[syslog-ng] syslog-ng vs (of all things) Win2k + IIS

Scott McDermott mcdermot@questra.com
Fri, 6 Oct 2000 10:05:55 -0400


matthew.copeland@honeywell.com on Fri  6/10 08:34 -0500:
> That would be great.  The big thing they seem to be harping on is that
> using TCP over udp in the syslog will make it much slower, since we
> have to use TCP for the transmissions.  

For system logs, I'll take slowness over lack of reliability any day.

Sure, if your network people have their shit together, you can rest with
a pretty good idea that you won't have any UDP packets dropped on your
own networks.  Still, that's not a guarantee, which TCP gives.

But try routing from your WAN sites with UDP, or worse, from remote VPN
sites that have to route over the Internet.  TCP is a big win here if
you want all your log packets.

Why the original UNIX syslog started with UDP is beyond my
comprehension.  Here we have logs which may or may not be *critical* in
the case of intrusion attempts or other problems where missing log
messages would be a disaster.

And unless you are running at modem speeds or something (in which case
you'd *have* to use TCP anyways or you'd have tons of lost messages),
who cares about the additional overhead of TCP...this isn't NFS we're
talking about; we're not at the races.  We're trying to piece together
what went wrong.

> I am assuming that someone here will know this.  When you use tcp
> logging for remote syslog-ng, does it keep the tcp connection open, or
> does it initiate a new connection each time a message is posted?

Yes, it does keep the connection open until it detects that the remote
has closed the connection, and then it will re-connect.
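
The behaviour described in the last answer (one TCP connection held open, re-established once the sender sees that the remote closed it), as an added Python example that is not part of the original post and is not syslog-ng's code. The class `PersistentSyslogSender`, the `demo` function, the loopback receiver and the log lines are all hypothetical and constructed for illustration.

```python
import select
import socket
import threading

class PersistentSyslogSender:
    """Hypothetical sender: one long-lived TCP connection, reconnect on peer close."""
    def __init__(self, host, port):
        self.addr = (host, port)
        self.sock = None
        self.connects = 0  # how many TCP connections were opened

    def _peer_closed(self):
        # Receivers never write back: readable + EOF/error means the peer hung up.
        if not select.select([self.sock], [], [], 0)[0]:
            return False
        try:
            return self.sock.recv(1, socket.MSG_PEEK) == b""
        except OSError:
            return True

    def send(self, line):
        if self.sock is not None and self._peer_closed():
            self.sock.close()
            self.sock = None
        if self.sock is None:
            self.sock = socket.create_connection(self.addr, timeout=5)
            self.connects += 1
        self.sock.sendall(line.encode() + b"\n")  # newline-framed message

def demo():
    """Constructed loopback receiver that drops each connection after two lines."""
    srv = socket.create_server(("127.0.0.1", 0))
    received = []
    def receiver():
        for _ in range(2):
            conn, _addr = srv.accept()
            with conn, conn.makefile("r") as f:
                received.extend(f.readline().rstrip("\n") for _ in range(2))
    t = threading.Thread(target=receiver, daemon=True)
    t.start()
    s = PersistentSyslogSender(*srv.getsockname())
    for n in (1, 2, 3, 4):
        if n == 3:  # wait until the receiver's close is visible to the sender
            select.select([s.sock], [], [], 2)
        s.send(f"<38>sshd[100]: constructed message {n}")
    t.join(2)
    return s.connects, received

if __name__ == "__main__":
    print(demo())
```

The close is only noticed at the next send, so a line written in the window between the receiver's close and that check can still be lost.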