[syslog-ng] Using syslog-ng for NAS
Balazs Scheidler
bazsi@balabit.hu
Mon, 11 Oct 1999 22:27:08 +0200
Hi,
> The Balabit syslog-ng can be relaying UDP to TCP.
>
> source and destination syntax eg.)
> Syntax: udp <ipaddr>,<port>;
> Sends messages to the given host & port using UDP datagrams.
> Example: udp 193.6.40.37,514;
>
> Is it the best for this situation ?
It depends on which version you are talking about. Version 1.0.x defined the
UDP destination exactly as you wrote above, but 1.1.xx uses a new syntax:
udp(<hostname> port(<udpport>));
>
> (1) old syslogd style
>
> [NAS]........UDP.........................
> .<Drop!>
> [NAS]........UDP.........................[Syslog]----IO->(Disk)
> .<Drop!>
> [NAS]........UDP.........................
>
> NAS: Network Access Server
>
> (2) using syslog-ng
>
> <Buffered?+Relay!>
> vvvvvvvvv
> [NAS]........UDP..[Syslog-ng]______TCP___
> . \
> [NAS]........UDP. [Syslog-ng]--IO->(Disk)
> ______ ___/
> [NAS]........UDP..[Syslog-ng] TCP
> ^^^^^^^^^
> <Buffered?+Relay!>
>
> It's correct?
>
> I want to understand that cause of dropping UDP on syslog.
> (the cause is the UDP stack on kernel(OS)?)
UDP by definition is a connectionless protocol, and it's possible that
packets get lost while transmission. If syslog-ng is put directly beside the
NAS (e.g. same ethernet segment) and log traffic is relayed using a TCP
connection, it may help. But the buffers in syslog-ng are not unlimited, so
if your network segment is overloaded, TCP transport will not help, and even
may make the situation worse.
--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
url: http://www.balabit.hu/pgpkey.txt