Re: [logs] Re: syslogd / some analysis

From: Rich Salz (rsalzat_private)
Date: Tue Jan 29 2002 - 19:39:23 PST

  • Next message: _ _: "[logs] Attack signatures/keywords"

    > Ok, I gproffed syslogd just for the hell of it...
    >   %   cumulative   self              self     total
    >  time   seconds   seconds    calls  ms/call  ms/call  name
    >  15.0       5.50     5.50                             __thread_sys_open [1]
    >  12.3      10.03     4.52                             __thread_sys_select [5]
    >  12.2      14.51     4.48                             _writev [6]
    Is it possible that syslogd is linked against a multi-threaded C library
    with user-space threads emulation?  That would be my guess, judging just
    by the first two function names. If so, that's a recipe for performance
    disaster, as you're (at least) doubling the number of syscalls for every
    I/O operation.  Any way to confirm that, and try to build a syslogd
    without any of that threads stuff?   (Maybe jkh can offer advice. :) 
    It'd save more than 25%.
    I don't have an openbsd machine, else I'd take a look.
    > presumably some output queue was getting overrun and messages
    > were silently discarded - my sendto(...) code never returned an error,
    > by the way...
    UDP packets aren't acked, so if the server couldn't keep up and was
    dropping them, that's the behaviour you'd expect.
    Zolera Systems, Securing web services (XML, SOAP, Signatures,
    To unsubscribe, e-mail: loganalysis-unsubscribeat_private
    For additional commands, e-mail: loganalysis-helpat_private

    This archive was generated by hypermail 2b30 : Tue Jan 29 2002 - 21:47:26 PST