[syslog-ng] Flow-control
Anton Koldaev
koldaevav at gmail.com
Wed Jan 16 08:16:44 CET 2013
I talked to algernon in IRC yesterday:
[14:33] <iroller_> algernon: could you explain please what happens when
syslog-ng stops reading the source(flow-control enabled)? As I understand
if the source is "file()" it will stop reading it at current position and
will continue later at the same postition, right? What if I have tcp source
where my app is sending logs all the time?
[14:39] <algernon> iroller_: in case of tcp(), it will stop reading from
there, kernel buffers will fill up, and the remote end will slow down. if
messages pile up there, and fill the sending syslogd's buffers, then
they'll likely be dropped on that side
[14:40] <iroller_> algernon: so by enabling flow-control we're just
switching from syslog-ng's fifo buffer to kernel buffers, right?
[14:41] <algernon> as far as I understand, yes. (I'm not using flow control
anywhere, and my knowledge of how it works in syslog-ng is a bit rusty,
unfortunately)
[14:44] <iroller_> we need more balabit guys here :)
Bazsi, could you please give some more information on it? What's the
purpose of switching from fifo to kernel buffers?
On Tue, Jan 8, 2013 at 4:38 PM, Anton Koldaev <koldaevav at gmail.com> wrote:
> For example at one moment of time I see the following values(with
> flow-control disabled):
> dst_syslog.total.stored: 10000 (msg)
> dst_syslog.total.dropped: 12179 (msg per min)
> dst_syslog.total.processed: 183800 (msg per min)
>
> How should flow-control help me here?
>
>
> On Tue, Jan 8, 2013 at 4:15 PM, Anton Koldaev <koldaevav at gmail.com> wrote:
>
>> As I understand syslog-ng will buffer the lines in buffer until it can
>> process them, right? Which buffer?
>>
>>
>> On Tue, Jan 8, 2013 at 4:10 PM, Anton Koldaev <koldaevav at gmail.com>wrote:
>>
>>> Could you please explain the following statement:
>>> > If the control window is full, syslog-ng stops reading messages from
>>> the source until some messages are successfully sent to the destination.
>>>
>>> What does that mean - "stops reading messages from the source"? My
>>> applications is still sending messages to this souce so where will all the
>>> logs at that moment?
>>> Where will it start reading the source? From the same point it stopped
>>> or not?
>>>
>>> --
>>> Best regards,
>>> Koldaev Anton
>>>
>>
>>
>>
>> --
>> Best regards,
>> Koldaev Anton
>>
>
>
>
> --
> Best regards,
> Koldaev Anton
>
--
Best regards,
Koldaev Anton
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.balabit.hu/pipermail/syslog-ng/attachments/20130116/93199406/attachment.htm
More information about the syslog-ng
mailing list