Dear, I have Graylog 2.1.1-2 server in a Debian 8 box with 40 GB RAM and 24 CPU’s.
I have several firewalls sending their logs at about 9000 msg/sec.
I have defined a bigger heap space for JVM:
GRAYLOG_SERVER_JAVA_OPTS="-Xms12g -Xmx14g -XX:NewRatio=1 -XX:PermSize=256m -XX:MaxPermSize=512m -server -XX:+ResizeTLAB -XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled -XX:+CMSClassUnloadingEnabled -XX:+UseParNewGC -XX:-OmitStackTraceInFastThrow"
My CPU’s are at about 70%, I have 2 GB RAM free and the swap is under 5%. My disks are fast.
But usually the IN msg/sec are greater than the OUT msg/sec, and so the journal is increased along the time…and finally I have to stop the input corresponding to syslog in order empty the journal, and after that start the same input.
I think my hardware is big enough because I can’t see any warning in the resources utilization.
What can I do in order to process all the incoming messages and don’t fill the journal ???
Thanks to all.