckets/relay which is what we
> mainly use
>        > syslog-ng for.
>
>        I wouldn't consider rsyslog. It's a nightmare to maintain that,
> and an
>        even bigger nightmare to get it to perform well in any but the
> most
>        trivial situations. (Or it might be just me being too used to
> good
>        documentation and readable config files, but I'm fairly sure
> it's not
>        just that :P)
>
>        --
>        |8]
>
> ________________________________________________________________________
>        ______
>        Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>        Documentation:
>        http://www.balabit.com/support/documentation/?product=syslog-ng
>        FAQ: http://www.campin.net/syslog-ng/faq.html
>
>
> ________________________________________________________________________
> ______
>        Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>        Documentation:
> http://www.balabit.com/support/documentation/?product=syslog-ng
>        FAQ: http://www.campin.net/syslog-ng/faq.html
>
>
>
>
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation:
> http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.campin.net/syslog-ng/faq.html
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.balabit.hu/pipermail/syslog-ng/attachments/20110428/a66ca045/attachment-0001.htm

More information about the syslog-ng mailing list