docs: Add additional information regarding performance fine-tuning (#2833)

* docs: Add additional information regarding performance fine-tuning

* docs: Revert removing SC4S_DEST_SPLUNK_HEC_DEFAULT_WORKERS

* docs: Change Performance note

* docs: Add information about disk buffering

* docs: simplify fine-tune section

* docs: Suggested changes

* docs: Add note formating

* docs: Fix spaces in notes

* docs: Enhance section headers in fine-tuning.md

docs: Updated formatting for sections on UDP socket behavior.

* docs: Suggested changes

---------

Co-authored-by: JustynaPe <jpatosz@cisco.com>

Author: Kawron

docs/architecture/fine-tuning.md

@@ -0,0 +1,209 @@
+# Finetune SC4S
+
+This section provides guidance on improving SC4S performance by tuning configuration settings.
+
+You can apply these settings to your infrastructure to improve SC4S performance. After making adjustments, run the [performance tests](performance-tests.md#check-your-tcp-performance) and retain the changes that result in performance improvements.
+
+## Disable features that reduce performance
+
+Some SC4S features may negatively impact performance. If you experience performance issues, consider disabling some of the settings like **name cache** and **message grouping**:
+
+Edit `/opt/sc4s/env_file`:
+
+```bash
+SC4S_USE_NAME_CACHE=no
+SC4S_SOURCE_VMWARE_VSPHERE_GROUPMSG=no
+```
+
+Restart SC4S for the changes to take effect.
+
+## Dedicated sc4s instances
+
+If one of the logs sources produces a large percentage of the overall traffic, create an additional dedicated sc4s service on a separate host.
+
+## Tune the receiving buffer
+
+Increasing the receive buffer allows the kernel to queue more incoming data before the application processes it, reducing packet loss during traffic bursts. This requires changes at both the OS level and within SC4S. Start turning the receiving buffer with increasing the kernel buffer OS limits. Perform the following steps to change the buffer size:
+
+1. Edit `/etc/sysctl.conf` and set the receive buffer size to 512 MB:
+
+```bash
+net.core.rmem_default = 536870912
+net.core.rmem_max = 536870912
+```
+
+2. Apply the changes:
+
+```bash
+sudo sysctl -p
+```
+
+Next configure SC4S to use the larger buffer:
+
+1. Add the following line to `/opt/sc4s/env_file`:
+
+```bash
+SC4S_SOURCE_TCP_SO_RCVBUFF=536870912
+```
+
+2. Apply the same buffer tuning to each syslog transport you have enabled:
+
+```bash
+SC4S_SOURCE_TCP_SO_RCVBUFF=536870912       # Generic syslog over TCP
+SC4S_SOURCE_UDP_SO_RCVBUFF=536870912       # Generic syslog over UDP
+SC4S_SOURCE_RFC5426_SO_RCVBUFF=536870912   # RFC 5426 (syslog over UDP)
+SC4S_SOURCE_RFC6587_SO_RCVBUFF=536870912   # RFC 6587 (syslog over TCP)
+SC4S_SOURCE_RFC5425_SO_RCVBUFF=536870912   # RFC 5425 (syslog over TLS)
+```
+
+3. Restart SC4S for the changes to take effect.
+
+### Additional considerations
+
+- **Sending buffer:** In rare cases, you may also need to increase the sending buffer size by modifying `net.core.wmem_max` and `net.core.wmem_default` using the same approach.
+- **Buffer size limits:** Setting buffers too large can actually decrease performance. Start with the recommended values and adjust based on your testing results.
+- **Hardware constraints:** Network driver limitations should be considered when tuning these values. Consult your NIC documentation for maximum supported buffer sizes.
+
+## Tune static input window size
+
+Input window provides flow‑control at the application level. Syslog‑ng uses this feature to temporarily buffer messages when outputs are slow. The mechanism works by pulling messages from the kernel’s receive buffer and placing them into an application buffer.
+
+- The window size defines how many messages this internal buffer can hold.
+- Each message fetched from the kernel buffer increases the window counter.
+- Each message successfully forwarded to the output decreases the counter.
+
+To change the window size, modify the following options in `/opt/sc4s/env_file`:
+
+**for TCP**:
+
+```bash
+SC4S_SOURCE_TCP_IW_SIZE=1000000
+```
+
+**for UDP**:
+
+```bash
+SC4S_SOURCE_UDP_IW_USE=yes 
+SC4S_SOURCE_UDP_IW_SIZE=1000000
+```
+
+Restart SC4S for the changes to take effect.
+
+In the example above, the input window can store up to **1,000,000 messages**. Note that increasing the window size will increase the application's memory usage.
+
+For **UDP**, if the output becomes slow and this window fills up, syslog‑ng will stop reading from the kernel buffer. As a result, the kernel buffer will begin to fill, and once it becomes full, **incoming UDP packets will be dropped** by the kernel.
+
+A single UDP message can be up to approximately 1 KB. With a window size of 1,000,000 messages, this may require up to **1 GB** of additional memory for buffering.
+
+### Fetch limit
+
+When increasing the input window size, you may also need to increase the **fetch limit**. The fetch limit controls the maximum number of messages retrieved from the source in a single read operation.
+
+- **Too high**: Should not exceed the input window size, as this would fill the entire buffer in one read cycle.
+- **Too low**: Results in underutilizing the buffer capacity, requiring more read cycles to process the same volume.
+
+The default value is `1000`.
+
+## Disk buffering
+
+To prevent message loss during HEC connection outages, consider enabling [Disk Buffering](../configuration.md#configure-your-sc4s-disk-buffer). This feature temporarily stores messages on disk when the destination is unavailable.
+
+## Switch to SC4S Lite
+
+Parsing syslog messages can be a CPU-intensive task. During the parsing process, each syslog message goes through multiple parsing rules until a match is found. Some log messages follow longer parsing paths than others, and some parsers use regular expressions, which can be slow.
+
+If you are familiar with your log sources, consider performing an A/B test and switching to SC4S Lite, which includes only the parsers for the vendors you require. Although artificial performance tests may not fully reflect the impact of this change, you may observe an increase in the capacity of your syslog layer when operating with real-world data.
+
+## Finetune for UDP traffic
+
+### Tested configuration:
+- **Loggen** - c5.2xlarge
+- **SC4S** (3.29.0) + podman - c5.4xlarge
+- **Splunk Cloud** 9.2.2403.105 - 30IDX
+
+!!! note "Note"
+    Performance may vary depending on a version and specifics of your environment.
+
+| Setup for 67,000 EPS (Events per Second) | % Loss |
+|------------------------------------------|--------|
+| Default                                  | 77.88  |
+| OS Kernel Tuning                         | 24.38  |
+| Increasing the Number of UDP Sockets     | 22.95  |
+| eBPF                                     | 0      |
+
+### Increase the number of UDP sockets
+
+By default, SC4S uses a single UDP socket per port. Increasing the number of sockets allows traffic to be distributed across multiple CPU threads using the kernel's `SO_REUSEPORT` feature.
+
+**Default behavior (without eBPF)**
+
+The kernel assigns packets to sockets based on a hash of the source IP and port. This means:
+
+- **Consistent routing**: All packets from the same sender go to the same socket, preserving message order.
+- **Potential imbalance**: If a few senders generate most of the traffic, their packets may all land on the same socket, leaving other sockets underutilized.
+
+**With eBPF enabled**
+
+eBPF provides true per-packet load balancing, where each packet is randomly distributed across all sockets regardless of sender. This results in:
+
+- **Even workload**: Traffic is distributed more uniformly across CPU threads.
+- **No ordering guarantee**: Packets from the same sender may be processed out of order.
+
+**Configuration**
+
+Add the following to `/opt/sc4s/env_file`:
+
+```bash
+SC4S_SOURCE_LISTEN_UDP_SOCKETS=32
+```
+
+Set this value based on the number of CPU cores available. Start with a value equal to your 4 x core count and adjust based on performance testing. Restart SC4S for the changes to take effect.
+
+### Enable eBPF
+
+Find more in the [About eBPF](../../configuration/#about-ebpf) section.
+
+1. Verify that your host supports eBPF. 
+2. Ensure your container is running in privileged mode. 
+3. Update the configuration in `/opt/sc4s/env_file`:
+```bash
+SC4S_SOURCE_LISTEN_UDP_SOCKETS=32
+SC4S_ENABLE_EBPF=yes
+SC4S_EBPF_NO_SOCKETS=32
+```
+4. Restart SC4S for the changes to take effect.
+
+## Finetune for TCP traffic
+
+### Tested configuration:
+- **Loggen** - c5.2xlarge
+- **SC4S** (3.29.0) + podman - c5.4xlarge
+- **Splunk Cloud** 9.2.2403.105 - 30IDX
+
+!!! note "Note"
+    Performance may vary depending on a version and specifics of your environment.
+
+| Setting                       | EPS (Events per Second) |
+|-------------------------------|-------------------------|
+| default                       | 71,327                  |
+| SC4S_SOURCE_TCP_SO_RCVBUFF     | 99,207                  |
+| SC4S_ENABLE_PARALLELIZE        | 101,700                 |
+| SC4S_SOURCE_TCP_IW_USE         | 115,276                 |
+
+### Parallelize TCP processing
+1. Update `/opt/sc4s/env_file`:
+
+```
+SC4S_ENABLE_PARALLELIZE=yes
+SC4S_PARALLELIZE_NO_PARTITION=4
+```
+
+2. Restart SC4S for the changes to take effect.
+
+Parallelize distributes messages from a single TCP stream across multiple concurrent threads, which is noticeable in production environments with a single high-volume TCP source.
+
+| SC4S parallelize    | Loggen TCP connections         | % CPUs used | Average rate (msg/sec) |
+|---------------------|--------------------------------|------------|------------------------|
+| off                 | 1                              |     9.0    |         14,144.10      |
+| off                 | 10                             |    59.3    |         73,743.32      |
+| on (10 threads)     | 1                              |    58.4    |         77,842.18      |

docs/architecture/lb/f5.md

@@ -5,7 +5,8 @@ If you're using F5 BIG-IP for syslog ingestion, consider the following:
 - **UDP limitations**: UDP is a protocol prone to data loss, and load balancers can introduce another point of data loss.
 - **High Availability (HA) mode**: Running the load balancer without HA makes it a single point of failure.
 
-**Note**: Splunk only supports SC4S. If you encounter issues related to the load balancer, please contact F5 support.
+!!! note "Note"
+    Splunk only supports SC4S. If you encounter issues related to the load balancer, please contact F5 support.
 
 ## Set up your F5 BIG-IP
 F5 BIG-IP is available in both hardware and virtual editions. This documentation assumes you already have a functioning F5 instance. If you need help with your F5 instance, see [external resource](https://clouddocs.f5.com/cloud/public/v1/aws/AWS_singleNIC.html).
@@ -139,12 +140,16 @@ Follow the [Check TCP Performance](../performance-tests.md#check-your-tcp-perfor
 - **SC4S Instances**: `c5.4xlarge`  
 - **F5 Instance**: `r5.8xlarge, 32vCPU, 256GiB Memory, 10Gbps Network Performance`  
 
+!!! note "Note"
+    Performance may vary depending on a version and specifics of your environment.
+
 | Receiver                   | Performance        |
 |----------------------------|--------------------|
 | Single SC4S Server         | 69,192.11 msg/sec  |
 | Load Balancer + 2 Servers  | 93,832.33 msg/sec  |
 
-**Note:** Load balancer support and fine-tuning are beyond the scope of the SC4S team. For assistance in optimizing the TCP throughput of your load balancer instance, contact the F5 support team.
+!!! note "Note"
+    Load balancer support and fine-tuning are beyond the scope of the SC4S team. For assistance in optimizing the TCP throughput of your load balancer instance, contact the F5 support team.
 
 ## Stateless Virtual Server for UDP  
 UDP syslog traffic is unacknowledged and unidirectional by design. To preserve the source IP for UDP ports, configure [stateless virtual servers](https://my.f5.com/manage/s/article/K13675).
@@ -200,11 +205,15 @@ Follow the [Check UDP Performance](../performance-tests.md#check-your-udp-perfor
 - **SC4S Instances**: `c5.4xlarge`  
 - **F5 Instance**: `r5.8xlarge, 32vCPU, 256GiB Memory, 10Gbps Network Performance`  
 
-| Receiver / Drops Rate for EPS (msgs/sec) | 4,500  | 9,000  | 27,000 | 50,000 | 150,000 |
+!!! note "Note"
+    Performance may vary depending on a version and specifics of your environment.
+
+| Receiver / Drops rate for EPS (msgs/sec) | 4,500  | 9,000  | 27,000 | 50,000 | 150,000 |
 |------------------------------------------|--------|--------|--------|--------|---------|
 | Single SC4S Server                       | 0%  | 0.34%  | 58.89% | 78.30% |    92.19%   |
 | Load Balancer + 2 Servers                | 0%     | 0%  | 15.66%  | 54.44% |    84.16%   |
 | Single Finetuned SC4S Server             | 0%     | 0%     | 0%     | 0%     |  48.62% |
 | Load Balancer + 2 Finetuned Servers      | 0%  | 0%  | 0.002%  | 0.05%  |  0.03%  |
 
-**Note:** Load balancer support and fine-tuning are beyond the scope of the SC4S team. For assistance in minimizing UDP drops on the load balancer side, please contact the F5 support team. 
+!!! note "Note"
+    Load balancer support and fine-tuning are beyond the scope of the SC4S team. For assistance in minimizing UDP drops on the load balancer side, please contact the F5 support team. 

docs/architecture/lb/nginx.md

@@ -146,6 +146,9 @@ echo "11 hello world" | netcat <LB_IP> 601
 
 3. Run performance tests based on the [Check TCP Performance](performance-tests.md#check-your-tcp-performance) section.
 
+!!! note "Note"
+    Performance may vary depending on a version and specifics of your environment.
+
 | Receiver                   | Performance        |
 |----------------------------|--------------------|
 | Single SC4S Server         | 71,738.98 msg/sec  |
@@ -242,7 +245,10 @@ echo "hello world" > /dev/udp/<LB_IP>/514
 
 2. Run performance tests:
 
-| Receiver / Drops Rate for EPS (msgs/sec) | 4,500  | 9,000  | 27,000 | 50,000 | 150,000 | 300,000 |
+!!! note "Note"
+    Performance may vary depending on a version and specifics of your environment.
+
+| Receiver / Drops rate for EPS (msgs/sec) | 4,500  | 9,000  | 27,000 | 50,000 | 150,000 | 300,000 |
 |------------------------------------------|--------|--------|--------|--------|---------|---------|
 | Single SC4S Server                       | 0.33%  | 1.24%  | 52.31% | 74.71% |    --   |    --   |
 | Load Balancer + 2 Servers                | 1%     | 1.19%  | 6.11%  | 47.64% |    --   |    --   |

docs/architecture/performance-tests.md

@@ -54,14 +54,16 @@ Here is a reference example of performance testing using our lab configuration o
 ### Tested configuration
 * Loggen (syslog-ng 3.25.1) - m5zn.3xlarge
 * SC4S(2.30.0) + podman (4.0.2) - m5zn family
-* SC4S_DEST_SPLUNK_HEC_DEFAULT_WORKERS=10 (default)
 * Splunk Cloud Noah 8.2.2203.2 - 3SH + 3IDX
 
 ### Command
 ```bash
 /opt/syslog-ng/bin/loggen -i --rate=100000 --interval=1800 -P -F --sdata="[test name=\"stress17\"]" -s 800 --active-connections=10 <local_hostmane> <sc4s_external_tcp514_port>
 ```
 
+!!! note "Note"
+    Performance may vary depending on a version and specifics of your environment.
+
 | SC4S instance | root networking                                                                                                     | slirp4netns networking                                                                                                |
 |---------------|---------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
 | m5zn.large    | average rate = 21109.66 msg/sec, count=38023708, time=1801.25, (average) msg size=800, bandwidth=16491.92 kB/sec    | average rate = 20738.39 msg/sec, count=37344765, time=1800.75, (average) msg size=800, bandwidth=16201.87 kB/sec      |
@@ -74,6 +76,9 @@ Comparing loggen results can be sufficient for A/B testing, but is not adequate
 
 In the following example, loggen was able to send 4.3 mln messages in one minute; however, Splunk indexers required an additional two minutes to process these messages. During that time, SC4S processed the messages and stored them in a queue while waiting for the HEC endpoint to accept new batches.
 
+!!! note "Note"
+    Performance may vary depending on a version and specifics of your environment.
+
 | Splunk Indexers | Total Processing Time (4.3 mln messages) | Estimated Max EPS |
 |-----------------|------------------------------------------|-------------------|
 | 3               | 3 min                                    | 22K               |
@@ -100,6 +105,9 @@ Example results:
 * default configuration
 * Splunk Cloud 9.2.2403.105 - 30IDX
 
+!!! note "Note"
+    Performance may vary depending on a version and specifics of your environment.
+
 | Metric       | Default SC4S        | Finetuned SC4S      |
 |--------------|---------------------|---------------------|
 | Average Rate | 72,153.75 msg/sec   | 115,276.92 msg/sec  |
@@ -116,7 +124,10 @@ Over a span of 60 seconds, loggen will attempt to generate 20,000 logs per secon
 
 After running the command, count the number of events that reached Splunk. Since UDP is prone to data loss, messages can be lost anywhere along the path.
 
-| Receiver / Drops Rate for EPS (msgs/sec) | 4,500  | 9,000  | 27,000 | 50,000 | 150,000 |
+!!! note "Note"
+    Performance may vary depending on a version and specifics of your environment.
+
+| Receiver / Drops rate for EPS (msgs/sec) | 4,500  | 9,000  | 27,000 | 50,000 | 150,000 |
 |------------------------------------------|--------|--------|--------|--------|---------|
 | Default SC4S                             | 0.33%  | 1.24%  | 52.31% | 74.71% |    --   |
 | Finetuned SC4S                           | 0%     | 0%     | 0%     | 0%     |  47.37% |