Overloading your Kiwi Syslog Server can occur in many ways. 

The first and most obvious sign is a non-zero value in the "Message Queue overflow" section of the Kiwi Syslog Server diagnostic information.

A non-zero value indicates that messages are being lost due to overloading the internal message buffers. This can be verified by viewing your diagnostic information:

Go to the View Menu > Debug options > Get diagnostic information (File Menu > Debug options, if running the non-service version). If you see non-zero values then you know you have a problem.

The second way overloading occurs is when the "Messages per hour - Average" value in the Kiwi Syslog Server diagnostic information exceeds the recommended "maximum" syslog message output that Kiwi Syslog Server can nominally handle. This value is around 1 - 2 million messages per hour on average, depending on the number and complexity of the rules configured in your Kiwi Syslog Server.

If either of these two scenarios is true for your current Kiwi Syslog Server instance, then load balancing your syslog message load can mitigate any overloading that may occur.

To load balance Kiwi Syslog Server, start by inspecting your Kiwi Syslog Server diagnostic information, looking specifically for syslog hosts that account for around 50% of all syslog traffic. These higher-utilization devices are candidates for load balancing, which is accomplished by implementing a second instance of Kiwi Syslog Server.

For example, consider the following "Breakdown of Syslog messages by sending host" from the diagnostics information.

Breakdown of Syslog messages by sending host

| Top 20 Hosts | Messages | Percentage |
|---|---|---|
| 1. 162.19.168.153 | 143054 | 23,92% |
| 2. 162.19.168.136 | 121773 | 20,36% |
| 3. 162.19.168.154 | 30102 | 5,03% |
| 4. 162.19.169.100 | 29908 | 5,00% |
| 5. 162.19.169.83 | 28576 | 4,78% |
| 6. 162.19.168.86 | 26452 | 4,42% |
| 7. 162.19.168.21 | 17897 | 2,99% |
| 8. 162.19.169.4 | 12809 | 2,14% |
| 9. 162.19.169.36 | 6780 | 1,13% |

From these diagnostics, you can see that 162.19.168.153 and 162.19.168.136 account for >50% of the syslog load.  Most of the time, 50% of all syslog events come from one or two devices, and this is indeed the case here.

To enable a load balanced Kiwi Syslog Server configuration, perform the following actions:

  1. Install a second instance of Kiwi Syslog Server on a second machine.
  2. Replicate the configuration from the first machine to the second:
     - On the original instance: File Menu > Export Setting to INI file.
     - On the new instance: File Menu > Import settings from INI file.
  3. Reconfigure devices 162.19.168.153 and 162.19.168.136 to send syslog events to the new instance.
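The host selection described above can be scripted once the breakdown has been copied out of the diagnostic information. The following is an added example, not part of the original article or of Kiwi Syslog Server; the row layout, the function names `parse_breakdown` and `plan_split`, the sample addresses and the default ceiling are assumptions.

```python
import re

# Constructed sample laid out like the host breakdown above: optional rank,
# host, message count, percentage with a decimal comma. Not real diagnostics.
SAMPLE = """\
  1. 192.0.2.10   310000  31,00%
  2. 192.0.2.11   240000  24,00%
  3. 192.0.2.12    90000   9,00%
  4. 192.0.2.13    60000   6,00%
"""

ROW = re.compile(r"^\s*(?:\d+\.\s+)?(\S+)\s+(\d+)\s+(\d+(?:[.,]\d+)?)%\s*$")


def parse_breakdown(text):
    """Return [(host, messages, percent_of_all_traffic)] for each table row."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # headings and blank lines do not match and are skipped
            host, count, pct = m.groups()
            rows.append((host, int(count), float(pct.replace(",", "."))))
    return rows


def plan_split(rows, hourly_avg, target_pct=50.0, ceiling=1_000_000):
    """Choose the top talkers to repoint at a second instance.

    hourly_avg is the "Messages per hour - Average" figure; ceiling is an
    assumed per-instance limit (low end of the 1 - 2 million range).
    """
    move, moved_pct = [], 0.0
    for host, _count, pct in sorted(rows, key=lambda r: r[2], reverse=True):
        if moved_pct >= target_pct:
            break
        move.append(host)
        moved_pct += pct
    # If the listed hosts never reach target_pct, every listed host is
    # returned; check moved_pct before acting on the plan.
    new_rate = round(hourly_avg * moved_pct / 100)
    rates = {"original": round(hourly_avg) - new_rate, "new": new_rate}
    return {"move": move, "moved_pct": moved_pct, "per_hour": rates,
            "over_ceiling": [n for n, r in rates.items() if r > ceiling]}


if __name__ == "__main__":
    print(plan_split(parse_breakdown(SAMPLE), hourly_avg=1_800_000))
```

A non-empty `over_ceiling` list means the projected rate on that instance is still above the assumed limit after the move, so the split needs more hosts moved or a further instance.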