matthew.copeland@honeywell.com on Fri 6/10 08:34 -0500:
That would be great. The big thing they seem to be harping on is that using TCP over UDP in the syslog will make it much slower, since we have to use TCP for the transmissions.
For system logs, I'll take slowness over lack of reliability any day. Sure, if your network people have their shit together, you can rest with a pretty good idea that you won't have any UDP packets dropped on your own networks. Still, that's not a guarantee, which TCP gives. But try routing from your WAN sites with UDP, or worse, from remote VPN sites that have to route over the Internet. TCP is a big win here if you want all your log packets. Why the original UNIX syslog started with UDP is beyond my comprehension. Here we have logs which may or may not be *critical* in the case of intrusion attempts or other problems where missing log messages would be a disaster. And unless you are running at modem speeds or something (in which case you'd *have* to use TCP anyways or you'd have tons of lost messages), who cares about the additional overhead of TCP...this isn't NFS we're talking about; we're not at the races. We're trying to piece together what went wrong.
I am assuming that someone here will know this. When you use TCP logging for remote syslog-ng, does it keep the TCP connection open, or does it initiate a new connection each time a message is posted?
Yes, it does keep the connection open until it detects that the remote has closed the connection, and then it will re-connect.
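An added example, not code from the thread or from syslog-ng itself: a minimal Python sender that behaves the way the answer above describes (one TCP connection held open, a new connection only after the peer's close is detected), driven against a constructed local collector that hangs up after every two messages, as a restarted log host would. The collector, the message texts and the line-per-message framing are all constructed for the demo; everything runs on loopback.

```python
import select, socket, threading

def frame(msg):
    """Classic syslog-over-TCP framing: one message per line (RFC 6587 non-transparent framing)."""
    return msg + b"\n"

class TcpSyslogSender:
    """Keeps one TCP connection open; reconnects only after noticing the peer closed it."""
    def __init__(self, host, port):
        self.addr, self.sock, self.connects = (host, port), None, 0
    def _peer_closed(self):
        # A readable socket that yields EOF (or an error) means the collector hung up.
        readable, _, _ = select.select([self.sock], [], [], 0.01)
        try:
            return bool(readable) and self.sock.recv(1, socket.MSG_PEEK) == b""
        except OSError:
            return True
    def send(self, msg):
        if self.sock is None or self._peer_closed():
            if self.sock:
                self.sock.close()
            self.sock = socket.create_connection(self.addr, timeout=2)
            self.connects += 1
        self.sock.sendall(frame(msg))

def start_collector(close_after):
    """Constructed log host: reads close_after lines per connection, then hangs up (like a restart)."""
    srv, received, hung_up = socket.create_server(("127.0.0.1", 0)), [], threading.Event()
    def serve():
        while True:
            conn, _ = srv.accept()
            with conn, conn.makefile("rb") as f:
                for _ in range(close_after):
                    if not (line := f.readline()):
                        break
                    received.append(line.rstrip(b"\n"))
            hung_up.set()                      # connection gone: sender must reconnect
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], received, hung_up

# Constructed sample messages (not real log data).
MESSAGES = [b"<86>sshd[101]: Failed password for root", b"<86>sshd[101]: Failed password for root",
            b"<86>sshd[102]: Accepted publickey for alice", b"<38>su: session opened for user root"]

def demo():
    port, received, hung_up = start_collector(close_after=2)
    sender = TcpSyslogSender("127.0.0.1", port)
    for i, msg in enumerate(MESSAGES):
        if i == 2:                             # collector dropped the link after two messages
            hung_up.wait(2); hung_up.clear()
        sender.send(msg)
    hung_up.wait(2)                            # second connection closes after two more
    return sender.connects, received
```

`demo()` returns the number of connections the sender had to open (two: the original plus one reconnect) and the messages the collector received, all four in order and none lost across the hang-up.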