Handling large message load
This section provides tips on optimizing the performance of
syslog-ng. Optimizing the performance is important for AxoSyslog hosts that handle large traffic.
Disable DNS resolution, or resolve hostnames locally. For details, see Using name resolution in syslog-ng.
Enable flow-control for the TCP sources. For details, see Managing incoming and outgoing messages with flow-control.
Do not use the
usertty()destination driver. Under heavy load, the users are not be able to read the messages from the console, and it slows down
Do not use regular expressions in our filters. Evaluating general regular expressions puts a high load on the CPU. Use simple filter functions and logical operators instead. For details, see Regular expressions.
When receiving messages using the UDP protocol, increase the size of the UDP receive buffer on the receiver host (that is, the AxoSyslog server or relay receiving the messages). Note that on certain platforms, for example, on Red Hat Enterprise Linux 5, even low message load (~200 messages per second) can result in message loss, unless the
so-rcvbuf()option of the source is increased. In this cases, you will need to increase the
net.core.rmem_maxparameter of the host (for example, to
1024000), but do not modify
As a general rule, increase the
so-rcvbuf()so that the buffer size in kilobytes is higher than the rate of incoming messages per second. For example, to receive 2000 messages per second, set the
so-rcvbuf()at least to
2 097 152bytes.
Increase the value of the
100can increase the performance of AxoSyslog by 100%.