On 2/6/24 13:11, Patrick McEvilly via WLUG wrote:
> First off, I’m in way over my head. $dayjob we have a Red Hat 8 box. We are looking to take in syslog messages and send them out to one/two different IP addresses. We tried using https://github.com/sleinen/samplicator and while it works perfectly and a one banana job to set up, we seem to be dropping a significant amount of traffic on the box. At least 10% of the logs are missing and we have not loaded up the system yet. We tuned out the network buffers and added 25MB of memory without any improvement.

What syslog server are you using? In rsyslog at least I'm 99% sure you can send to multiple addresses:

    *.* @$syslog-receiver:514;RSYSLOG_SyslogProtocol23Format

Just duplicating this line should do it. Admittedly, I only have one syslog receiver, but the manpages don't offer any issues with that. The issue it does bring up is with high volumes of logs, where UDP can cause logs to get dropped:

    Due to the nature of UDP, you will probably lose some messages in transit. If you expect high traffic volume, you can expect to lose a quite noticeable number of messages (the higher the traffic, the more likely and severe is message loss)

(from rsyslogd.conf(5))

I'd take a look at that and see if you even need samplicator.

--cs
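
The forwarding setup suggested in the reply above, written out as an added example that is not part of the original thread: the duplicated UDP line next to a TCP variant with one queue per receiver. The file name, the receiver addresses (192.0.2.10 and 192.0.2.20, documentation placeholders), the queue names and the disk limit are assumptions, as is the receivers accepting syslog over TCP on port 514.

```conf
# /etc/rsyslog.d/forward.conf   (hypothetical file name)
# 192.0.2.10 and 192.0.2.20 are placeholder receiver addresses.

# Accept syslog from the network on UDP 514.
# Skip these two lines if imudp is already enabled in /etc/rsyslog.conf.
module(load="imudp")
input(type="imudp" port="514")

# --- Variant 1: the duplicated line from the reply (UDP out) ---
# A single "@" means UDP: no acknowledgement and no retry, so messages
# dropped under load are lost silently.
#*.* @192.0.2.10:514;RSYSLOG_SyslogProtocol23Format
#*.* @192.0.2.20:514;RSYSLOG_SyslogProtocol23Format

# --- Variant 2: TCP out, one queue per receiver ---
# Assumes both receivers accept syslog over TCP on port 514.
# Each action has its own disk-assisted queue, so a slow or unreachable
# receiver fills only its own queue and does not stall the other one.
action(type="omfwd" target="192.0.2.10" port="514" protocol="tcp"
       template="RSYSLOG_SyslogProtocol23Format"
       queue.type="LinkedList" queue.filename="fwd_a"
       queue.maxDiskSpace="1g" queue.saveOnShutdown="on"
       action.resumeRetryCount="-1")

action(type="omfwd" target="192.0.2.20" port="514" protocol="tcp"
       template="RSYSLOG_SyslogProtocol23Format"
       queue.type="LinkedList" queue.filename="fwd_b"
       queue.maxDiskSpace="1g" queue.saveOnShutdown="on"
       action.resumeRetryCount="-1")
```

Running `rsyslogd -N1` checks the configuration for syntax errors before the service is restarted.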