6 Replies Latest reply on Sep 11, 2013 6:48 PM by njoylif

    is agent multithreaded

    njoylif

      We are using a linux system as syslog server w/ agent to parse as too heavy load for LEM itself.

      we are slamming the linux system and they wanted to know if multi-thread capable.

        • Re: is agent multithreaded
          svindler

          Are you using syslog-ng on the linux server?

          syslog-ng is multithreaded and able to do very creative filtering, and is able to simultaneously log locally and forward to LEM.

            • Re: is agent multithreaded
              njoylif

              yep, I know it can do crazy filtering and forward, but I need the agent to parse and send that info to LEM.

              Our LEM can't handle the load of RAW syslog.  The agent is pegging the CPU parsing through the syslogs.

              Thanks for the suggestions.

                • Re: is agent multithreaded
                  nicole pauls

                  Has support or anyone helped you adjust the memory available to the agent yet? It could be a memory availability issue - we've seen the CPU get pegged more frequently when there isn't enough available memory versus not enough CPU. By default the agent itself only uses something like 64-128M of RAM, which is probably not enough at high throughput.

                    • Re: is agent multithreaded
                      njoylif

                      no, that would be good to test.. this is definitely high throughput.  probably 100GB/day on normal day.  please let me know how to set that and I'll test it out.

                      Thanks!

                        • Re: is agent multithreaded
                          nicole pauls

                          On the system, there should be a "SWLEMAgent.lax" file inside the agent install directory (regardless of platform). Within this LAX file are some configuration parameters. You're looking for the "lax.nl.java.option.additional" parameter and you need to add "-Xmx" and "-Xms" arguments that specify the memory settings (ms = minimum memory, mx = maximum memory; best for high throughput is to allocate enough memory at startup, possibly the same number). The argument should already be there with other info, so be careful to not mess with what's there.

                           

                          It should look something like this, you just want to add the bits at the end (bold - sets agent to use 256MB) and restart the service:

                          lax.nl.java.option.additional=-Djava.library.path=5.3.1\\lib -Xms256m -Xmx256m

                          Since the default is 64/128M, we usually start at 256M and work our way up. I've seen high throughput windows event log systems at 512M and we allocate up to multiple gigs to the appliances (when we sold hardware syslog servers, they had 12G and we'd allocate 5G to the agent... oh my!).

                          1 of 1 people found this helpful