UPDATE! The community will be go into read-only on April 19, 8am Pacific in preparation for migration on April 21. Read more.
UPDATE! The community will be go into read-only on April 19, 8am Pacific in preparation for migration on April 21.Read more.
This website uses cookies. By continuing to browse or login to this website, you consent to the use of cookies. Learn more.
OK
Glasscock
Absent Member.
Absent Member.
‎2012-10-05 16:33
488 views

Connector Appliance to Logger EPS lower then expect

We have a new connector appliance (C3400) with a syslog connector receiving ~3000 eps.  It is forwarding logs to a Logger (L7200) at a max of ~350 eps.

We feel it should be able to send much more the ~350 eps to a Logger.

We have the memory increased to 1GB on the Container.

We have tried multi-threading.

We have tried aggregation.

We have tried eliminating extra syslog types.

We are only receiving Cisco ASA and Netscreen FW events via syslog.

Any Suggestions?

Labels (3)
Labels
0 Likes
Reply
Report Inappropriate Content
5 Replies
ld3161
Absent Member.
Absent Member.
‎2012-10-06 09:48

Wouldn't this number be lower anyways since the connector has done its aggregation by time it forwards to logger? Also, check the batching? I have seen improvements by upping it to 300 and 1 sec. Also check the ping between the appliance and logger for network latency. Oh, and whats up John? long time since we spoke. 

0 Likes
Reply
Report Inappropriate Content
Glasscock
Absent Member.
Absent Member.
‎2012-10-09 12:58

Hey Lennie, How are you doing man?  Yea, with aggregation the number would be lower, however we can see the connector cache grows and starts to drop events.  We are trying to work with our network guys to test the network connections.

0 Likes
Reply
Report Inappropriate Content
Vini
Fleet Admiral
Fleet Admiral
‎2012-10-09 13:14

What do you see in the agentdata directory?

If you see lots of .syslogd files then the problem is with the connector not being able to parse logs fast enough.

If that is the case try two things:

  • Try disabling aggregation
  • Check the connector logs to see if there are error parsing events as these would slow it down
0 Likes
Reply
Report Inappropriate Content
dan13lp3na
Absent Member.
Absent Member.
‎2013-05-08 22:48

Not sure if you resolved yet or not but I had the same issue on some syslog connectors (on conapps) with very high input EPS. I am working on a complete post of the experience but Iadded this to agent.properties and have had great success in getting events to the logger much faster.

 

transport.loggersecure.threads=10

I will be tesing adding transport.loggersecure.multithreaded=true to agent.properites over the next week to see if that improves it more. Will let you know

0 Likes
Reply
Report Inappropriate Content
kinneysr
Cadet 2nd Class Cadet 2nd Class
Cadet 2nd Class
‎2015-04-09 03:41

Yea -

I put in the agent.properties for my smartagent ...

transport.loggersecure.multithreaded=true

transport.loggersecure.threads= (not to exceed the number of processors)

... and now I have events flying to the logger.  I have a 7400 model with full text indexing turned on and it is doing really well.

scotty

0 Likes
Reply
Report Inappropriate Content
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.