[syslog-ng] Idea for streaming logs to my workstation as well as logserver

Hari Sekhon hpsekhon at googlemail.com
Sun Oct 29 18:19:39 CET 2006


I have a cunning idea.

When I first set up a logserver, I also had it log to tty12, and a
monitor next to my desk of the server with the network logs streaming
down the screen. This was very interesting and I managed to pick up
quite a lot about my network by noticing when a sudden screen full of
information would whizz by instead of the usual incremental logs
coming in.

I would like to implement something similar by having the logserver
also send on its logs to my Linux workstation by way of UDP. I could
then have my local syslog-ng listen for this UDP and write it to a
pipe (similar to the way you integrate MySQL with syslog-ng). I would
then like to have root-tail read from this pipe and output to my X
background so that I have a continuous stream of network logs in the
background.

Are there any pitfalls that you can think of when doing this? I don't
think this will risk filling up the bit bucket on the logserver since
the logs are immediately sent on via udp, "spray and pray". If they
don't get to my workstation for any reason, no harm done, it won't
clog up the logserver.

I guess the root-tail will take a bit out of my workstation having to
draw on the X background all the time but it's a fast machine.

I believe that it would block my local syslog-ng on my workstation if
the root-tail were to stop reading from it. Which brings me to my next
question:

Is it better to do

root-tail /var/log/logstream.pipe

or

root-tail - < /var/log/logstream.pipe

Since I'm not sure that the first will take the actual throughput away
from the pipe to stop the logger from blocking on the sending side.

Also, this would require that my X session not be closed, otherwise
the root-tail wouldn't be able to run to take away the logs from the
other side of the pipe and the local logger would block again.

All feedback welcome.

Thanks.

-h

--
Hari Sekhon
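
The named-pipe behaviour this post asks about, shown at the OS level as an added example (not part of the original post and not syslog-ng's own code): it records what a writer sees when no reader is attached, when the reader stops reading, and when the reader exits. The temporary logstream.pipe, the sample line and the choice of a non-blocking writer are assumptions; how a particular logger opens its pipe is not shown here.

```python
import errno
import os
import tempfile

LINE = b"<13>host test: constructed sample log line\n"  # constructed input

def fifo_writer_states():
    """Record what a non-blocking FIFO writer sees in each reader state."""
    seen = {}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "logstream.pipe")  # stand-in for the post's pipe
        os.mkfifo(path)
        # 1. No reader has the FIFO open: a non-blocking open for write fails.
        try:
            os.close(os.open(path, os.O_WRONLY | os.O_NONBLOCK))
            seen["no_reader"] = "opened"
        except OSError as exc:
            seen["no_reader"] = errno.errorcode[exc.errno]
        # 2. Reader holds it open but has stopped reading: kernel buffer fills.
        rfd = os.open(path, os.O_RDONLY | os.O_NONBLOCK)
        wfd = os.open(path, os.O_WRONLY | os.O_NONBLOCK)
        buffered = 0
        try:
            while True:
                buffered += os.write(wfd, LINE)
        except BlockingIOError:
            seen["stalled_reader"] = "EAGAIN"  # a blocking writer would hang here
        seen["buffered_bytes"] = buffered
        # 3. Reader resumes and drains the backlog: writes succeed again.
        drained = 0
        try:
            while True:
                drained += len(os.read(rfd, 65536))
        except BlockingIOError:
            pass  # FIFO is empty while the writer is still attached
        seen["drained_bytes"] = drained
        seen["write_after_drain"] = os.write(wfd, LINE)
        # 4. Reader exits (e.g. the X session closes): the next write gets EPIPE.
        os.close(rfd)
        try:
            os.write(wfd, LINE)
            seen["reader_gone"] = "written"
        except BrokenPipeError:
            seen["reader_gone"] = "EPIPE"
        os.close(wfd)
    return seen

if __name__ == "__main__":
    print(fifo_writer_states())
```

The buffered_bytes figure is the kernel pipe capacity on the machine where it runs, which is all the slack a stalled reader gets before the writer is refused or blocked.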

