[stunnel-users] scaling stunnel

10-18-2007
Ben Hartshorne
 
Hi,

I am trying to set up syslog + stunnel in a large environment. I am
curious about the experience of members of this mailing list regarding
how stunnel + syslog-ng scale.

I set up a test environment using stunnel 3.26 (because that's what is
in my Debian installation)[*]. I configured stunnel to run as a daemon
(starting on boot), and syslog passes off messages and receives messages
from localhost:514. In the stunnel log, it tells me that there is a
limit of 500 clients, and it seems that with stunnel 3.x, it must be
recompiled to increase this limit. I found some posts on this list that
say that while stunnel 3.x uses select(), stunnel 4.x uses poll(), which
is much more efficient. So I figure that if I will have to roll my own
package, I may as well upgrade to 4.x at the same time. Agree? If so,
which version?

It's my understanding that this configuration will create a persistent
connection between the client and server, holding it open until such
time as syslog needs to send a message across it. How many clients have
you experienced being able to connect to the log aggregator? My logs
are rather sparse, so I expect I will hit a limit based on processor /
filehandle / memory usage before I start overloading the local disk.
Eventually, I realize that I will have to build a tree structure with
intermediate nodes aggregating logs and passing them on to the central
host, but I would like to know where people have hit that limit. I
would love to have ~5000 clients connected to each aggregating server.
Is this within the realm of experience?

Does anybody have tuning suggestions for such high numbers of
connections? I saw one person mention on the mailing list that
compiling without libwrap allowed him to pass ~2500 connections (though
he didn't give a new ceiling).

Thanks,

-ben
[*] I was actually impressed at how easy this was. Aside from having to
write my own /etc/init.d/ scripts to start the client and server, I
could bring down either end of the stunnel connection, and things would
just pick up where they left off when the tunnel was reconnected. Add
monit into the picture and you've got a nice resilient secure logging
system. Slick!

--
Ben Hartshorne
email: ben@hartshorne.net
http://ben.hartshorne.net
