[syslog-ng]buffer limitations and TCP compression
Jason Haar
syslog-ng@lists.balabit.hu
Wed, 19 Mar 2003 19:25:13 +1200
Andreas Schulze wrote:
> I think compression isn't the factor for centralized logging
> in WAN environments. But maybe its nice to have.
> Imagine your normal messages size is approx. <512Bytes.
> How many messages you must create/send to flood a 64KB/128KB
> leased line?
Well I've managed to flood a T1 with syslog traffic from one host before...
> We are logging >5000 devices with >15.000.000 messages per day
> to a centralized syslog-ng server over WAN.
> Problems we observed are mostly on the central size. The WAN
> isn't really the bottleneck in most scenarios.
That's really encouraging to hear. My "issue" with WAN congestion was
due to an extreme condition caused by one application pouring out syslog
messages - enough to flood a T1. I was burnt so badly by it that I've
been reluctant to turn WAN-based logging back on again - maybe I
shouldn't be...
Using TCP instead of UDP would also limit the damage - Slammer showed us
all how much better UDP is than TCP at filling pipes...
Jason