8.1. Handling lots of parallel connections

When syslog-ng is receiving messages from a large number of TCP or unix-stream connections, the CPU usage of syslog-ng might increase even if the number of messages is low. By default, syslog-ng processes every message when it is received. To reduce the CPU usage, process the incoming messages in batches. To accomplish this, instruct syslog-ng to wait for a short time before processing a message. During this period additional messages might arrive that can be processed together with the original message. To process log messages in batches, set the time_sleep() option (measured in milliseconds) to a non-zero value. Include the following line in your syslog-ng configuration:

	            
options { time_sleep(20); };

Note

	Note
It is not recommended to increase the `time_sleep()` parameter above 100ms, as that might distort timestamps, slow down syslog-ng, and cause messages to be dropped. When modifying the `time_sleep()` option, also adjust the `log_fetch_limit()` and `log_fifo_size()` options accordingly.

It is not recommended to increase the time_sleep() parameter above 100ms, as that might distort timestamps, slow down syslog-ng, and cause messages to be dropped.

When modifying the time_sleep() option, also adjust the log_fetch_limit() and log_fifo_size() options accordingly.

The max_connections() parameter limits the number of parallel connections for the source.

If adjusting the time_sleep() option is not desired for some reason, an alternative solution is to use unix-stream(), udp() and unix-dgram() sources instead of tcp() connections.

Prev	Up	Next
Chapter 8. Troubleshooting and performance tuning	Home \| Contents	8.2. Handling large message load

The syslog-ng Administrator Guide

Document version: 1.1.4
Release date: July 23, 2008
Latest version available at the BalaBit Documentation Page