Syslog Connector Performance Tuning

Summary:

The document "Syslog Connector Performance Tuning" focuses on enhancing the efficiency of Syslog Connectors used in data collection within Hewlett-Packard solutions. It discusses different types of Syslog connectors, their components and operation, event flow stages, identifying bottlenecks, and methods for performance tuning through parameter adjustments to manage memory and throughput effectively. The document is particularly relevant for environments where high frequency of Full Garbage Collection (GC) events or significant differences in round trip times can lead to performance issues. Here are the key points from the document: 1. **Understanding Syslog Connectors:** - These connectors facilitate the transmission of data logs from devices such as routers, switches, and other networking equipment to a centralized system for analysis and management. - They support various protocols including TCP, UDP, TLS, SSL/TLS, and Kerberos authentication. - The document mentions that Syslog Connectors can be deployed either as services under software connectors running as services or standalone applications on connector appliances. 2. **Memory Management in Syslog Connectors:** - Memory issues such as insufficient physical RAM or swap space, process size limits on a 32-bit system, and high memory usage leading to Full Garbage Collection (GC) events can cause JVM crashes due to malloc failures. - Recommendations include adjusting JVM parameters like `-Xms` and `-Xmx` in configuration files under the `current/user/agent` folder or creating custom scripts for setting these options. - It is suggested that memory allocations should be increased if physical RAM or swap space is insufficient, or if there are issues with process size limits on a 32-bit system. 3. **Performance Tuning and Memory Allocation:** - Specific settings include adjusting heap sizes (`wrapper.java.initmemory`, `wrapper.java.maxmemory`), Perm gen space (`-XX:PermSize`, `-XX:MaxPermSize`), stack size (`-Xss`), and other JVM parameters to manage native memory usage efficiently. - For service-based applications, setting custom options like `ARCSIGHT_MEMORY_OPTIONS` can help allocate specific amounts of heap space as needed. 4. **Troubleshooting Techniques:** - If increasing heap space does not solve the issue, check for potential memory leaks or bugs by opening a support incident with logs and heap dumps. - Adjustments in JVM parameters such as reducing heap size using `-Xms` and `-Xmx` can be tried if needed to manage native memory usage. 5. **Customer Cases:** - **Case 2:** High frequency of Full GC events lead to poor performance, which was addressed by increasing the Java heap size from default (1024 MB) to 2048 MB and enabling multi-threading for better event queue handling. - **Case 3:** Significant differences in round trip times between loggers led to caching issues, resolved by enabling multi-threading on the ESM transport with a thread count of up to 7. 6. **Recommendations:** - Consider device types and expected event volume during deployment planning to determine optimal connector distribution across multiple systems or connectors if handling more than 2000 events per second. - Ensure that Java heap sizes are well below total system memory to avoid performance bottlenecks and potential Full GC issues. In conclusion, the document provides a comprehensive guide on how to configure and adjust JVM settings for optimal performance in high-traffic environments where insufficient resources or mismanaged throughput can lead to problems. The tuning strategies include direct allocation changes in configuration files as well as indirect strategies such as tuning TCP connection management and optimizing event processing queues.

Details:

The presentation titled "Syslog Connector performance tuning" is aimed at enhancing the efficiency of Syslog Connectors used for data collection in various systems, particularly within Hewlett-Packard's solutions. The session covers several aspects including different variants of the Syslog connector, its components and operation, stages in the event flow, identifying bottlenecks, and methods to optimize performance through tuning. The presentation begins by introducing various types of Syslog connectors such as Network File listeners, readers, ArcSight CEF, Syslog NG Encrypted, Daemon Pipe, File, and Raw TCP. Each variant operates on different protocols and supports distinct features like TLS encryption for secure data transfer. Next, the components involved in the Syslog connector's operation are detailed, including how raw events are processed from reception to parsing, queuing, processing, and finally being transported to their intended destinations such as ESM or Logger subsystems. Performance bottlenecks within this event flow were identified and discussed along with strategies for tuning these processes: 1. **Event Reception**: The choice of transport protocol significantly impacts performance—UDP is ideal for reliable networks, while Raw TCP is recommended for less dependable networks. TLS should be used when encryption is required across all platforms except Unix where it supports only UDP and Raw TCP. Tuning parameters such as `tcppeerclosedchecktimeout` and `tcpmaxsockets` help in managing idle connections that can grow over time due to a large number of devices or frequent new connections. 2. **Event queuing**: With high event volumes, the file queue can build up leading to delays if not properly managed. Tuning here involves enabling multithreading for syslog parser and increasing the size of the file queue. Parameters such as `syslog.parser.multithreading.enabled` and `syslog.parser.threadcount` help in optimizing this process. Additional sections cover handling out-of-memory issues, providing examples from customer cases, and general recommendations for tuning Syslog connectors to ensure optimal performance across different environments. This document provides guidelines for tuning the Syslog Connector's performance, particularly focusing on reducing bottlenecks related to device inspection and memory usage. The connector can be customized by adjusting parameters such as threads per processor, file queue size, subagent list restriction, and heap space allocation in Java. Performance enhancements include optimizing regex expressions within parsers for better matching efficiency, batching agent events in larger sizes than the default of 100 to reduce network load, and simplifying external map queries for faster processing. Additionally, tuning memory usage by categorizing device types can help manage large numbers of devices efficiently. The provided text outlines several performance tuning strategies for the Syslog Connector, focusing on event transport, Java process memory management, and dealing with out-of-memory errors. Key points include: 1. **Event Transport Optimization**:

• Restricting the field set to minimum required helps in reducing the number of comparisons during events.

• Choosing an optimal event threshold value keeps the number of field comparisons low.

• Avoid using 'preserve common fields' in high-volume environments to prevent blocking the event flow.

• Name resolution is handled in background threads without blocking the event flow, but enabling 'Wait For Name Resolution' should be avoided in demanding scenarios.

2. **Performance Tuning for Syslog Connector**:

• When cache becomes full, events are dropped to avoid delays and prevent loss of data.

• Enable transport multithreading only when network latency is the cause of caching issues.

• Increasing the cache size can help hold more events in the cache before they reach their destination.

3. **Java Process Memory Management**:

• Connectors use a 32-bit JRE on both 64-bit systems, with heap space and native memory allocation constraints.

• Heap space is managed by JVM parameters like -Xms (initial heap size) and -Xmx (maximum heap size).

• Permanent generation space is limited in size due to OS factors; default limits are set at 1GB for connectors, 1.5 GB for Windows, and 2 GB for Unix systems.

• Native memory equals process memory minus heap space.

4. **Garbage Collection**:

• Minor collections (GC) clear young generation memory, while major collections (Full GC) reclaim all heap space memory.

• Frequent Full GCs can significantly impact application performance and should be monitored for signs of needing more heap space or adjustments in JVM parameters.

5. **Dealing with Java Out-of-Memory Errors**:

• Increase the maximum heap size using JVM options like -Xmx to avoid 'java.lang.OutOfMemoryError: Java heap space'.

• If increasing heap space does not solve the issue, check for potential memory leaks or bugs by opening a support incident with logs and heap dumps.

• Adjustments in JVM parameters such as reducing heap size using -Xms and -Xmx can be tried if needed to manage native memory usage.

Overall, these guidelines help in maintaining optimal performance of the Syslog Connector by balancing between data handling efficiency and system resource management. The provided text discusses troubleshooting and performance tuning for a Syslog Connector, focusing on memory management issues that arise when the JVM crashes due to malloc failures. These issues can be caused by insufficient physical RAM or swap space, hitting process size limits on a 32-bit system, or high memory usage leading to Full Garbage Collection (GC) events. To address these issues, several measures are suggested: 1. **Adjusting Memory Options**: This includes modifying settings in configuration files for both software connectors running as services and standalone applications. Adjustments can be made under the `current/user/agent` folder, either through `agent.wrapper.conf` or by creating a custom script like `setmem.sh` or `setmem.bat`.

• For service-based applications:

``` set ARCSIGHT_MEMORY_OPTIONS="-Xms256m -Xmx256m" export ARCSIGHT_MEMORY_OPTIONS (for Unix systems) ```

• For standalone applications or connector appliances, specific settings like `wrapper.java.initmemory`, `wrapper.java.maxmemory`, and additional Java parameters for Perm gen space (`-XX:PermSize` and `-XX:MaxPermSize`) and stack space (`-Xss`) can be adjusted based on requirements.

2. **Memory Allocation**: If physical RAM or swap space is insufficient, consider increasing either of these resources or reducing the application's memory footprint by decreasing the number of threads or heap/stack sizes. 3. **Performance Tuning and Customer Cases**: Specific customer issues are discussed with solutions that involve adjusting settings to improve performance:

• For TCP connections not being closed properly by sources, setting `tcppeerclosedchecktimeout` to a longer duration (e.g., 30000 msec) can help manage buffer sizes effectively.

• Managing event rates and queue lengths is crucial; excessive queuing can lead to dropped events. Increasing heap space might not always solve memory issues directly, but better resource management through configuration adjustments can mitigate these problems.

In summary, the text provides detailed guidance on how to configure and adjust JVM settings for optimal performance, particularly in high-traffic environments where insufficient resources or mismanaged throughput are problematic. Adjustments include both direct allocation changes in configuration files and indirect strategies such as tuning TCP connection management and optimizing event processing queues. This document discusses performance tuning of Syslog Connectors used in data collection from loggers to a centralized system (ESM). Two customer cases are presented with their respective issues and solutions: **Customer Case 2:**

• **Problem:** High frequency of Full GC (Garbage Collection) events, leading to poor performance.

• **Solution:**

1. Increased Java heap size from default to 2048 MB to decrease the occurrence of Full GCs. 2. Enabled syslog parser multi-threading to handle event queue more efficiently. 3. Increased file queue size and cache size during peak hours to prevent data loss due to congestion. 4. If needed, split the event volume among multiple connectors if a single connector couldn't manage the load. **Customer Case 3:**

• **Problem:** Significant difference in round trip times between loggers in the UK and USA (UK logger took much longer), causing caching issues.

• **Solution:** Enabled multi-threading on the ESM transport with a thread count of up to 7, which significantly reduced latency and resolved the caching issue.

**Recommendations:**

• Consider device types, event volume during deployment planning.

• Split load across multiple connectors if handling more than 2000 events/sec.

• Group devices by type for optimal connector distribution.

• Ensure that Java heap sizes are well below total system memory to avoid performance bottlenecks.