[syslog-ng]syslog-ng vs (of all things) Win2k + IIS

Mordechai T. Abzug morty@sanctuary.arbutus.md.us
Mon, 9 Oct 2000 18:18:43 -0400


On Fri, Oct 06, 2000 at 10:05:55AM -0400, Scott McDermott wrote:

> Sure, if your network people have their shit together, you can rest
> with a pretty good idea that you won't have any UDP packets dropped
> on your own networks.  Still, that's not a guarantee, which TCP
> gives.

TCP gives a conditional guarantee.  Your packets only arrive safely if
the network isn't too congested and if the hosts have the time to
establish a full session.  That sucks when you want to send a "network
congested" message or a "my power supply is dying so I'm going down"
message or a "my CPU is at 100% and I'm dropping packets left and
right" message.  You need a protocol that works when everything around
it is breaking.  The younger SNMP-trap is also UDP.

> Why the original UNIX syslog started with UDP is beyond my
> comprehension.  Here we have logs which may or may not be *critical*
> in the case of intrusion attempts or other problems where missing
> log messages would be a disaster.

Because the people who wrote syslog lived in the days before everyone
was concerned with security and secure loghosts, when they were just
trying to make everything work to begin with.  And because they wanted
a protocol that had some chance of working during other kinds of
disasters, like imminent host failure.  And because they (and the
people who wrote snmp, and snmp-trap, and DNS) were looking at tiny
messages, at TCP overhead that's considerably larger than the
underlying messages, at TCP's long session setup/teardown times, and
so at much higher scalability limits for UDP over TCP for a given
collection of hardware and network.

- Morty
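The trade-off Morty describes (UDP for messages that must get out while the host is failing, TCP where a session can be afforded) is usually handled on the loghost by accepting both. The configuration below is an added example, not taken from the thread or from the syslog-ng project; it assumes syslog-ng 3.x syntax, and the file path and port are placeholders.

```conf
# Added example: a loghost that accepts syslog over both transports and
# records which one each message arrived on. Assumes syslog-ng 3.x.
@version: 3.2

options { use-dns(no); keep-hostname(yes); create-dirs(yes); };

# UDP: no session setup, so a host that is congested or going down can
# still fire off a last message; nothing guarantees it arrives.
source s_udp { network(ip("0.0.0.0") port(514) transport("udp")); };

# TCP: in-order, retransmitted delivery, at the cost of a handshake and
# a held connection per sender; cap the connection count on the loghost.
source s_tcp { network(ip("0.0.0.0") port(514) transport("tcp")
                       max-connections(200)); };

# One file per sending host; ${SOURCE} names the source statement the
# message came through, which makes gaps on the TCP path easy to spot.
destination d_net {
  file("/var/log/net/${HOST}.log"
       template("${ISODATE} ${HOST} via=${SOURCE} ${MSGHDR}${MSG}\n"));
};

log { source(s_udp); source(s_tcp); destination(d_net); };
```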