
I am currently using Balabit's Syslog-NG to concentrate my IT logs and convey them to a remote server via a TCP connection, which allows only one listening port.

Thing is, my log volume is really important (about 15,000 messages/sec), and I can see that messages are being spooled to my disk (I actually enabled disk-buf-size(300G) and mem-buf-length(10M) in my destination TCP object).

Do you know if there is a way:

  • to increase performance?
  • to open several TCP sockets for destination objects (I tried max_connections, threaded etc., which didn't work)?

Version of syslog-ng: 3.9

Sample of syslog-ng.conf:

options {
  perm(0644);
  stats_freq(30);
  log_msg_size(65535);
  flush_lines(0);
  time_reap(10);
  threaded(yes);
  time_reopen(10);
  log_fifo_size(10M);
  chain_hostnames(off);
  use_dns(no);
  use_fqdn(no);
  create_dirs(yes);
  dir_perm(0755);
  keep_hostname(yes);
  keep-timestamp(yes);
};

...

destination dst_siem_port_1234 {
  tcp(
    "192.168.0.1"
    port(1234)
    disk-buffer( mem-buf-length(10M) disk-buf-size(300G) reliable(no) )
  );
};
log {source(mysrc); filter(f_myfilter); destination(dst_siem_port_1234); };

Sorry for typos, copied screen-to-screen :)

moutonjr

1 Answer

Try setting flush_lines(100); in the options so that the client isn't sending one line at a time (at least that's my understanding of what happens when this is set to 0).

Paul Haldane
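As an added example (not the poster's or Balabit's own configuration), here is how the batching suggested above fits into the destination from the question: flush-lines() can be set globally in options {} and overridden per destination, and the disk-buffer() block is shown with the mem-buf-length() form that belongs to reliable(no). The address, port and sizes are the placeholder values from the question.

```conf
options {
  threaded(yes);
  log-fifo-size(10M);
  # Write up to 100 queued messages per send() instead of one line at a time.
  flush-lines(100);
  # Emit internal statistics every 30 seconds (queued/dropped counters per destination).
  stats-freq(30);
};

destination dst_siem_port_1234 {
  tcp(
    "192.168.0.1"               # placeholder SIEM address from the question
    port(1234)
    flush-lines(100)            # per-destination override of the global value
    log-fifo-size(10M)          # in-memory queue in front of the disk buffer
    disk-buffer(
      mem-buf-length(10M)       # mem-buf-length() pairs with reliable(no);
      disk-buf-size(300G)       # reliable(yes) would use mem-buf-size() instead
      reliable(no)
    )
  );
};

log {
  source(mysrc);
  filter(f_myfilter);
  destination(dst_siem_port_1234);
};
```

After reloading, `syslog-ng-ctl stats` lists the per-destination queued and dropped counters, which is the quickest way to tell whether the batching change actually stopped messages from accumulating on disk.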