sync question, feature request
hello again (sorry if I start to irk you :-),

I'm a little bit irritated about the sync option. As I understood it from the docs (my tests confirmed them), syslog-ng holds up to n lines in a buffer before they get written down to disk. However, what happens if a machine dies and the buffer on the logging server isn't full yet? I'm not quite sure, but what would happen to the data in the buffer? I didn't test it, but I think time_reap() would catch this and close the file after m minutes.

However, imagine the following situation: you've got a central logging host and you know that an intruder is working right at the moment on that machine; seconds later the machine dies and you want to know what the last syslog message was. In this case one would have to wait till syslog-ng closes that file. It would be nice to have a handler or a command line argument to make syslog-ng write down all current buffers to disk.

I've got another question. I haven't really looked at the 1.5 tree yet, but I think about making a patch to syslog-ng which would include the strftime functions. I want to be able to use things like $Y/$m/$d in the destination file path; this would effectively eliminate log rotation scripts. Is there such an effort already in work or is this feature planned?

--
Regards,
Wiktor Wodecki
Unix-Administration
Wapme Systems AG
hi,

Wiktor Wodecki wrote:

> hello again (sorry if I start to irk you :-),
>
> I'm a little bit irritated about the sync option. As I understood it from the docs (my tests confirmed them), syslog-ng holds up to n lines in a buffer before they get written down to disk. However, what happens if a machine dies and the buffer on the logging server isn't full yet? I'm not quite sure, but what would happen to the data in the buffer? I didn't test it, but I think time_reap() would catch this and close the file after m minutes. However, imagine the following situation: you've got a central logging host and you know that an intruder is working right at the moment on that machine; seconds later the machine dies and you want to know what the last syslog message was. In this case one would have to wait till syslog-ng closes that file. It would be nice to have a handler or a command line argument to make syslog-ng write down all current buffers to disk.

In the case you specify, you want sync(0) to write everything immediately. The sync option is mainly to lighten the load on the server. If there is an intruder on your machine, you can't trust the logs anyway. In that case, you want some type of central logging server. That way, you have a known good copy of the logs on another machine. Setting up a central logging host has some other advantages too. I could see the error messages from an SGI with a dying hard drive. This helped greatly with diagnosing the problem. Obviously, if I hadn't had the logging server, I couldn't have seen those messages because of the dead hard drive. In addition, if all of your hosts log to one file, then it's very easy to see certain types of scans, such as someone scanning the whole subnet for machines with anonymous ftp open.

> I've got another question. I haven't really looked at the 1.5 tree yet, but I think about making a patch to syslog-ng which would include the strftime functions. I want to be able to use things like $Y/$m/$d in the destination file path; this would effectively eliminate log rotation scripts. Is there such an effort already in work or is this feature planned?

There already is something similar, I think it's $MONTH, $DAY, and $YEAR. Use it in the destination statement.
Jason Edgecombe
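As an added example (not from this thread or from the syslog-ng project itself), here is a configuration for the central logging host that applies both answers above: sync(0) so that no message from a client sits in an unwritten buffer when something dies, and file destinations built from $HOST, $YEAR, $MONTH and $DAY so that new files simply appear each day and no log rotation script has to rename or reopen anything. The option names are those of the syslog-ng 1.x/2.x era this thread belongs to; the /var/log/hosts and /var/log/all paths, the owner/group values and the "all hosts in one file" destination are made up for the example.

```conf
# Added example config for a central syslog-ng log host.
# Assumes syslog-ng 1.x/2.x option names (in 3.x, sync() was renamed flush_lines()).
# Paths, owner/group and directory layout are made up.

options {
    # sync(100);      # buffered: up to 100 lines can sit unwritten in syslog-ng
    sync(0);          # write every message to its file as soon as it arrives
    create_dirs(yes); # create the $YEAR/$MONTH/$DAY directories on the fly
    keep_hostname(yes); # keep the hostname the client put in the message
    use_dns(no);      # don't block the log host on reverse lookups
};

# Messages sent by the other machines on the network
source s_net { udp(ip(0.0.0.0) port(514)); };

# The log host's own messages, so they can be told apart from client traffic
source s_local { unix-stream("/dev/log"); internal(); };

# One file per client host per day. At midnight the macros change value,
# syslog-ng opens a new file, and the old one is left alone (no rotation needed).
destination d_hosts {
    file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/messages"
         owner("root") group("adm") perm(0640));
};

# Everything from every host in one daily file, which makes a subnet-wide
# scan (the same probe hitting host after host) easy to spot with grep.
destination d_all {
    file("/var/log/all/$YEAR-$MONTH-$DAY.log"
         owner("root") group("adm") perm(0640));
};

log { source(s_net);   destination(d_hosts); destination(d_all); };
log { source(s_local); destination(d_hosts); };
```

Two things worth keeping in mind with this layout. sync(0) only empties syslog-ng's own buffer into the file; whether the kernel has pushed the page cache to the platter is a separate question, so a power loss on the log host itself can still cost the last few seconds (syslog-ng 3.x adds an fsync() file option for that case). And because the client's messages leave the client before anything is written locally, the copy on this host is the one to read after a client dies or is tampered with; the dated directories also make it obvious when a host's stream simply stops.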