Re: [logs] Apache Logs

From: William D. Colburn (aka Schlake) (wcolburnat_private)
Date: Tue Jan 29 2002 - 13:14:47 PST

Next message: Bill Burge: "Re: [logs] Apache Logs"

Previous message: Bill Burge: "Re: [logs] Apache Logs"
In reply to: Marcus J. Ranum: "Re: [logs] Apache Logs"
Next in thread: Nate Campi: "Re: [logs] Apache Logs"
Next in thread: Bill Burge: "Re: [logs] Apache Logs"
Next in thread: Bill Burge: "Re: [logs] Apache Logs"
Reply: Nate Campi: "Re: [logs] Apache Logs"
Reply: Marcus J. Ranum: "[logs] Re: syslogd / some analysis"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

I have a syslong-ng that shares a CPU with my LPRng server.  We don't
send our apache logs to it, however.

Since the beginning of the year (not counting today) it has sysloged a
total of 10394522 messages from about 100 different machines via UDP
(average 4 per second).  Every message is written to an "everything" file,
and usually one other file. Some messages are written to two or three
different files.  My machine is a linux-2.2.19 with 1 733 Mhz P3.

I don't know what the peak is as far as messages per second, but I can't
imagine that it is very many.  My "everything" file gets exactly that:
everything, no matter how low priority a message it is.

I have no reason to think that any messages are being dropped.  I used
to have other syslog servers "just in case", and local copies on
important machines, but I never seemed to lose any, so I stopped doing
it.

On Tue, Jan 29, 2002 at 03:54:46PM -0500, Marcus J. Ranum wrote:
> I'm kind of curious about this: does anyone have any numbers they'd
> care to share about logging rates and server log rates? How many
> entries/second does a busy server's access log collect? I assume
> they are stdio buffered so they come in approximately BUFSIZ chunks,
> so it's probably pretty efficient, no? Does anyone have any numbers
> for when syslogd begins to puke? Since it's using unix domain UDP
> (in general) my guess is that the failure mode would be UDP packets
> getting dropped on the output queue: which is system dependent. BSD
> systems will do it differently from STREAMs systems which will
> do it differently from Linux systems, etc, etc.
> 
> I guess I've heard a lot of people talk about syslog bogging down under
> load but I've never seen any measures behind the claim; can anyone
> provide some hard information? I don't feel like writing a syslogd torture
> test - has anyone? Are we operating on hearsay?
> 
> mjr.
> ---
> Marcus J. Ranum          Chief Technology Officer, NFR Security, Inc.
> Work:                           http://www.nfr.com
> Personal:                      http://www.ranum.com
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: loganalysis-unsubscribeat_private
> For additional commands, e-mail: loganalysis-helpat_private

--
William Colburn, "Sysprog" <wcolburnat_private>
Computer Center, New Mexico Institute of Mining and Technology
http://www.nmt.edu/tcc/     http://www.nmt.edu/~wcolburn

---------------------------------------------------------------------
To unsubscribe, e-mail: loganalysis-unsubscribeat_private
For additional commands, e-mail: loganalysis-helpat_private

Next message: Bill Burge: "Re: [logs] Apache Logs"
Previous message: Bill Burge: "Re: [logs] Apache Logs"
In reply to: Marcus J. Ranum: "Re: [logs] Apache Logs"
Next in thread: Nate Campi: "Re: [logs] Apache Logs"
Next in thread: Bill Burge: "Re: [logs] Apache Logs"
Next in thread: Bill Burge: "Re: [logs] Apache Logs"
Reply: Nate Campi: "Re: [logs] Apache Logs"
Reply: Marcus J. Ranum: "[logs] Re: syslogd / some analysis"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Jan 29 2002 - 13:16:50 PST