2013/10/14 Rainer Gerhards <[email protected]> > [...]
As you deal with a slow output, I don't think this will have much effect. > > > Right! It should help if you: a) increase the batch size (20 is very little, especially if you have some fast servers). Somewhere between 100 and 1000 is a good starting point, although you might want to go higher if you have big boxes for ES. b) increase the number of queue.workerthreads. Because, after sending a bulk rsyslog has to wait for the response from ES and parse it. So you'll get better throughput if you index logs on multiple threads (even more than you have CPUs, because of the waiting involved) If you want to look at some more optimizations on the ES side, there are lots of them in my presentation Monitorama EU: http://blog.sematext.com/2013/09/24/presentation-on-centralizing-logs/ _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
