[syslog-ng]TCP interconnection between syslog-ng Servers

Rule, Ted syslog-ng@lists.balabit.hu
Fri, 6 Feb 2004 12:02:05 -0000 

I have a requirement to interconnect a few syslog-ng Servers.

The overall idea is to provide a sub-master syslog server per building,
and then have all the sub-master's log up to the master syslog server
in the main site. The hope is to reduce the impact on total log visibility
of loss of either the master server or the master server's site.

Two basic questions arise from this, though the 2nd has some sub-clauses:

1)	Is there a preferred TCP port and formatting to be used on the syslog-ng
interconnect? I'd like to conform as much as is practicable with RFCs and s=
o on,
but of course TCP Port 514 is already taken by rsh as noted in the syslog-n=
g documentation.
Some of the more recent Internet Drafts make reference to XML style formatt=
ing on the=20
syslog stream, but I don't think that's supported in syslog-ng as yet.

2)	What is the overall impact on the sub-master of a sudden death of the ma=
ster?
Are there any deadlocks involved here where the outbound stream from the su=
b-master pumps
TCP data to a non-existent host and the syslog-ng client hangs waiting for =
TCP session to complete?
Does the syslog-ng client and/or the syslog-ng server set TCP_KEEPALIVE fla=
g on the socket
to ensure that the socket eventually gets closed if the master ( OR slave )=
 is dead for an extended period?

FWIW, I'm running version 1.6.0rc3 at present.




Ted




***************************************************************************=
*********************
This E-mail message, including any attachments, is intended only for the pe=
rson
or entity to which it is addressed, and may contain confidential informatio=
n.
If you are not the intended recipient, any review, retransmission, disclosu=
re,
copying, modification or other use of this E-mail message or attachments is
strictly forbidden.
If you have received this E-mail message in error, please contact the autho=
r and
delete the message and any attachments from your computer.
You are also advised that the views and opinions expressed in this E-mail
message and any attachments are the author's own, and may not reflect the v=
iews
and opinions of FLEXTECH Television Limited.
***************************************************************************=
*********************