Do you have packet drop issues? You didn't say whether you are
receiving/sending over TCP/UDP but you can check these stats:
- "netstat -s" and look for collapsed packets line if you are using TCP. If
the number increments then the application (rsyslog) that is supposed to
pick them up isn't keeping up.
- "netstat -s" and look for errors under the UDP stats if you are using
UDP. If the number keeps increasing then you are not consuming packets fast
enough.
- Run "netstat -an | grep port" under "watch" where port is the tcp/udp
port you are receiving/sending over. If you see either Recv-Q or Send-Q
number not going to zero then you have a bottleneck in the application.
Bottleneck can be CPU, disk IO bandwdith, network or receiving entity. CPU
will be a bottleneck in a multi-core system if rsyslog isn't threading
well. Usually, rsyslog threads very well, in my experience. Memory is also
usually not a problem because modern servers have lots of RAM and rsyslog
isn't a particularly memory hungry app.
You can also look for blocked threads in /proc/pid/net/{udp|tcp}. The
"tx_queue" or "rx_queue" fields can provide information on what threads are
causing drops.
Your other friends are iotop and mpstat.
On Thu, Sep 12, 2013 at 10:54 AM, Robert Ortiz <[email protected]> wrote:
> Thanks everyone for all the help, I don't seem to be dropping any more
> packets at 150k mps, but I am seeing when I am doing a raw tcpdump to the
> interface, whenever I start the rsyslog service the tcpdump drops a
> significant amount of packets, I modified my sysctl.conf to :
>
> net.core.rmem_default = 2097152
> net.core.wmem_default = 2097152
> net.core.rmem_max = 10485760
> net.core.wmem_max = 10485760
>
>
> the next phase of testing is sending logs to multiple locations, I have
> been looking around on how to make this happen, but I cannot seem to find
> any documentation, is rsyslog capable of sending logs to multiple locations?
>
> Thanks
>
>
>
> Robert.
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T LIKE THAT.
>
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
