[OT]: Syslog issues?

Chris Benson chrisb at jesmond.demon.co.uk
Thu Mar 22 10:19:28 GMT 2007


On Wed, Mar 21, 2007 at 01:39:13PM +0100, Luis Motta Campos wrote:
>   Dear M[ou]ngers
> 
>   I'm facing a funny problem at work.
> 
>   We have a very busy apache farm producing 40Gb of log files  
> every day, and no centralized logging facility.
>   We're considering using syslog (or better, syslog-ng) to  
> concentrate all logs on a single spot, so we can handle, parse, and  
> summarize all information for human and machine consumption.

It's not 40GB/day, but I've got a 
System Configuration:  Sun Microsystems  sun4u Sun Ultra 5/10 UPA/PCI (UltraSPARC-IIi 333MHz)
System clock frequency: 111 MHz
Memory size: 128 Megabytes

With one 100Mbps NIC logging 4-5GB/day ... (to a NFS appliance so traffic
is coming in then out!).

syslog-ng is using 10-15% CPU, loadavg is pretty stable between 0.2 and
0.25.  It has options { sync(2); } -- performance was terrible without.

Network utilisation is usually about 600Kbps in and 500Kbps out, with
peaks of 850Kbps in and 750Kbps out (except when the network people
tried to log every packet through a 1Gbps firewall).

So with e.g. Gbps NICs and a 1Gbps switched network I don't think the 
network side should be a problem.  And if you let syslog-ng buffer a few
messages (with the risk of loss) writing to any reasonable disks should
be OK too.
 
>   The problem is making sure we have enough hardware to not lose  
> messages and enough bandwidth to guarantee that every message gets  
> properly delivered to the logging server without problems.

I don't think you should use guarantee in the same sentence as syslog.

Oh, you didn't.  

If you need guarantees perhaps database(s) or one of the other suggestions
are the way to go.  I don't *think* I'm losing messages -- but I've got
no way of knowing!
-- 
Chris Benson

