Syslog Watcher Performance Overview
Syslog Watcher, like any syslog server, must have at least three main performance qualities:
- Receiving syslog messages without a loss
- Storing of the received messages optimally
- Displaying a large number of messages through a quick UI
If these functions are realized excellently, syslog server will be a good helper for a network administrator. Syslog Watcher fully conforms to these requirements and is a very effective network tool. Our server solves the problem of receiving logs from an entire network.
Lossless Syslog Receiving
Syslog server must register all syslog messages coming from the network. We understand the absolute inadmissibility of losing a syslog, even on slow hardware. That is why we are constantly working on increasing Syslog Watcher's performance. The test results reveal that our server is able to register more than 3,000 syslog messages per second on average hardware. This is not a peak performance but a continuous processing.
This is the result of Syslog Watcher Pro (Service Mode), which was installed on a workstation (CPU 2GHz, RAM 1GB, HDD 5400rpm).
Optimal Syslog Storage
The second main task of a syslog server is to store all received messages. These messages should be stored in the most optimal way, as far as in a large network is concerned, the total amount of syslog traffic generated by the whole network is extremely large. At the same time, the company's policy can require keeping the syslog for a long period. As a result, the syslog storage will have grown to a very large size over time. When developing Syslog Watcher, we took this fact into consideration and added a varied limitation of storing time for syslog messages. Therefore, more important messages will be kept longer, and the less important ones will be kept for the minimal possible period. This limits the acceptable storage size without the loss of important information.
Example. Suppose that there are some syslog sources in the network and important messages come to syslog server several times an hour, informational - several times a minute, and debug messages - every 2-3 seconds. The company policy requires storing syslog for quite a long period of time for troubleshooting and analysis.
If there are not any limits for the storage time (case #1), the size of the storage will constantly increase, and by the end of the first year, there will be more than 3 GB of storage. The setting of a simple limit for storing messages (case #2) stops the growth of the syslog storage size at 1.5-2 GB. Using the advanced mode allows a setting for one year of storage time for all messages, except for the debug ones, for which the storage time is one month. As a result, the storage size is fixed and is approximately 500-600 MB.
The example given above reveals the advantage of the varied limits within small networks. We are experienced in the installation of our product in networks where the number of syslog messages received by the syslog server per hour is as many as 50,000. When a flow is so intensive, the effectiveness of the varied limiting is extremely useful.
You can estimate the size of syslog storage in your case with Syslog Watcher Storage Size Estimator.
Rapid Syslog Viewer
Syslog viewer is a very important part of the syslog server. Taking into account the fact that every minute a syslog server receives several hundreds messages and that its storage contains hundreds of thousands of syslog messages, the syslog viewer user interface must be maximally fast and easy to use.
We attempted to make the filtering of displayed syslog messages in Syslog Watcher maximally easy and intuitive. As for the productiveness of the UI, we paid special attention to this while designing the product. Syslog storage is a special optimized database, thus sequence reading can be performed with the speed of 250,000+ syslog messages per second.
The graph given allows for the ability to estimate the effectiveness of Syslog Watcher as a viewer of syslog messages.
In summary, it could be argued that Syslog Watcher is a powerful syslog server and a high-performance syslog viewer.
See also Syslog Watcher Features and Benefits section for more information.
