[rsyslog] omudpspoof performance
david at lang.hm
Tue Nov 8 00:01:12 CET 2011
On Mon, 7 Nov 2011, Murphy, Brandon wrote:
> I have noticed that using the omudpspoof action with the omudpspoof
> module enabled results in very slow forwards. I suspect this is due to
> the action of creating new sockets for each message being spoofed.
Yes, that would be the bottleneck.
> I have noticed, that even if all the messages being forwarded via a
> omudpspoof action are from a single ip address, it creates new sockets
> for each message being forwarded. This results in very slow forwarding
> times. I believe it would be much quicker, if instead, a single socket
> is created for each unique source ip address, send all messages via the
> open socket, keep that session open for a given timeout (perhaps
> configurable), and if it remains idle for that timeframe, close it.
This approach would solve the problem; however, the code to manage the open
sockets would be significant. A large number of open but idle sockets
could cause grief for other processes trying to grab ephemeral ports.
The other approach, which would be faster and safer, would be to craft the
raw packet directly rather than opening a socket and writing to it. This
is probably simpler than managing (including expiring) a large population
of sockets, but is far from trivial.
The current 'bind to a socket for every message' approach was implemented
because it was the easiest one to do.
> I attempted to speed up the forwarding process by limiting the spoof
> port start and end configuration options to a single port, but there was
> no noticeable increase in speed.
This would not make any difference (and would actually risk slowing things
down if it can't re-use a port already in use).
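
The "craft the raw packet directly" approach mentioned in the reply, as an added example that is not part of the original message and is not rsyslog's code: it assembles an IPv4+UDP datagram in a buffer with both checksums, so no socket has to be opened per message. The names `build_udp4` and `verify_udp4`, the documentation-range addresses and the sample message are assumptions; handing the buffer to a privileged raw socket is left out.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 1071 ones'-complement sum over big-endian 16-bit words. */
static uint32_t csum_add(uint32_t sum, const uint8_t *p, size_t n) {
    for (; n > 1; p += 2, n -= 2) sum += (uint32_t)p[0] << 8 | p[1];
    if (n) sum += (uint32_t)p[0] << 8;      /* odd trailing byte, zero-padded */
    return sum;
}
static uint16_t csum_fold(uint32_t sum) {
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}
static void put16(uint8_t *p, size_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* Hypothetical helper: build an IPv4+UDP datagram in buf. src and dst are
 * 4-byte addresses. Returns the total length, or 0 if it does not fit. */
size_t build_udp4(uint8_t *buf, size_t cap, const uint8_t *src, const uint8_t *dst,
                  uint16_t sport, uint16_t dport, const char *msg, size_t len) {
    size_t udplen = 8 + len, total = 20 + udplen;
    if (total > cap || total > 65535) return 0;
    uint8_t *ip = buf, *udp = buf + 20;
    memset(buf, 0, 28);
    ip[0] = 0x45;                           /* IPv4, 20-byte header */
    put16(ip + 2, total);
    ip[8] = 64; ip[9] = 17;                 /* TTL, protocol = UDP */
    memcpy(ip + 12, src, 4);
    memcpy(ip + 16, dst, 4);
    put16(ip + 10, csum_fold(csum_add(0, ip, 20)));
    put16(udp, sport); put16(udp + 2, dport); put16(udp + 4, udplen);
    memcpy(udp + 8, msg, len);
    /* UDP checksum also covers a pseudo-header: src, dst, protocol, length. */
    uint32_t ps = csum_add(0, ip + 12, 8) + 17 + (uint32_t)udplen;
    uint16_t c = csum_fold(csum_add(ps, udp, udplen));
    put16(udp + 6, c ? c : 0xffff);         /* 0 on the wire means "no checksum" */
    return total;
}
/* Receiver-side check: both checksums must fold to zero. */
int verify_udp4(const uint8_t *b, size_t total) {
    if (total < 28) return 0;
    uint32_t ps = csum_add(0, b + 12, 8) + 17 + (uint32_t)(total - 20);
    return !csum_fold(csum_add(0, b, 20)) && !csum_fold(csum_add(ps, b + 20, total - 20));
}
int main(void) {
    const uint8_t s[4] = {192, 0, 2, 10}, d[4] = {198, 51, 100, 5}; /* constructed */
    const char *m = "<13>constructed sample message";
    uint8_t pkt[256];
    size_t n = build_udp4(pkt, sizeof pkt, s, d, 514, 514, m, strlen(m));
    printf("%zu bytes, checksums %s\n", n, verify_udp4(pkt, n) ? "ok" : "bad");
    return 0;
}
```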