On Mon, 30 Sep 2013, Robert wrote:
Robert, can you describe the settings you are using on your spirent system?
what size logs is it sending?
the logs are ~ 39Bytes/each
does this include the timestamp (17 bytes) and hostname, or just the log
messages (the part after the programname[pid]:
how many sources is it simulating?
its simulating 8 different sources
is it just setting the hostname in the messages or is it using a different souce
IP/MAC for each different hostname?
It is sending the hostname
it shouldn't matter with this few sources, but is it also setting the IP?
as I asked before, is this a dedicated switch or a VLAN on a switch that's doing
other things?
its a vlan on a switch thats doing other tests, but the other tests are very
minimal compared to this
is this a bare metal machine, a VM, a blade server with shared infrastructure,
etc?
its a bare metal machine: hp, dual quad core intel xeon, 32GB
what OS/version are you running.
Red Hat 6.4, 2.6.32-279.14.1.el6.x86_64
is there anything else running on the system?
nothing else, except the monitoring tools.
depending on what message size you are talking about, you are running close to
the max speed of a gig-E network, so small nuances at the network layer could be
causing you problems. so let's stop looking at rsyslog for a little bit and see
what your machine is able to do in terms of just receiving UDP packets from the
network
I am sending at 250,000 eps/mps which is roughly 590Mbits
The reason that I was confused, was because with the tcpdump command that I was running,
I saw alot of "packets dropped by kernel" so that raised a flag for me, so I
noticed that I had maxed the capture byte size (65535bytes = 21,804eps) so thats why I
saw all of those drops.
So after taking tcpdump out of the equation, I am monitoring the throughput
with a cacti server, and locally with netstat -su -c, and iftop. and currently
I set the spirent at 250,000 eps/mps and I am writing 250,000 logs/second. ( so
I think its not dropping anything, at the moment)
( this is with the currentl configuration (i.e stop filters, to local storage)
Ok, separatly from the rsyslog tests, could you ramp up the spirent/tcpdump test
and see if you still get all the packets at higher speeds (keep rampting the
speed up until tcpdump starts loosing things)
at ~590Mb we should not be having problems yet at the network/kernel level.
David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
