[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [tpop3d-discuss] How do i change the syslog facility?
From: |
Chris Elsworth |
Subject: |
Re: [tpop3d-discuss] How do i change the syslog facility? |
Date: |
Thu, 8 Nov 2001 13:09:19 +0000 |
User-agent: |
Mutt/1.2.5i |
On Wed, Nov 07, 2001 at 03:52:58PM -0800, Paul Makepeace wrote:
> On Wed, Nov 07, 2001 at 11:42:42PM +0000, Chris Elsworth wrote:
> > A busy mail server might spend almost as much time (remember ISPs turn
> > logging up to aid in troubleshooting, coping for customer complaints, etc)
> > logging as it does sending mail when going via syslogd.
> >
> > A real life example. Demon use thttpd (a very lightweight httpd server)
> > for Homepages. Output from top with irrelevant processes snipped:
> >
> > PID USERNAME THR PRI NICE SIZE RES STATE TIME CPU COMMAND
> > 24110 nobody 1 49 0 51M 18M run 549.2H 12.94% thttpd
> > 15207 root 18 58 0 4608K 1824K sleep 82.8H 1.57% syslogd
>
> I'm curious -- is the machine that is logging the syslog messages also
> the same machine that is writing data to a file somewhere? Typically a
> busy system will have a dedicated syslogging facility that has its own
> optimi[sz]ed resources (disk, cpu, etc). That is typically one of
> the major plus points of syslog after all is its ability to
> centrali[sz]e logging.
Yes, it is - we have four machines doing exactly the same thing at the
moment, each one running a thttpd and syslogd (and other minor daemons of
no importance). We could fiddle with how it works all day, for example by
moving all the logging to the fourth box, so 1,2, and 3 have no logs being
written at all, but then that would increase the load on 4 fourfold. The
ideal solution is a box not actually serving pages to do the logging, but
we don't have one at the moment. We make do with what we have :)
> > Notice the runtime on each process. syslogd takes up a substantial amount
> > of CPU time - for this reason we're looking at moving to direct file
> > logging. One line (about 100 bytes) is logged per hit.
>
> Have you looked at disk contention, profiled/straced syslogd and checked
> for filesystem fragmentation?
To be honest, no, not yet - in the grand scheme of helping to run an ISP
and its day to day problems, this particular issue is small fry so it's
been pushed to the back of the queue, but the long term plan was to take
syslogd out of the loop as far as the weblogs are concerned - there can be
no doubt that it is causing overhead - for each line received it has to do
checks to verify authenticity, decide where the logline should end up,
handle file opening/closing - all of this could be avoided with
direct-to-disk logging. (or as is also pointed out, a tiny daemon to
listen to syslog/udp and throw whatever it get directly onto disk.)
--
Chris Elsworth - Software & Systems Developer / Systems Administrator