3

I am using syslog-ng 3.0 on my machines. There is one machine which gets logs from three other machines. But lately, when I use top to monitor CPU usage (on the main one), I see syslog-ng uses approx. 95% of the CPU. I use 2nd depth inclusion in my confs. What could be the possible cause of this problem?

Thanks in advance.

0xmtn

2 Answers

3

Syslog-ng does use a lot of CPU resources, yet showing a consistent 95% with a single CPU seems high. I have a single CPU system w/ <1Gb memory running syslog-ng 2.1.4 for three firewalls (on debug) and 20+ Linux servers (on warn). Top shows the %CPU as 93-83%.

The filters are very flexible yet do not have any optimization or logic checking; syslog-ng relies on you for that. Having run into a similar situation, I reviewed all my filters for logic errors and optimized the orders. Cleanup and optimization reduced my utilization over 10%. I suggest:

  • Only transmit events worth logging. Set the client's priority level to warning or higher. If you need info priority events from a specific daemon, like authpriv for example, add a /etc/syslog.conf line for that daemon. Fewer events transmitted means less CPU utilization.
  • Place the most frequently hit filters first, esp. if they eliminate/reduce the logged events. Again fewer events processed means less CPU utilization.
  • Run filters in series on the logging directive instead of as AND conditions in a single filter. Includes may be parallel checking both conditions despite one failing.

While you are looking at it, check for disk I/O wait and verify you are using the native UDP protocol (avoid TCP). Hope that helps.
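
A sketch of the filter layout suggested in the answer above, as an added example that is not the answerer's own configuration. The source, filter and destination names, the host and program patterns, and the file paths are constructed placeholders, and the use of `flags(final)` to stop further matching is an addition here.

```conf
# syslog-ng.conf fragment (constructed example, names and paths are placeholders)

source s_net { udp(ip(0.0.0.0) port(514)); };

# Small single-purpose filters, each testing one condition.
filter f_noise    { program("cron") and level(debug..info); };
filter f_firewall { host("^fw[0-9]+$"); };
filter f_warn     { level(warning..emerg); };
filter f_authpriv { facility(authpriv); };

destination d_firewall { file("/var/log/remote/firewall.log"); };
destination d_auth     { file("/var/log/remote/auth.log"); };
destination d_servers  { file("/var/log/remote/servers.log"); };

# BEFORE: one filter joining the conditions with AND, referenced from a
# log path placed after several broader ones.
# filter f_fw_warn { host("^fw[0-9]+$") and level(warning..emerg); };
# log { source(s_net); filter(f_fw_warn); destination(d_firewall); };

# AFTER, step 1: the most frequently hit filter comes first. This path has
# no destination, so matching messages are dropped, and flags(final) keeps
# them from being evaluated by any later log path.
log { source(s_net); filter(f_noise); flags(final); };

# AFTER, step 2: filters listed in series on the log statement instead of
# AND-ed inside one filter. flags(final) ends processing once a message
# has been written to its destination.
log { source(s_net); filter(f_firewall); filter(f_warn);
      destination(d_firewall); flags(final); };

log { source(s_net); filter(f_authpriv);
      destination(d_auth); flags(final); };

# Everything else at warning or above from the remaining hosts.
log { source(s_net); filter(f_warn); destination(d_servers); };
```

Dropping events on the collector, as the first log path does, also removes them from the audit trail, so the noise filter should match only events you are certain you never need to review.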

1

You're asking the wrong question -- you need to focus on system performance, not a number on a screen.
If your system is operating normally, performance meets your requirements, and your load average is not excessively high (indicating a long wait for processes to get the CPU when they ask for it), you have no problem to solve.

If you are experiencing a performance problem that's what you should be asking us about (the fact that your CPU is pegged is incidental, and would be helpful when trying to help you solve a performance problem).


You don't tell us which "CPU Utilization" number you're talking about, but it really doesn't matter -- It is a common misconception that "100% CPU utilization" is a Bad thing. It isn't.
A computer running at 100% CPU utilization, absent any performance issues, is NOT a problem, unless you anticipate substantial growth that would over-tax the available CPU bandwidth in the future (within the lifetime of the system).

voretaq7
  • Ok, it is true that I don't face even minor performance issues, but the question is that even when I take two slaves out, the percentage does not change. Isn't it an abnormality? – 0xmtn Sep 05 '12 at 08:41
  • @mtndesign that depends on *which* CPU number you're reporting (there are about twelve of them in `top`'s output). Generally however CPU utilization on Unix systems is a number that can (and I would argue *should*) be ignored. Load average (RunQ depth) is a far more meaningful measure of the system's workload. – voretaq7 Sep 05 '12 at 15:53