Load balance the Kiwi Syslog Server

Updated March 20th, 2016

Overview

This article discusses how to load balance the Kiwi Syslog Server to mitigate any overloading that may occur.

Overloading in Kiwi Syslog Server manifests in the following ways:

  • When there is a non-zero value in the Message Queue overflow section of the Kiwi Syslog Server diagnostic information.  A non-zero value indicates that messages are being lost (due to overloading the internal message buffers).  To view diagnostic information in Kiwi Syslog Server, go to the View Menu > Debug options > Get diagnostic information (File Menu > Debug options, if running the non-service version).
  • When the Messages per hour - Average value in the Kiwi Syslog Server diagnostic information is above the recommended maximum syslog message throughput that Kiwi Syslog Server can nominally handle. This value is around 1 - 2 million messages per hour (average), depending on the number and complexity of rules configured in Kiwi Syslog Server.

Environment

All Kiwi Syslog Server versions

Steps

  1. Inspect your Kiwi Syslog Server diagnostic information, specifically looking for syslog hosts that account for around 50% of all syslog traffic. These higher utilization devices are candidates for load balancing through a second instance of Kiwi Syslog Server.
    For example, consider the following "Breakdown of Syslog messages by sending host" from the diagnostics information.
    Breakdown of Syslog messages by sending host

    Top 20 Hosts      Messages    Percentage
    162.19.168.153    143054      23,92%
    162.19.168.136    121773      20,36%
    162.19.168.154    30102       5,03%
    162.19.169.100    29908       5,00%
    162.19.169.83     28576       4,78%
    162.19.168.86     26452       4,42%
    162.19.168.21     17897       2,99%
    162.19.169.4      12809       2,14%
    162.19.169.36     6780        1,13%
    ...               ...         ...

    From these diagnostics, you can see that 162.19.168.153 and 162.19.168.136 account for approximately 50% of the syslog load. We normally just start adding utilization figures from the top of the list, until we get to about 50%. Most of the time, 50% of all syslog events come from one or two devices, and this is indeed the case here.
  2. Install a second instance of Kiwi Syslog Server (on a second machine).
  3. Replicate the config from the first machine to the second. 
    1. On the original instance, click File Menu > Export settings to INI file.
    2. On the new instance, click File Menu > Import settings from INI file.
  4. Reconfigure devices 162.19.168.153 and 162.19.168.136 to send syslog events to the new instance.
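
The selection in step 1 can be scripted. The following Python is an added example, not SolarWinds code: it parses a breakdown laid out as whitespace-separated text (an assumed layout, with rows constructed from the table above, including the comma decimal separator) and adds shares from the top of the list. The function names and the min_share cut-off are assumptions of this example.

```python
import re

# Constructed input: rows copied from the article's example table, laid out as
# whitespace-separated text. The real diagnostics layout may differ.
SAMPLE_BREAKDOWN = """\
Top 20 Hosts     Messages   Percentage
162.19.168.153   143054     23,92%
162.19.168.136   121773     20,36%
162.19.168.154   30102      5,03%
162.19.169.100   29908      5,00%
162.19.169.83    28576      4,78%
162.19.168.86    26452      4,42%
162.19.168.21    17897      2,99%
162.19.169.4     12809      2,14%
162.19.169.36    6780       1,13%
"""

# host, message count, percentage written with either "," or "." as decimal mark
ROW = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\d+(?:[.,]\d+)?)\s*%\s*$")


def parse_breakdown(text):
    """Return (host, messages, percent) tuples, sorted by share, largest first."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # header, blank and "..." lines do not match and are skipped
            host, count, pct = m.groups()
            rows.append((host, int(count), float(pct.replace(",", "."))))
    return sorted(rows, key=lambda r: r[2], reverse=True)


def pick_hosts_to_move(rows, target=50.0, min_share=10.0):
    """Add shares from the top until about `target` percent is covered.

    min_share is an assumption of this example: hosts below it are not worth
    re-pointing, so the walk stops there even if the target is not reached.
    """
    chosen, covered = [], 0.0
    for host, _count, pct in rows:
        if covered >= target or pct < min_share:
            break
        chosen.append(host)
        covered += pct
    return chosen, round(covered, 2)


if __name__ == "__main__":
    hosts, covered = pick_hosts_to_move(parse_breakdown(SAMPLE_BREAKDOWN))
    print(f"Move {hosts} to the second instance ({covered}% of traffic)")
```

With the sample rows this selects 162.19.168.153 and 162.19.168.136, the same two devices named in step 4.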

 

Last modified
14:58, 6 Jul 2017