Robert, can you describe the settings you are using on your spirent system?

what size logs is it sending?

how many sources is it simulating?

is it just setting the hostname in the messages or is it using a different source IP/MAC for each different hostname?

as I asked before, is this a dedicated switch or a VLAN on a switch that's doing other things?

is this a bare metal machine, a VM, a blade server with shared infrastructure, etc?

what OS/version are you running?

is there anything else running on the system?

depending on what message size you are talking about, you are running close to the max speed of a gig-E network, so small nuances at the network layer could be causing you problems. so let's stop looking at rsyslog for a little bit and see what your machine is able to do in terms of just receiving UDP packets from the network


I've had rsyslog able to handle 380K logs/sec on a gig-E network, but that was on a dedicated switch, with ~1/4KB messages, and a custom compiled kernel (stripped down, connection tracking disabled, no cgroups, and a few other tweaks that I don't remember right now)

If you are dealing with larger messages, or have connection tracking/cgroups enabled, etc you could very well be just running into the limit of the input rate on your system.

So, we need to figure out what that limit is, and adjust your test to stay below that limit. At that point, we can then look at rsyslog again and see if it's keeping up (it probably won't if you try to use the network for NFS as well), and if needed, what we can do to get you as close to your system limit as we can.

David Lang

On Mon, 30 Sep 2013, David Lang wrote:

On Mon, 30 Sep 2013, Rainer Gerhards wrote:

I don't see anything that jumps out at me in your configs.

just checking, the system doesn't log any errors from the kernel during your test does it?

I am wondering if the tcpdump command that I use, is the best indicator of
how many packets are coming in?

tcpdump -i eth2.10 -nn | cut -c 1-8 | uniq -c

if you have any other activity on the network (like a ssh session into the server) you may want to limit it to port 514 traffic

tcpdump -i eth2.10 -nn port 514 | cut -c 1-8 | uniq -c


I am curious if the server just cannot handle the traffic that I am
sending it? and that is why we are seeing such a fluctuation in the results?

that's possible, what does the output of tcpdump look like during your test?

I note that you are using vlans for this (this is on vlan10), is this on a dedicated switch? or is this on a vlan of a switch that is doing other things as well?

David Lang


need to think a bit about this and also hope that David joins the
discussion.

I think a priority is to get to consistent local results, else further
testing is almost impossible.

Rainer
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
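
Added example, not part of the original thread: one way to check what the machine itself can receive, independent of rsyslog, is to compare the kernel's UDP counters in `/proc/net/snmp` before and after a test run. The function names and the sample snapshots below are constructed for illustration; a rising `RcvbufErrors` means datagrams reached the host but were dropped because a socket receive buffer was full.

```shell
#!/bin/sh
# Print "name value" pairs from the two "Udp:" rows (header row, then value
# row) of a file in /proc/net/snmp format.
udp_counters() {
    awk '$1 == "Udp:" {
        if (!seen) { for (i = 2; i <= NF; i++) name[i] = $i; seen = 1 }
        else       { for (i = 2; i <= NF; i++) print name[i], $i }
    }' "$1"
}

# udp_delta BEFORE AFTER SECONDS
# Prints the datagrams delivered to sockets per second and the number of
# datagrams the kernel dropped between the two snapshots.
udp_delta() {
    { udp_counters "$1" | sed 's/^/b /'; udp_counters "$2" | sed 's/^/a /'; } |
    awk -v secs="$3" '
        $1 == "b" { before[$2] = $3 }
        $1 == "a" { after[$2]  = $3 }
        END {
            printf "rate=%d in_errors=%d rcvbuf_errors=%d\n",
                (after["InDatagrams"] - before["InDatagrams"]) / secs,
                after["InErrors"] - before["InErrors"],
                after["RcvbufErrors"] - before["RcvbufErrors"]
        }'
}

# Constructed sample snapshots taken 10 seconds apart (not real measurements).
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/before" <<'EOF'
Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors
Udp: 1000 5 0 200 0 0
EOF
    cat > "$dir/after" <<'EOF'
Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors
Udp: 2501000 5 40000 200 40000 0
EOF
    udp_delta "$dir/before" "$dir/after" 10
    rm -rf "$dir"
}

# Live use: cp /proc/net/snmp before; sleep 10; cp /proc/net/snmp after
#           udp_delta before after 10
demo
```

If the per-second count from tcpdump is well above the `rate` reported here while `rcvbuf_errors` climbs, the packets are arriving on the interface and being lost between the kernel and the receiving process.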
