On Thu, 12 Sep 2013, Robert Ortiz wrote:
> Thanks everyone for all the help, I don't seem to be dropping any more packets
> at 150k mps, but I am seeing when I am doing a raw tcpdump to the interface,
> whenever I start the rsyslog service the tcpdump drops a significant amount of
> packets, I modified my sysctl.conf to:
> net.core.rmem_default = 2097152
> net.core.wmem_default = 2097152
> net.core.rmem_max = 10485760
> net.core.wmem_max = 10485760

Have you looked to see which thread of rsyslog is running out of CPU? It may be
that rsyslog is not dropping any packets, but is instead filling its queue
because it's not delivering them fast enough.

> The next phase of testing is sending logs to multiple locations, I have been
> looking around on how to make this happen, but I cannot seem to find any
> documentation, is rsyslog capable of sending logs to multiple locations?

Do you mean delivering the same messages to multiple locations? Or do you mean
load balancing by sending some messages to one location and other messages to
other locations?

You can use pacemaker and CLUSTERIP to have multiple syslog servers receiving
logs on a single IP address with no changes on the sending side (although there
are a couple changes that are useful to make).

But before you start worrying about how to have more servers accepting the logs,
let's see where the bottleneck is now and see how much more speed we can get out
of your current setup.

David Lang