[syslog-ng] Buffering to a program.
John A. Parker
jap54@cornell.edu
Tue, 24 Oct 2000 06:41:38 -0400
Mahlon,
>My eventual goal is to have one 'logging server', receiving logs from all
>of the other servers around here, and parsing/pushing them into a mysql
>database.
We've implemented basically the same topology here, but instead of
"mysql"ing the messages we're parsing and monitoring the lot of them
looking for those (repeated login failures within or across system(s),
etc.) which might concern us.
What we did was write all messages to named pipes, one for each priority
level. We made our Perl script a daemon which reads the messages out of the
named pipes. One of the perceived advantages here was that all buffering is
provided by the OS. Our central server (AIX) comfortably supports over 50
disparate clients (AIX, Sun, NT) and handles an average of 310000 messages
a day. (We had an anomalous day two weeks ago with 800000 messages with no
observed problems.)
The only significant disadvantage we've encountered is that our daemon has
to be running before syslog-ng is started, this due to syslog-ng rightfully
failing to start up if the named pipes are not open, something our daemon does.
Good luck,
John
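
An added sketch of the reader side described in this message, not code from the post: a daemon that creates and opens the per-priority named pipes before syslog-ng starts, then flags repeated login failures for one account within or across hosts. It is written in Python rather than the Perl daemon mentioned above; the pipe paths, the line layout, the threshold and the window are assumptions, and syslog-ng is assumed to have one `pipe()` destination per priority pointing at the same paths.

```python
import os, re, selectors, time
from collections import defaultdict, deque
# Assumed line layout (constructed): "Oct 24 06:41:38 host sshd[1]: Failed password for USER from IP"
FAIL_RE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} (\S+) .*Failed password for (?:invalid user )?(\S+)")

class FailureTracker:
    """Flags an account with >= threshold failures inside `window` seconds, on any hosts."""
    def __init__(self, threshold=3, window=60):
        self.threshold, self.window = threshold, window
        self.seen = defaultdict(deque)              # user -> deque of (time, host)

    def feed(self, line, now=None):
        m = FAIL_RE.match(line)
        if not m:
            return None
        now = time.time() if now is None else now
        host, user = m.groups()
        q = self.seen[user]
        q.append((now, host))
        while q and now - q[0][0] > self.window:    # drop events older than the window
            q.popleft()
        return (user, len(q), sorted({h for _, h in q})) if len(q) >= self.threshold else None

def open_pipes(paths):
    """Create and open every FIFO; call this before syslog-ng is started."""
    sel, bufs = selectors.DefaultSelector(), {}
    for p in paths:
        if not os.path.exists(p):
            os.mkfifo(p, 0o600)                     # owner-only: other local users cannot inject lines
        rfd = os.open(p, os.O_RDONLY | os.O_NONBLOCK)   # succeeds with no writer attached yet
        wfd = os.open(p, os.O_WRONLY)               # held open so a syslog-ng restart is not seen as EOF
        sel.register(rfd, selectors.EVENT_READ, (p, wfd))
        bufs[rfd] = b""
    return sel, bufs

def poll_once(sel, bufs, tracker, timeout=1.0):
    """Drain the pipes that are ready; return alerts raised by complete lines."""
    alerts = []
    for key, _ in sel.select(timeout):
        bufs[key.fd] += os.read(key.fd, 65536)
        *lines, bufs[key.fd] = bufs[key.fd].split(b"\n")   # keep the partial tail for the next read
        alerts += filter(None, (tracker.feed(r.decode("utf-8", "replace")) for r in lines))
    return alerts

if __name__ == "__main__":
    sel, bufs = open_pipes(f"/var/run/logpipes/{lvl}" for lvl in ("err", "warning", "notice"))  # hypothetical paths
    tracker = FailureTracker()
    while True:
        for alert in poll_once(sel, bufs, tracker):
            print("ALERT", alert)
```
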