syslog-ng 系列连载-40 ：使用流控管理输入/出消息-ailms-ChinaUnix博客

阿勃的 blog

首页　| 　博文目录　| 　关于我

ailms

博客访问： 1801576
博文数量： 184
博客积分： 10122
博客等级：上将
技术积分： 5566
用户组：普通用户
注册时间： 2005-12-08 12:32

文章分类

全部博文（184）

我的音乐（0）
常用命令及手册翻（0）

网络工具（0）

二进制相关（0）

网络下载（0）

邮件相关（0）

进程管理（0）

文件查找（0）

文本处理（0）

文件访问/管理（0）

文件系统（0）

手册/帮助（0）

系统信息（0）

全部命令列表（0）
网络相关（23）

抓包（0）

MRTG（15）

RRDtool（8）
操作系统（57）

Xwindow 相关（0）

initrd 文件（0）

用户管理（0）

系统时钟与时间（0）

软件包管理（0）

LOCALE 、i18n 和（0）

Software-RAID（6）

LVM （逻辑卷管理（2）

日志与日志服务器（48）

文件系统和修复（0）

登录流程（0）

启动/关机流程分（1）

磁盘配额（0）

内核/模块/补丁（0）

GRUB（0）
安全相关（65）

文件权限（1）

公钥认证和 PKI（4）

OpenSSL（57）

ACL（3）

Tripwire（0）

PAM（0）
服务器配置（36）

SNMP（10）

DHCP（1）

Postfix（0）

Apache（10）

bind（15）
脚本编程（2）

反删除实验（0）

监控相关（0）

杂（1）

系统启动脚本分析（0）

RRDtool 辅助（0）

如何实现自己的 s（0）

LVM 辅助脚本（0）

DHCP ip 分配统计（0）
未分配的博文（1）

文章存档

2011年（1）

2008年（183）

我的朋友

7.3. Managing incoming and outgoing messages with flow-control

This section describes the internal message-processing model of syslog-ng, as well as the flow-control feature that can prevent message losses. To use flow-control, the flow-control flag must be enabled for the particular log path.

The syslog-ng application monitors (polls) the sources defined in its configuration file, periodically checking each source for messages. When a log message is found in one of the sources, syslog-ng polls every source and reads the available messages. These messages are processed and put into the output buffer of syslog-ng (also called fifo). From the output buffer, the operating system sends the messages to the appropriate destinations.

In large-traffic environments many messages can arrive during a single poll loop, therefore syslog-ng reads only a fixed number of messages from each source. The log_fetch_limit() option specifies the number of messages read during a poll loop from a single source.

Note
The `log_fetch_limit()` parameter can be set as a global option, or for every source individually.

Every destination has its own output buffer. The output buffer is needed because the destination might not be able to accept all messages immediately. The log_fifo_size() parameter sets the size of the output buffer. The output buffer must be larger than the log_fetch_limit() of the sources, to ensure that every message read during the poll loop fits into the output buffer. If the log path sends messages to a destination from multiple sources, the output buffer must be large enough to store the incoming messages of every source.

TCP, unix-stream, and unix-dgram sources can receive the logs from several incoming connections (e.g., many different clients or applications). For such sources, syslog-ng reads messages from every connection, thus the log_fetch_limit() parameter applies individually to every connection of the source. E.g., if there are five connections logging to the source, syslog-ng reads maximum number_of_connections*log_fetch_limit() = 5*log_fetch_limit() messages. The maximum number of parallel connections that the source accepts is set using the max_connections() parameter.

The flow-control of syslog-ng introduces a control window to the source that tracks how many messages can syslog-ng accept from the source. Every message that syslog-ng reads from the source lowers the window size by one; every message that syslog-ng successfully sends from the output buffer increases the window size by one. If the window is full (i.e., its size decreases to zero), syslog-ng stops reading messages from the source. The initial size of the control window is by default 100: the log_fifo_size() must be larger than this value in order for flow-control to have any effect.

When flow-control is used, every connection has its own control window. As a worst-case situation, the output buffer of the destination must be set to accommodate all messages of every control window, that is, the log_fifo_size() of the destination must be greater than max_connections()*log_iw_size(). This applies to every source that sends logs to the particular destination, thus if two sources having several connections and heavy traffic send logs to the same destination, the control window of every connection of both sources must fit into the output buffer of the destination. Otherwise, syslog-ng does not activate the flow-control, and messages may be lost.

The summary of the main points is as follows:

The syslog-ng application normally reads a maximum of log_fetch_limit() number of messages from a source.
From TCP, unix-stream, and unix-dgram sources, syslog-ng reads a maximum of log_fetch_limit() from every connection of the source. The number of connections to the source is set using the max_connections() parameter.
Every destination has an output buffer (log_fifo_size()).
Flow-control uses a control window to determine if there is free space in the output buffer for new messages. Every source or connection has its own control window; log_iw_size() parameter sets the size of the control window.
The output buffer must be larger than the control window of every connection that logs to the destination.
If the output buffer is full, syslog-ng stops reading messages from the source until some messages are successfully sent to the destination.
Note

If you modify the max_connections() or the log_fetch_limit() parameter, do not forget to adjust the log_iw_size() and log_fifo_size() parameters accordingly.

Note
If you modify the `max_connections()` or the `log_fetch_limit()` parameter, do not forget to adjust the `log_iw_size()` and `log_fifo_size()` parameters accordingly.

Example 7.1. Sizing parameters for flow-control
Suppose that syslog-ng has a source that must accept up to 300 parallel connections. Such situation can arise when a network source receives connections from many clients, or if many applications log to the same socket. Therefore, set the `max_connections()` parameter of the source to `300`. However, the `log_fetch_limit()` (default value: 10) and `log_iw_size()` (default value: 100) parameters apply to every connection of the source. In a worst-case scenario, the destination does not accept any messages, while all 300 connections send at least `log_fetch_limit()` number of messages to the source during every poll loop. Therefore the output buffer of the destination must accommodate at least `max_connections()`*`log_iw_size()` messages, that is: 300100=30000 messages. That way all incoming messages of ten poll loops fit in the output buffer. If the output buffer is full, syslog-ng does not read any messages from the source until some messages are successfully sent to the destination. source s_localhost { tcp(ip(127.0.0.1) port(1999) max-connections(300)); }; destination d_tcp { tcp("10.1.2.3" port(1999); localport(999)); log_fifo_size(30000); }; log { source(s_localhost); destination(d_tcp); flags(flow-control); }; If other sources send messages to this destination, than the output buffer must be further increased. For example, if a network host with maximum `100`* connections also logs into the destination, than increase the `log_fifo_size()` by `10000`. source s_localhost { tcp(ip(127.0.0.1) port(1999) max-connections(300)); }; source s_tcp { tcp(ip(192.168.1.5) port(1999) max-connections(100)); }; destination d_tcp { tcp("10.1.2.3" port(1999); localport(999)); log_fifo_size(40000); }; log { source(s_localhost); destination(d_tcp); flags(flow-control); };

Example 7.1. Sizing parameters for flow-control

Suppose that syslog-ng has a source that must accept up to 300 parallel connections. Such situation can arise when a network source receives connections from many clients, or if many applications log to the same socket. Therefore, set the max_connections() parameter of the source to 300. However, the log_fetch_limit() (default value: 10) and log_iw_size() (default value: 100) parameters apply to every connection of the source. In a worst-case scenario, the destination does not accept any messages, while all 300 connections send at least log_fetch_limit() number of messages to the source during every poll loop. Therefore the output buffer of the destination must accommodate at least max_connections()*log_iw_size() messages, that is: 300*100=30000 messages. That way all incoming messages of ten poll loops fit in the output buffer. If the output buffer is full, syslog-ng does not read any messages from the source until some messages are successfully sent to the destination.

source s_localhost { 
		  tcp(ip(127.0.0.1) port(1999) max-connections(300)); };
destination d_tcp { 
				tcp("10.1.2.3" port(1999); localport(999)); log_fifo_size(30000); };
log { source(s_localhost); destination(d_tcp); flags(flow-control); };

If other sources send messages to this destination, than the output buffer must be further increased. For example, if a network host with maximum 100 connections also logs into the destination, than increase the log_fifo_size() by 10000.

source s_localhost { 
			tcp(ip(127.0.0.1) port(1999) max-connections(300)); };
source s_tcp { 
			tcp(ip(192.168.1.5) port(1999) max-connections(100)); };
destination d_tcp { 
			tcp("10.1.2.3" port(1999); localport(999)); log_fifo_size(40000); };
log { source(s_localhost); destination(d_tcp); flags(flow-control); };

阅读(1733) | 评论(0) | 转发(0) |

上一篇：syslog-ng 系列连载-39 ：处理较重的消息负荷

下一篇：syslog-ng 系列连载-41 ：sync（）参数

给主人留下些什么吧！~~

感谢所有关心和支持过ChinaUnix的朋友们

16024965号-6