[syslog-ng]Reliable syslog and network outages

Amodiovalerio Verde syslog-ng@lists.balabit.hu
Mon, 18 Aug 2003 13:57:36 +0200 

well, you could disable syslog-ng queue, and use a destination program.

So....syslog-ng get a message and send it immediatly to destination.

Now with syslog-ng queue disabled, is up to you to be sure to handle and
catch that message.

Your program try to send it to a remote machine, if it cannot, it append it
to a file.

As soon as the host came back, your program ( without blocking on stdin or
you will lose new messages
syslog-ng is feeding ) , reads that file and sends the messages to the log
host

Naturally on a reboot, your program will find a non empty file, so if the
host is up, it will send all the messages.

This could not work if you have to handle big loads of messages or peaks...

Your problem could simply be slower than syslog-ng, and lost some messages,
while doing something else.

I never consider too much this problem, cause I use only UDP logging...and
it's well known by committent that messages
could be lost.

But probably I have to do a policy change, so I had to use TCP, reliability,
compression and some few things.

If you're interested I let you know.


Amodiovalerio Verde

>
> Ah, it sounds as though you've implemented the FIFO/buffer as a
> performance feature rather than as a high-availability one.
>
> Is there any straightforward way to build a relay out of syslog-ng that
> offers reliable[1] forwarding of syslog information?
>
> If not, would syslog-ng be interested in accepting a patch which added
> an option to make the FIFO buffer persistent?
>
> - Raz
>
>
>
> 1: Clearly, perfect reliability is impossible; if a machine containing
> queued logs is physically destroyed before it gets the opportunity to
> deliver its logs, then they really will be lost. I am interested in
> reliability with respect to a temporary loss of connectivity between
> syslog relay and syslog collector, and a reboot of the relay during that
> loss of connectivity. The degree of reliability that I have in mind is
> comparable to that which I would expect of a mail relay; I certainly
> wouldn't want it throwing data away because of a reboot, but I'd accept
> data loss caused by physical destruction of the machine.
>