Thanks for the help David, I changed the worker threads to 2 from 8, improved the cpu stats significantly. I also modified the syntax for each rule like you suggested, It ran great with 250k fps, not dropping a single packet. I deciced to up the spirent to 300k and it did well but not as I hoped:
[rcortiz@simon logs]$ ls -alh total 31G drwxr-xr-x 2 root wheel 125 Sep 25 10:27 . dr-xr-xr-x. 27 root root 4.0K Sep 17 15:14 .. -rwxr-xr-x 1 root nobody 1.1G Sep 25 10:39 f_ad -rwxr-xr-x 1 root nobody 8.3G Sep 25 10:39 f_fw -rwxr-xr-x 1 root nobody 6.4G Sep 25 10:39 f_mail -rwxr-xr-x 1 root nobody 1.1G Sep 25 10:39 f_networks -rwxr-xr-x 1 root nobody 1.1G Sep 25 10:39 f_pix -rwxr-xr-x 1 root nobody 1.1G Sep 25 10:39 f_router -rwxr-xr-x 1 root nobody 6.3G Sep 25 10:39 f_shib -rwxr-xr-x 1 root nobody 1.1G Sep 25 10:39 vm [rcortiz@simon logs]$ sudo sudo grep 10:29:00 * | wc -l 279050 [rcortiz@simon logs]$ sudo sudo grep 10:29:01 * | wc -l 275160 [rcortiz@simon logs]$ sudo sudo grep 10:29:02 * | wc -l 258010 [rcortiz@simon logs]$ sudo sudo grep 10:29:03 * | wc -l 255300 [rcortiz@simon logs]$ sudo sudo grep 10:29:04 * | wc -l 258730 [rcortiz@simon logs]$ sudo sudo grep 10:29:05 * | wc -l 269470 [rcortiz@simon logs]$ is there anything I can modify to improve the stats?: # Provides UDP syslog reception module(load="imudp" TimeRequery="10" SchedulingPolicy="fifo" SchedulingPriority="10") input(type="imudp" port="514") # Set Main Message Queue Size - default is 10000 $MainMsgQueueType FixedArray $MainMsgQueueSize 20000000 $MainMsgQueueWorkerThreads 2 $MainMsgQueueDequeueBatchSize 1000 $InputUDPMaxSessions 40000000 Robert.
rsyslog-stats
Description: Attachment: rsyslog-stats
_______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
