On Thu, 2011-11-10 at 13:40 -0600, Martin Holste wrote:
> > No it doesn't. However you shouldn't use UDP for log transport. You can lose as much as 95% of it in peaks.
>
> Certainly UDP is not as reliable as TCP, but canonically saying you shouldn't use UDP seems a bit of an overstatement. We use UDP to collect > 15k logs per second and do not experience drops. Can you describe the 95% drop rates you have experienced?
Well, you need to generate a peak certainly, and once your IP receive buffer fills up, a lot of messages can be lost. Here's a tutorial by Marcus J. Ranum, who explains his findings (it's an interesting read anyway, but UDP packet loss is described in slide 33).

http://www.ranum.com/security/computer_security/archives/logging-notes.pdf

So definitely _you can_ tune UDP receive parameters to make it fine, but once there's a runaway host generating lots of logs at wire speed, message loss will always be triggered. And not to mention that people usually run it with default parameters...

--
Bazsi
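
Added example, not part of the original thread: one way to check on a Linux log collector whether the UDP receive buffer is overflowing is to compare two snapshots of /proc/net/snmp and look at how far RcvbufErrors advanced relative to InDatagrams. The snapshot text and the function names below are constructed for illustration, and delivered plus dropped is used as an approximation of the datagrams that reached the host.

```python
"""Estimate UDP receive-buffer loss from two /proc/net/snmp snapshots (Linux)."""

# Constructed samples in the /proc/net/snmp layout: a header line and a value
# line per protocol. The counters are host-wide, not per socket.
SAMPLE_BEFORE = """\
Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors InCsumErrors IgnoredMulti
Udp: 2000000 40 12 900 12 0 0 0
UdpLite: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors InCsumErrors IgnoredMulti
UdpLite: 0 0 0 0 0 0 0 0
"""
SAMPLE_AFTER = """\
Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors InCsumErrors IgnoredMulti
Udp: 2150000 40 50012 900 50012 0 0 0
UdpLite: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors InCsumErrors IgnoredMulti
UdpLite: 0 0 0 0 0 0 0 0
"""


def parse_udp_counters(snmp_text):
    """Return the 'Udp:' counters as a dict of ints (UdpLite lines are skipped)."""
    rows = [ln.split() for ln in snmp_text.splitlines() if ln.startswith("Udp:")]
    if len(rows) != 2:
        raise ValueError("expected one Udp: header line and one Udp: value line")
    header, values = rows
    return dict(zip(header[1:], map(int, values[1:])))


def udp_loss(before_text, after_text):
    """Compare two snapshots: datagrams delivered, dropped on a full buffer, loss %."""
    before = parse_udp_counters(before_text)
    after = parse_udp_counters(after_text)
    delivered = after["InDatagrams"] - before["InDatagrams"]
    dropped = after["RcvbufErrors"] - before["RcvbufErrors"]
    if delivered < 0 or dropped < 0:
        raise ValueError("counters went backwards (reboot or counter wrap)")
    total = delivered + dropped
    loss_pct = round(100.0 * dropped / total, 1) if total else 0.0
    return {"delivered": delivered, "dropped": dropped, "loss_pct": loss_pct}


if __name__ == "__main__":
    # On a real collector, read /proc/net/snmp twice, some seconds apart,
    # and pass the two strings in place of the constructed samples.
    print(udp_loss(SAMPLE_BEFORE, SAMPLE_AFTER))
```

A RcvbufErrors counter that keeps climbing during log peaks means the receiving socket's buffer is too small for the burst or the reader is too slow to drain it.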