well, you could disable syslog-ng queue, and use a destination program. So....syslog-ng get a message and send it immediatly to destination. Now with syslog-ng queue disabled, is up to you to be sure to handle and catch that message. Your program try to send it to a remote machine, if it cannot, it append it to a file. As soon as the host came back, your program ( without blocking on stdin or you will lose new messages syslog-ng is feeding ) , reads that file and sends the messages to the log host Naturally on a reboot, your program will find a non empty file, so if the host is up, it will send all the messages. This could not work if you have to handle big loads of messages or peaks... Your problem could simply be slower than syslog-ng, and lost some messages, while doing something else. I never consider too much this problem, cause I use only UDP logging...and it's well known by committent that messages could be lost. But probably I have to do a policy change, so I had to use TCP, reliability, compression and some few things. If you're interested I let you know. Amodiovalerio Verde
Ah, it sounds as though you've implemented the FIFO/buffer as a performance feature rather than as a high-availability one.
Is there any straightforward way to build a relay out of syslog-ng that offers reliable[1] forwarding of syslog information?
If not, would syslog-ng be interested in accepting a patch which added an option to make the FIFO buffer persistent?
- Raz
1: Clearly, perfect reliability is impossible; if a machine containing queued logs is physically destroyed before it gets the opportunity to deliver its logs, then they really will be lost. I am interested in reliability with respect to a temporary loss of connectivity between syslog relay and syslog collector, and a reboot of the relay during that loss of connectivity. The degree of reliability that I have in mind is comparable to that which I would expect of a mail relay; I certainly wouldn't want it throwing data away because of a reboot, but I'd accept data loss caused by physical destruction of the machine.