Re: very busy syslog server

> I'm trying to setup a syslog server to serve a large group of
> servers. For the syslog daemon, I have chosen rsyslogd, and the
> backend is mysql (on a different machine).
>
> The machine has 2 Intel Xeon 2.80GHz CPUs, and 1GB of RAM, and it is
> running FreeBSD 6 (6.0-STABLE).
>
> The problem is, that I see a lot of UDP packets being dropped:
>
> udp:
> 390202 datagrams received
> 0 with incomplete header
> 0 with bad data length field
> 0 with bad checksum
> 6 with no checksum
> 0 dropped due to no socket
> 0 broadcast/multicast datagrams dropped due to no socket
> ->>> 123677 dropped due to full socket buffers
> 0 not for hashed pcb
> 266525 delivered
> 133260 datagrams output
>
> I have tried to increase net.inet.udp.recvspace, but it didn't solve
> the problem.
>
> I would appreciate any hint or tips.

When you're doing a large number of packets per second, you may want
to look into enabling device polling(4). Right now, every packet
results in an interrupt. With device polling, you can handle more
than one packet per interrupt. See the man page for details. If your
syslogd's are blocking, waiting for the MySQL INSERT to complete, you
may be dropping UDP packets and polling won't help you. I'd write
messages out to a file then process them once a minute. *shrug* -sc

--
Sean Chittenden
_______________________________________________
freebsd-performance@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-performance
To unsubscribe, send any mail to "freebsd-performance-unsubscribe@xxxxxxxxxxx"

Relevant Pages

  • Re: update only file system
    ... Have your syslog server ... > promiscuous mode without an IP address, intercepting the packets ... If there's an attack on the logging daemon itself, ... magic log listener etc) have an increased security risk. ...
    (comp.os.linux.security)
  • RE: very busy syslog server
    ... I have tried polling, and it did not improve the performance. ... Subject: Re: very busy syslog server ... When you're doing a large number of packets per second, ... may be dropping UDP packets and polling won't help you. ...
    (freebsd-performance)
  • Re: Logging traffic activity of Cisco router
    ... The syslog server is the relatively easy part, ... "Netflow" has been suggested, and that's a good tool for monitoring ... for any one flow (so many packets). ... major fields that the ACL comparison engine does not pull over from ...
    (comp.dcom.sys.cisco)
  • Re: iptables performance
    ... There are connections and connections. ... actually know for how long) keep the way open for packets coming back the ... (as dropping all inbound ICMP would do -- f.ex. ... failure information returned by outbound UDP packets which were refused ...
    (comp.os.linux.networking)
  • Re: xl(4) & polling
    ... packet arrived at a network interface, the NIC generated an interrupt. ... Thus the concept of Device Polling came ... Instead whenever the packets arrive at a Network interface, ... the queue may fill up and subsequent packets are dropped. ...
    (freebsd-current)