[syslog-ng] SEC and syslog

infosec at gmail.com infosec at gmail.com
Fri Jan 11 03:12:00 CET 2008


I use the program destination because I log to files by date and sometimes a host system with a bad date screws things up.  With program I'll see every message once and only once, see it right away and not have to worry about the pipe. 

I could see going with a pipe if you wanted to be able to restart syslog regularly (like if you had a mem leak or something), but program() is quick, reliable and easy.

-----Original Message-----

From:  "Solis, Alex \(EMC\)" <axsolis at cps-ems.com>
Subj:  [syslog-ng] SEC and syslog
Date:  Thu Jan 10, 2008 8:30 am
Size:  873 bytes
To:  <syslog-ng at lists.balabit.hu>

 

 

I have been using syslog-ng and logdog.pl
(http://caspian.dotconf.net/menu/Software/LogDog/) for quite some time
but now want to move to SEC because of its thresholding and suppression
features.  I noticed that SEC can monitor files and does not necessarily
need a FIFO pipe.  I also noticed that syslog-ng can send logs directly
to a program using the program() feature.  My question is which is the
best way to implement the syslog-ng to SEC conduit?  Should I create a
pipe and ask SEC to monitor that because its efficient?  Should I simply
ask SEC to monitor syslog-ng's destination file even though files are
rotated every night?  Or should I use syslog-ng's program() feature to
send messages to SEC.  I guess all will work but which is the best
option.

 

Thanks for any insight.

 

Alex

 

 



--- attachment noname 1.html ---

--- message truncated ---




More information about the syslog-ng mailing list