Managing the relay on the command line
Here's a reference for commands useful for managing the Devo Relay.
Starting and stopping the relay
/etc/init.d/devo-scoja-relay stop
/etc/init.d/devo-scoja-relay start
/etc/init.d/devo-scoja-relay restart
Tuning the relay
Scoja heap size
The Devo relay is based on a Java syslog engine called Scoja.
By default, Scoja is set to start with 70% of the total RAM available on the machine. To change this, the relay administrator can connect to the machine and edit the following line in the file /etc/init.d/devo-scoja-relay:
SCOJA_SERVER_OPTS="-XX:+UseConcMarkSweepGC -XX:MaxRAMPercentage=70.0 -XX:InitialRAMPercentage=70.0" \
In the example above, Scoja will take 70% of the machine memory. These parameters can be modified to specify the maximum and minimum percentages.
Another way of setting the RAM is by using a fixed amount of memory instead of a percentage. For instance, if you want to set 2GB RAM for Scoja, you should update the previous line as follows:
SCOJA_SERVER_OPTS="-XX:+UseConcMarkSweepGC -Xms2G -Xmx2G" \
Take into account that the Process memory size value in the Relay config settings has to be lower than the process heap size defined here. Check Customizing In-House Relay settings to learn how to modify these settings.
How to avoid UDP data loss
UDP loss cannot be completely avoided because UDP is an unreliable protocol. For this reason, TCP should always be the preferred way to send data to the relay. If there is no other choice, there are certain parameters that you can change in the OS to improve the situation.
Increase the maximum receive buffer to 500MB
Increase the UDP receive buffer sizes to at least 16MB
Edit the relay rules where UDP traffic is going to be sent and increase the UDP receive buffer sizes to at least 16MB. You may need to set bigger buffer sizes in order to not lose events, depending on the number of EPS sent to the relay and the average size of the events.
In a high traffic environment, a buffer size up to 256MB may be necessary.
You can monitor UDP packet loss using the following command:
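The script below is an added example, not a command from the Devo documentation. It shows one way to quantify UDP loss by comparing two snapshots of the Linux kernel counters in /proc/net/snmp. The function names udp_counter and udp_loss_report are hypothetical, and the counter values in the two sample snapshots are constructed.

```shell
#!/bin/sh
# Added example (not from the Devo docs): measure UDP datagrams dropped
# because a socket receive buffer was full, from /proc/net/snmp counters.

# Print counter $2 from the "Udp:" header/value row pair in snapshot file $1.
udp_counter() {
    awk -v want="$2" '
        $1 == "Udp:" && !seen { for (i = 2; i <= NF; i++) col[$i] = i; seen = 1; next }
        $1 == "Udp:" && seen  { if (want in col) print $(col[want]); exit }
    ' "$1"
}

# Compare snapshots $1 (before) and $2 (after): datagrams delivered,
# datagrams dropped on a full receive buffer, and the loss percentage.
udp_loss_report() {
    rx=$(( $(udp_counter "$2" InDatagrams) - $(udp_counter "$1" InDatagrams) ))
    drop=$(( $(udp_counter "$2" RcvbufErrors) - $(udp_counter "$1" RcvbufErrors) ))
    awk -v rx="$rx" -v drop="$drop" 'BEGIN {
        total = rx + drop
        pct = (total > 0) ? 100 * drop / total : 0
        printf "received=%d dropped=%d loss_pct=%.2f\n", rx, drop, pct
    }'
}

# Constructed snapshots in /proc/net/snmp layout (all values are made up).
# The UdpLite rows are included to show that the parser skips them.
sample_dir=$(mktemp -d)
cat > "$sample_dir/before" <<'EOF'
Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors InCsumErrors IgnoredMulti
Udp: 1000000 12 40 5000 40 0 0 0
UdpLite: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors InCsumErrors IgnoredMulti
UdpLite: 0 0 0 0 0 0 0 0
EOF
cat > "$sample_dir/after" <<'EOF'
Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors InCsumErrors IgnoredMulti
Udp: 1190000 12 10040 5100 10040 0 0 0
UdpLite: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors InCsumErrors IgnoredMulti
UdpLite: 0 0 0 0 0 0 0 0
EOF

udp_loss_report "$sample_dir/before" "$sample_dir/after"
```

On a relay host, replace the constructed files with real snapshots: copy /proc/net/snmp to a file, wait a fixed interval under normal load, copy it again, and pass both files to udp_loss_report. A dropped count that keeps rising between snapshots indicates that the receive buffers are still too small for the incoming event rate.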
Uninstalling the relay
apt-get purge devo-scoja-relay
Useful commands for testing high-availability
Here are a few Linux commands that can be useful when working with the relay or troubleshooting problems with a high-availability configuration.
|View the list of IP addresses assigned to the relay|
|Monitor the system logs for Keepalived activity|
|View the 100 most recent system events for Keepalived activity|
|Restart the Keepalived service|
|Reboot one relay system to test failover to the other relay|