What type of storage are you writing to? The slow-down might be disk access. If you really want to log traffic in the 10,000 pkt/sec range, I would start by writing to memory storage, and then have a process in the background sync to disk. Hopefully the sync will be able to keep up relatively well.

You'll also want a writing system with very little overhead. Writing directly to a file with no abstraction layer, using binary output, might be the fastest thing possible, short of writing to a raw partition table.

The other thing to consider is, even with all of the data written, how will you read it? Having a file constantly open for writing precludes being able to reliably read from it.

Joel Gerber
Network Specialist
Network Operations
Eastlink
E: Joel.Gerber@xxxxxxxxxxxxxxxx
T: 519.786.1241

-----Original Message-----
From: netfilter-owner@xxxxxxxxxxxxxxx [mailto:netfilter-owner@xxxxxxxxxxxxxxx] On Behalf Of Akshat Kakkar
Sent: November-21-14 7:36 AM
To: netfilter@xxxxxxxxxxxxxxx
Subject: iptables logging using ulog : which can handle high traffic, writing in db or json or xml?

I want to do logging of traffic iptables rules. Traffic can go up to 10000 pkts/sec.

While using ulog and writing in mysql db, I could not get good results. Max around 300 pkts/sec were able to handle. Further traffic was delayed in db.

Then I used json, it was able to handle around 1700 pkts/sec, beyond that there is traffic loss in json file.

Is there any other mode which can be faster than json without losing any traffic?
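Added example, not part of the original thread and not ulogd code: a sketch of the approach suggested in the reply (queue records in memory, let a background thread batch them to disk as fixed-size binary records, and read back only whole records). The record layout and the names `BinaryPacketLog` and `read_records` are assumptions made for illustration.

```python
import os
import queue
import socket
import struct
import threading

# Constructed fixed-size layout (an assumption, not a ulogd format):
# timestamp, src IPv4, dst IPv4, src port, dst port, protocol, length
RECORD = struct.Struct("!d4s4sHHBH")  # 23 bytes, network byte order

class BinaryPacketLog:
    """Hot path only queues packed bytes; a background thread batches them to disk."""

    def __init__(self, path, max_pending=100_000):
        self.pending = queue.Queue(maxsize=max_pending)
        self.dropped = 0  # records lost because the writer fell behind
        self._fh = open(path, "ab")
        self._worker = threading.Thread(target=self._drain, daemon=True)
        self._worker.start()

    def log(self, ts, src, dst, sport, dport, proto, length):
        rec = RECORD.pack(ts, socket.inet_aton(src), socket.inet_aton(dst),
                          sport, dport, proto, length)
        try:
            self.pending.put_nowait(rec)
        except queue.Full:
            self.dropped += 1  # count the loss instead of stalling the caller

    def _drain(self):
        running = True
        while running:
            batch = [self.pending.get()]  # block until there is work
            while len(batch) < 4096 and not self.pending.empty():
                batch.append(self.pending.get_nowait())
            if None in batch:  # sentinel queued by close()
                batch = batch[:batch.index(None)]
                running = False
            self._fh.write(b"".join(batch))
            self._fh.flush()

    def close(self):
        self.pending.put(None)
        self._worker.join()
        os.fsync(self._fh.fileno())
        self._fh.close()

def read_records(path):
    """Parse only whole records, ignoring a partially written tail."""
    usable = os.path.getsize(path) // RECORD.size * RECORD.size
    with open(path, "rb") as fh:
        data = fh.read(usable)
    return [RECORD.unpack_from(data, off) for off in range(0, usable, RECORD.size)]
```

The `dropped` counter makes loss visible when the disk cannot keep up, which is the figure to watch when comparing this against the database and JSON outputs.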