We are using a Linux system as a syslog server with an agent to parse, as the load is too heavy for LEM itself.
We are slamming the Linux system, and they wanted to know if it is multi-thread capable.
Are you using syslog-ng on the Linux server?
syslog-ng is multithreaded and able to do very creative filtering, and is able to simultaneously log locally and forward to LEM.
Yep, I know it can do crazy filtering and forwarding, but I need the agent to parse and send that info to LEM.
Our LEM can't handle the load of raw syslog. The agent is pegging the CPU parsing through the syslogs.
Thanks for the suggestions.
Has support or anyone helped you adjust the memory available to the agent yet? It could be a memory availability issue - we've seen the CPU get pegged more frequently when there isn't enough available memory versus not enough CPU. By default the agent itself only uses something like 64-128M of RAM, which is probably not enough at high throughput.
No, that would be good to test. This is definitely high throughput, probably 100GB/day on a normal day. Please let me know how to set that and I'll test it out.
Thanks!
On the system, there should be a "SWLEMAgent.lax" file inside the agent install directory (regardless of platform). Within this LAX file are some configuration parameters. You're looking for the "lax.nl.java.option.additional" parameter and you need to add "-Xmx" and "-Xms" arguments that specify the memory settings (ms = minimum memory, mx = maximum memory; best for high throughput is to allocate enough memory at startup, possibly the same number). The argument should already be there with other info, so be careful to not mess with what's there.
It should look something like this; you just want to add the bits at the end (the added part sets the agent to use 256MB) and restart the service:
lax.nl.java.option.additional=-Djava.library.path=5.3.1\\lib -Xms256m -Xmx256m
Since the default is 64/128M, we usually start at 256M and work our way up. I've seen high throughput Windows event log systems at 512M, and we allocate up to multiple gigs to the appliances (when we sold hardware syslog servers, they had 12G and we'd allocate 5G to the agent... oh my!).
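The edit described in the post above, as an added shell example (not SolarWinds' own tooling): it rewrites the lax.nl.java.option.additional line in SWLEMAgent.lax to set -Xms and -Xmx to the same size, replacing any heap flags already there and keeping the rest of the line. The file path and the helper names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not SolarWinds' own tooling: set the LEM agent's JVM heap by
# editing lax.nl.java.option.additional in SWLEMAgent.lax. Any existing
# -Xms/-Xmx flags on that line are replaced; everything else on the line
# (e.g. -Djava.library.path=...) is kept. File paths are assumptions.

KEY='lax.nl.java.option.additional'

# set_agent_heap <path-to-SWLEMAgent.lax> <megabytes>
# Sets -Xms and -Xmx to the same value (the post's recommendation for high
# throughput) and leaves a timestamped backup beside the file.
set_agent_heap() {
    lax="$1"; mb="$2"
    case "$mb" in ''|*[!0-9]*) echo "heap size must be a whole number of MB" >&2; return 1;; esac
    grep -q "^${KEY}=" "$lax" || { echo "no ${KEY} line in $lax" >&2; return 1; }
    cp -p "$lax" "${lax}.bak.$(date +%Y%m%d%H%M%S)" || return 1
    out="${lax}.tmp.$$"
    # 1) strip any existing -Xms/-Xmx flags on the key line
    # 2) append the new pair at the end of that line
    sed -e "/^${KEY}=/s/ -Xm[sx][0-9]*[kKmMgG]\{0,1\}//g" \
        -e "/^${KEY}=/s/\$/ -Xms${mb}m -Xmx${mb}m/" "$lax" > "$out" || return 1
    # write back in place so the original file's permissions are preserved
    cat "$out" > "$lax" && rm -f "$out"
}

# current_agent_heap <path-to-SWLEMAgent.lax>
# Prints the configured -Xmx value (e.g. "256m"), or nothing if none is set.
current_agent_heap() {
    sed -n "s/^${KEY}=.*-Xmx\([0-9]*[kKmMgG]\{0,1\}\).*/\1/p" "$1"
}

# Usage (then restart the agent service; the path is an assumption):
#   set_agent_heap /path/to/SWLEMAgent.lax 256
```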
Most excellent. I've put a ticket in so my Linux team can tweak. I'll post here when I determine the effect.