Generating syslog network load

Recently we've been experimenting with logging solutions at work. We'd like to have an indication of what our current setup is capable of handling in terms of log volume.

My first idea was to whip up a quick Perl script that simply uses Sys::Syslog to dump Shakespeare's works into the logging setup. That worked quite nicely but it's a limited test case.

I wanted something that is more flexible. Enter logload. Logload uses a simple pattern language to generate syslog lines and adds rate limiting on top.

Syslog Patterns

Logload supports a simple pattern language. The logload tool reads a pattern, interprets it and then generates the corresponding output. Logload will make the following substitutions:

  • a quoted string "foo", which is printed as is
  • a group of quoted strings [ "foo", "bar", ... ] which will select one of these strings at random
  • the plain string randword which will select a random word from the included dictionary
  • the plain string timestamp which will print the current timestamp in ISO format
  • all of these should be placed in a list ( [ "foo", "bar"], "=", ["1", "2"], ... ) whose elements will be printed according to the rules above

So the pattern ( ["foo", "bar"], "=", [ "1", "2" ]) will select randomly from foo, bar and 1, 2 and print something like bar = 1 into the syslog stream.

Actually the selection is not truly random. At parse time we randomize the list and then iterate through it, starting from the beginning and wrapping around when the end has been reached.

The keyword randword will select a random word from an included dictionary. This is nice to simulate usernames and similar things.

Use the keyword timestamp to fetch the current time in ISO format.
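
The substitution rules above, including the shuffle-once-then-wrap-around selection, as a small interpreter. This is an added example and not logload's own code. It assumes the parenthesised list form only, concatenates elements without a separator, and uses a constructed four-word list in place of the bundled dictionary; `tokenize`, `compile_pattern` and `WORDS` are hypothetical names.

```python
import itertools
import random
import re
from datetime import datetime

WORDS = ["alice", "bob", "carol", "dave"]  # constructed stand-in for the dictionary
TOKEN = re.compile(r'\s*(?:"([^"]*)"|([\[\](),])|(\w+))')

def tokenize(pattern):
    """Split a pattern into (kind, value) tokens; reject unrecognised input."""
    pos, tokens, pattern = 0, [], pattern.rstrip()
    while pos < len(pattern):
        m = TOKEN.match(pattern, pos)
        if not m:
            raise ValueError(f"bad pattern at offset {pos}")
        string, punct, word = m.groups()
        if string is not None:
            tokens.append(("str", string))
        else:
            tokens.append(("punct", punct) if punct else ("word", word))
        pos = m.end()
    return tokens

def compile_pattern(pattern, rng=random):
    """Parse once; return a function that renders one log line per call."""
    tokens = tokenize(pattern)
    if tokens[:1] != [("punct", "(")] or tokens[-1:] != [("punct", ")")]:
        raise ValueError("pattern must be a parenthesised list")
    parts, i = [], 1
    while i < len(tokens) - 1:
        kind, value = tokens[i]
        if kind == "str":
            parts.append(lambda v=value: v)           # printed as is
        elif (kind, value) == ("punct", "["):
            end = tokens.index(("punct", "]"), i)     # ValueError if unclosed
            choices = [v for k, v in tokens[i + 1:end] if k == "str"]
            if not choices:
                raise ValueError("empty group")
            rng.shuffle(choices)                      # randomised once, at parse time
            parts.append(itertools.cycle(choices).__next__)  # then wraps around
            i = end
        elif (kind, value) == ("word", "randword"):
            parts.append(lambda: rng.choice(WORDS))
        elif (kind, value) == ("word", "timestamp"):
            parts.append(lambda: datetime.now().isoformat())
        elif (kind, value) != ("punct", ","):
            raise ValueError(f"unexpected token {value!r}")
        i += 1
    return lambda: "".join(p() for p in parts)
```

Because each group is cycled rather than sampled, a two-element group alternates strictly, so a receiver sees a fixed repeating sequence rather than independent draws.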

Throughput

To control how many loglines are output per second you can use the -r option of logload. This accepts the number of loglines per second that will be sent.

Throughput control is implemented with a simple leaky bucket algorithm that tries to reach the defined number of lines. The algorithm has a very low time granularity so output may be a bit bursty.

Usage & examples

Command line arguments:

  • -H specifies the target host, default is localhost, i.e. -H localhost
  • -p specifies the port to send on, default is 514
  • -l specifies the logline/pattern to send
  • -r rate specifies the rate in lines per second, defaults to 1000

Some examples:

  • logload -l '(["INFO", "DEBUG"], ": foobar user ", randword, "logged in")'

  • logload -l 'yada yada' -H logger -p 1544

  • logload -l '("<13>", timestamp, " mymachine ", ["postmaster[14333]", "httpd[17663]"], ": Oww, i must terminate!")'

Limitations

  • currently only plain syslog connections, no GELF or similar
  • currently only TCP and no UDP protocol support
  • currently no SSL

Getting Logload

Logload is available from my GitHub repository or simply do a pip install logload.
