[stunnel-users] scaling stunnel
Ben Hartshorne
stunnel at green.hartshorne.net
Fri Oct 19 00:33:28 CEST 2007
addendum that I forgot. My debian does actually have stunnel 4.09, I
just haven't gotten around to testing it yet (is there a compelling
reason to upgrade to 4.20 from 4.09?). And I'm running debian on linux
2.6.16-2-686-smp. ;)
-ben
On Thu, Oct 18, 2007 at 03:00:56PM -0700, Ben Hartshorne wrote:
> Hi,
>
> I am trying to set up syslog + stunnel in a large environment. I am
> curious about the experience of members of this mailing list regarding
> how stunnel + syslog-ng scale.
>
> I set up a test environment using stunnel 3.26 (because that's what is
> in my debian installation)[*]. I configured stunnel to run as a daemon
> (starting on boot), and syslog passes off messages and receives messages
> from localhost:514. In the stunnel log, it tells me that there is a
> limit of 500 clients, and it seems that with stunnel 3.x, it must be
> recompiled to increase this limit. I found some posts on this list that
> say that while stunnel 3.x uses select(), stunnel 4.x uses poll(), which
> is much more efficient. So I figure that if I will have to roll my own
> package, I may as well upgrade to 4.x at the same time. Agree? If so,
> which version?
>
> It's my understanding that this configuration will create a persistent
> connection between the client and server, holding it open until such
> time as syslog needs to send a message across it. How many clients have
> you experienced being able to connect to the log aggregator? My logs
> are rather sparse, so I expect I will hit a limit based on processor /
> filehandle / memory usage before I start overloading the local disk.
> Eventually, I realize that I will have to build a tree structure with
> intermediate nodes aggregating logs and passing them on to the central
> host, but I would like to know where people have hit that limit. I
> would love to have ~5000 clients connected to each aggregating server.
> Is this within the realm of experience?
>
> Does anybody have tuning suggestions for such high numbers of
> connections? I saw one person mention on the mailing list that
> compiling without libwrap allowed him to pass ~2500 connections (though
> he didn't give a new ceiling).
>
> Thanks,
>
> -ben
>
> [*] I was actually impressed at how easy this was. Aside from having to
> write my own /etc/init.d/ scripts to start the client and server, I
> could bring down either end of the stunnel connection, and things would
> just pick up where they left off when the tunnel was reconnected. Add
> monit into the picture and you've got a nice resilient secure logging
> system. Slick!
>
> --
> Ben Hartshorne
> email: ben at hartshorne.net
> http://ben.hartshorne.net
--
Ben Hartshorne
email: ben at hartshorne.net
http://ben.hartshorne.net
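
An added example, not part of the original post and not stunnel code: a C sketch of the descriptor arithmetic behind the select() versus poll() question, showing that poll() can watch a descriptor numbered at or above FD_SETSIZE while select() cannot. The two-descriptors-per-client cost and the 16 reserved descriptors are assumptions for a single-process proxy, and all function names are hypothetical.

```c
#include <fcntl.h>
#include <poll.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/select.h>
#include <unistd.h>

/* Assumptions (not from the post): two descriptors per client (TLS socket +
 * plaintext socket to local syslog), 16 kept for listeners, logs and stdio. */
#define FDS_PER_CLIENT 2
#define RESERVED_FDS 16

/* How many clients fit into a given descriptor budget. */
long clients_for_budget(long fd_budget) {
    return fd_budget <= RESERVED_FDS ? 0 : (fd_budget - RESERVED_FDS) / FDS_PER_CLIENT;
}

/* select() can only track descriptors numbered below FD_SETSIZE. */
int select_can_watch(int fd) { return fd >= 0 && fd < FD_SETSIZE; }

/* Try to raise the soft RLIMIT_NOFILE to `wanted`; 1 if it is now at least that. */
int raise_nofile(rlim_t wanted) {
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0) return 0;
    if (rl.rlim_cur < wanted) {
        rl.rlim_cur = wanted < rl.rlim_max ? wanted : rl.rlim_max;
        if (setrlimit(RLIMIT_NOFILE, &rl) != 0) return 0;
    }
    return rl.rlim_cur >= wanted;
}

/* 1 if poll() reports data on a descriptor >= FD_SETSIZE, 0 if it does not,
 * -1 if this environment cannot hand out such a descriptor. */
int poll_beyond_fd_setsize(void) {
    int p[2], ok = 0;
    if (!raise_nofile(FD_SETSIZE + 64) || pipe(p) != 0) return -1;
    int high = fcntl(p[0], F_DUPFD, FD_SETSIZE); /* lowest free fd >= FD_SETSIZE */
    if (high >= 0 && write(p[1], "x", 1) == 1) {
        struct pollfd pfd = { .fd = high, .events = POLLIN };
        ok = poll(&pfd, 1, 1000) == 1 && (pfd.revents & POLLIN) != 0;
    }
    close(p[0]); close(p[1]);
    if (high < 0) return -1;
    close(high);
    return ok;
}

int main(void) {
    printf("FD_SETSIZE budget fits %ld clients; poll() past FD_SETSIZE: %d\n",
           clients_for_budget(FD_SETSIZE), poll_beyond_fd_setsize());
    return 0;
}
```

Under these assumptions, 5000 clients need 10016 descriptors, so the process's open-file limit has to be raised well above the common default before the poll()-based design can reach that count.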