[syslog-ng] Log daemon for high volume of logs
Balazs Scheidler
bazsi at balabit.hu
Mon Feb 12 17:42:48 CET 2007
On Mon, 2007-02-12 at 15:17 +0000, Bryan Henderson wrote:
> >My troubles didn't go away
> >until I deployed syslog-ng everywhere and used TCP for all syslog
> >traffic (from UNIX hosts anyways).
>
> It's important to understand just how TCP addresses the problem. It's
> a problem of servers logging more than the network can handle; UDP
> addresses it by discarding log messages; TCP addresses it by slowing
> down the servers creating them. For many servers, logging is supposed
> to be transparent; it's not a central enough activity to have it pace
> the server's real work.
>
> Besides the pacing, there's also a difference in reliability. If the
> syslog server hangs, a UDP-based logger will stop logging and go on
> with life. A TCP-based one will hang with it.

Not necessarily. syslog-ng for example is configurable in this regard.
You can choose to block applications in case of a failing destination
(log statement flag named "flow-control", which is not default), or
start dropping messages once the output queue is full.
Active drop inside syslog-ng (e.g. flow-control off) is still much more
reliable than using plain UDP. TCP can recover single message drops
without filling the output buffer, UDP can't.
--
Bazsi
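
The two behaviours described in the reply above, written out as a syslog-ng configuration. This is an added example, not part of the original message; the host name, port, queue sizes and the s_local / d_central names are assumptions chosen for illustration.

```conf
# Constructed example: loghost.example.com, port 514 and all sizes are placeholders.

source s_local {
    # log-iw-size: how many messages this source may have in flight
    # before syslog-ng stops reading from it (only matters with flow-control).
    unix-stream("/dev/log" log-iw-size(1000));
    internal();   # syslog-ng's own messages, including periodic statistics
};

destination d_central {
    # log-fifo-size: output queue for this destination. Keep it larger than
    # the combined log-iw-size of the sources feeding it, otherwise messages
    # can still be dropped even when flow-control is on.
    tcp("loghost.example.com" port(514) log-fifo-size(10000));
};

# Variant A (default, no flow-control): applications are never blocked.
# While the TCP destination is down or slow, messages collect in the output
# queue; once log-fifo-size is reached, new messages are dropped and counted
# in the "dropped" statistics.
log { source(s_local); destination(d_central); };

# Variant B (flow-control): nothing is dropped by syslog-ng itself. When the
# output queue fills, syslog-ng stops reading s_local, so writers to /dev/log
# block once the socket buffer is full. Use this instead of variant A, not
# alongside it, or every message is sent twice.
# log { source(s_local); destination(d_central); flags(flow-control); };
```

Variant A suits hosts where logging must never pace the application; variant B suits audit-style logs where a stalled application is preferable to a gap in the record.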