Rafi Sadowsky wrote:
>
> Oh come on - I'm sure you realize that the disk seek time is
> the limiting factor and not the peak/burst transfer speed
> (assume syslogd is logging to more than one file)
We're crossing into a territory where I'm not that well-versed --
I rarely code things that are disk i/o-intensive, so I haven't
paid that much attention to it. So, I did a "real-life" test.
I wrote a small program that opens 50 files for write, and then
receives UDP datagrams, picks a random file for each datagram
and then writes the data. There's no fancy stuff going on -
the writes are just through standard libc streams with default
buffer sizes.
I ran this on a Pentium 200 (not P-II) running slackware.
It uses PIO rather than DMA. The disk (IDE) is about three
years old, so is newer than the box itself. This is the crappiest
*nix box I have at my disposal at the moment.
The packets I sent were 214 bytes with ethernet headers, so that's
172 bytes UDP data. I believe this exceeds the average syslog
packet length from firewalls in general.
Now, I tried sending just 100 packets per second. The CPU
load and system load barely moved. But with 2000 packets
per second, I definately saw things happening, and here's
the "top" output for 5000 pps:
12:44am up 48 days, 10:38, 2 users, load average: 0.53, 0.57, 0.34
64 processes: 60 sleeping, 4 running, 0 zombie, 0 stopped
CPU states: 5.9% user, 25.7% system, 0.0% nice, 68.2% idle
PID USER PRI NI SIZE RSS SHARE STAT %CPU %MEM TIME COMMAND
9801 mike 11 0 640 640 360 R 27.8 1.0 1:48 fsd
9558 mike 4 0 1036 1036 804 R 1.9 1.6 0:26 top
"fsd" is my process: "fake syslogd".
This is after ~7 minutes run time. The total written data was
something like 450 megabytes. Five thousand 214-byte packets
per second equals about 8.5 Mbps.
Now, I realize that a syslog daemon would need to do a bit more
work than my fake one, but, as we can see, the actual "CPU
crunching" isn't the problem here. (As you rightly pointed out.)
Anyway, I think this nicely illustrates my original point that
100 pps, even with a crappy syslog daemon, shouldn't be a problem
for any system that hasn't already passed its MTBF. Given, of
course, that it doesn't attempt to flush its output files for every
packet that it writes. That _is_ painful.
Regards,
Mikael Olsson
--
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 �RNSK�LDSVIK, Sweden
Phone: +46 (0)660 29 92 00 Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50 WWW: http://www.clavister.com
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
For Account Management (unsubscribe, get/change password, etc) Please go to:
http://lists.gnac.net/mailman/listinfo/firewalls