Re: [logs] Re: syslogd / some analysis

From: Rich Salz (rsalzat_private)
Date: Tue Jan 29 2002 - 19:39:23 PST

    > Ok, I gproffed syslogd just for the hell of it...
    >   %   cumulative   self              self     total
    >  time   seconds   seconds    calls  ms/call  ms/call  name
    >  15.0       5.50     5.50                             __thread_sys_open [1]
    >  12.3      10.03     4.52                             __thread_sys_select [5]
    >  12.2      14.51     4.48                             _writev [6]
    
    Is it possible that syslogd is linked against a multi-threaded C library
    with user-space threads emulation?  That would be my guess, judging just
    by the first two function names. If so, that's a recipe for performance
    disaster, as you're (at least) doubling the number of syscalls for every
    I/O operation.  Any way to confirm that, and try to build a syslogd
    without any of that threads stuff?   (Maybe jkh can offer advice. :) 
    It'd save more than 25%.
    
    I don't have an OpenBSD machine, else I'd take a look.
    
    > presumably some output queue was getting overrun and messages
    > were silently discarded - my sendto(...) code never returned an error,
    > by the way...
    
    UDP packets aren't acked, so if the server couldn't keep up and was
    dropping them, that's the behaviour you'd expect.
    
    	/r$
    
    -- 
    Zolera Systems, Securing web services (XML, SOAP, Signatures,
    Encryption)
    http://www.zolera.com
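
The point about unacknowledged UDP, as an added example that is not part of the original message or of any syslogd source: a sender pushes datagrams over loopback at a receiver that is not reading, every `sendto()` reports success, and most datagrams never arrive. The function and struct names, the 4096-byte receive buffer and the datagram counts are assumptions made for the demonstration; it assumes a Linux or BSD sockets API.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical names for this example: sendto() results vs. datagrams queued. */
struct udp_loss { int send_ok; int send_err; int received; };

/* Send `count` datagrams of `size` bytes over loopback to a receiver that
 * reads nothing until the sender has finished, then drain its queue. */
struct udp_loss udp_flood_loopback(int count, int size)
{
    struct udp_loss r = {0, 0, 0};
    char buf[2048];
    struct sockaddr_in addr;
    socklen_t alen = sizeof addr;
    int rcvbuf = 4096;  /* constructed: deliberately small receive queue */
    int rx = socket(AF_INET, SOCK_DGRAM, 0), tx = socket(AF_INET, SOCK_DGRAM, 0);
    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);  /* port 0: kernel picks one */
    if (rx < 0 || tx < 0 || size < 1 || size > (int)sizeof buf ||
        setsockopt(rx, SOL_SOCKET, SO_RCVBUF, &rcvbuf, sizeof rcvbuf) < 0 ||
        bind(rx, (struct sockaddr *)&addr, sizeof addr) < 0 ||
        getsockname(rx, (struct sockaddr *)&addr, &alen) < 0)
        goto out;
    memset(buf, 'x', sizeof buf);
    for (int i = 0; i < count; i++) {
        /* Success here only means the local stack accepted the datagram. */
        ssize_t n = sendto(tx, buf, (size_t)size, 0, (struct sockaddr *)&addr, sizeof addr);
        if (n == size) r.send_ok++; else r.send_err++;
    }
    /* Non-blocking drain: whatever is missing was discarded without notice. */
    while (recv(rx, buf, sizeof buf, MSG_DONTWAIT) > 0)
        r.received++;
out:
    if (rx >= 0) close(rx);
    if (tx >= 0) close(tx);
    return r;
}

int main(void)
{
    struct udp_loss r = udp_flood_loopback(2000, 1024);
    printf("sendto ok=%d err=%d, received=%d\n", r.send_ok, r.send_err, r.received);
    return 0;
}
```

The loss is only visible on the receiving host, for example as "receive buffer errors" in `netstat -su` on Linux, so a log collector that needs to know about dropped messages has to watch that counter rather than the sender's return codes.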
    
    


