Log index rate in multi log server environment

OCD_Michael · ‎2023-04-03

Hello,

We have a multi log server environment, I am trying to identify the cause of an issue with log indexing performance. When I check the rate of the logs being received and the indexing rate, I have something I do not understand. On the dedicated log servers there indexing rate is similar to the rate of logs being received:

Log Server 1:

[Expert@Log-Server-1]# cpstat ls -f logging | grep "Log Receive Rate"
Log Receive Rate: 2040
Log Receive Rate Peak: 7959
Log Receive Rate Last 10 Minutes: 2206
Log Receive Rate Last Hour: 3017
|Name |State |Last Login Time |Log Receive Rate|
[Expert@Log-Server-1]# cpstat ls -f indexer | grep Indexed
Total Updates and Logs Indexed Errors: 48017
Updates and Logs Indexed Rate: 2238
Updates and Logs Indexed Rate (10min): 2206
Updates and Logs Indexed Rate (60min): 3034
Updates and Logs Indexed Rate Peak: 9100
[Expert@Log-Server-1]#

Log Server 2:

[Expert@Log-Server-2]# cpstat ls -f logging | grep "Log Receive Rate"
Log Receive Rate: 2400
Log Receive Rate Peak: 41840
Log Receive Rate Last 10 Minutes: 2466
Log Receive Rate Last Hour: 3195
|Name |State |Last Login Time |Log Receive Rate|
[Expert@Log-Server-2]# cpstat ls -f indexer | grep Indexed
Total Updates and Logs Indexed Errors: 44016
Updates and Logs Indexed Rate: 2452
Updates and Logs Indexed Rate (10min): 2471
Updates and Logs Indexed Rate (60min): 3198
Updates and Logs Indexed Rate Peak: 10042
[Expert@Log-Server-2]#

When I check on the management server (It also handles a few logs), the indexing rate is very high:

[Expert@Management]# cpstat mg -f log_server | grep "Log Receive Rate"
Log Receive Rate: 410
Log Receive Rate Peak: 52850
Log Receive Rate Last 10 Minutes: 417
Log Receive Rate Last Hour: 790
|Name |State |Last Login Time |Log Receive Rate|
[Expert@Management]# cpstat mg -f log_server | grep "Log Receive Rate" indexer | grp ep Indexed
Total Updates and Logs Indexed: 58609391
Total Updates and Logs Indexed Errors: 84000
Updates and Logs Indexed Rate: 2816
Updates and Logs Indexed Rate (10min): 2958
Updates and Logs Indexed Rate (60min): 3927
Updates and Logs Indexed Rate Peak: 11341
[Expert@Management]#

Is the indexing rate on the management server a sum of the indexing rate on all 3 servers? or is it a sign that the management server has an indexing issue, as the indexing rate is 7 x the log receive rate.

Many thanks,

Michael

_Val_ · ‎2023-04-05

Please open a TAC case: https://help.checkpoint.com

Are you a member of CheckMates?

Log index rate in multi log server environment