Learn F5 Technologies, Get Answers & Share Community Solutions Join DevCentral

Filter by:
  • Solution
  • Technology
Clear all filters
Answers

High Speed Logging versus Local Logging

Working through a training session on iRules, did a lab exercise comparing timing stats on log versus HSL::send. Surprisingly, the same iRule performed considerably better with local logging than it did with high speed logging over UDP. It wasn't a confidence booster in HSL.

One of the other class attendees (an F5 proserv consultant) mentioned that because it's single local user load on a virtual Big-IP, it's still within the region of the performance graph where local logging is more efficient. Has anyone seen this graph, where HSL overtakes local logging? I have some iRules in production I was thinking about retrofitting for some additional logging using HSL, but now I'm concerned that adding the load to these rules (my debugging logging is all commented out in production) may be more detrimental than beneficial.

1
Rate this Discussion

Replies to this Discussion

placeholder+image

Really? What did you use to time them? And what was the config? And what did the code look like? Did you re-open the HSL every event? or just at connection accept time?

H

0
Comments on this Reply
Comment made 17-Mar-2014 by Eric Kolb 87
Timing was using iRules' built in timing control. Output readout on the console. The HSL connection was being opened on CLIENT_ACCEPTED and then written to on each HTTP_REQUEST. On the other end, log was writing to local0. on each HTTP_REQUEST.
0
placeholder+image

There's one really important distinction to make here, and that's that local Syslog and HSL aren't really comparable. Local Syslog is, well, local. It has fast track access to the local Syslog service through tmm. HSL on the other hand is designed for sending Syslog messages off-box and would be more comparable with modifying Syslog-ng to relay messages off-box or specifying an IP and port in a log local statement. The difference here is how each functions. If you specify an IP and port in a log local statement, or modify Syslog-ng, all Syslog traffic must flow from the data plane, to the management plane where the Syslog service lives, and then out. HSL traffic stays in the data plane, so there's no potential management plane bottleneck or performance hit.

I would imagine that local Syslog will always be faster, but HSL would be faster than remote Syslog.

0
Comments on this Reply
Comment made 17-Mar-2014 by Eric Kolb 87
I find it curious that HSL using a UDP connection could be faster than the local logging because the local log is written to disk. So, you're talking about an asynchronous network operation versus synchronous disk I/O. Anyhow, the official recommendation pertaining to logging is not to use log local0. in production, but HSL is presented as an alternative. I'm trying to figure out the tipping point where HSL makes sense in terms of performance versus local logging.
0
Comment made 17-Mar-2014 by Kevin Stewart
I actually said the opposite. Local Syslog will always be faster than HSL because it's the difference between writing to disk (I/O) and sending something off-box. The comparison was actually made between HSL and Syslog-ng configured to send messages off-box. In this case HSL would be faster.
0
Comment made 22-Nov-2017 by Harry 436

Hi kevin, i have some queries regrading syslog: * difference between simple syslog forwarding and HSL. * if configure syslog then which plane will be responsible i mean data plane or management plane in both cases.

0
Comment made 22-Nov-2017 by Kevin Stewart

Harry, as noted earlier, the primary difference is relative to sending traffic off-box. If you're going to generate a lot of logs, those logs will take up space on the local disk so always best to send them off-box. If you configure Syslog-ng to send off-box, your log messages still have to go to the management plane before exiting the box. If you use HSL, log messages egress directly from the data plane (thus are much faster).

0
Comment made 22-Nov-2017 by Harry 436

Thanks Kevin for prompt reply. actually there are 700-800 VS and customer wants to forward all logs to remote syslog. he has concern if managment plane or interface will send the log then it will utilize more hardware in terms of cpu and memory. it has 10G management but data interface is 40Gig so it is better to send all syslog related traffic via data port only.

also for snmp alerts can it use data interface or management?

1
Comment made 22-Nov-2017 by Kevin Stewart

As a rule, always use HSL for large amounts of logging.

0
Comment made 22-Nov-2017 by Stanislas Piron 10641

@Harry, if you want to send HTTP / HTTPS logs, you can use request logging profile instead of HSL::send commands.

0
Comment made 22-Nov-2017 by Harry 436

Hi Piron,

you mean to say ,i should configure logging profile in ASM policy? then can we configure destination here?

0
Comment made 22-Nov-2017 by Stanislas Piron 10641

No, LTM request logging profile

Local Traffic ›› Profiles : Other : Request Logging

look at this thread when you have both HSL irule and request logging profile configurations

0
Comment made 27-Nov-2017 by meeple 146

Hi, One more question in a similar problem :)

I've been using HSL irule to log http request/response data and I'm just trying to switch to using request-logging profile instead.

One problem I noticed that while using an irule I can reference a hsl profile which can log to a syslog server via the management interface.. And when using an request-logging profile I have to reference a syslog pool, so it has to be available via a self-ip. Is this right?

Is there any way to use request-logging profile and log to a syslog server available via the mgmt interface?

0