[syslog-ng] SEC and syslog
infosec at gmail.com
Fri Jan 11 03:12:00 CET 2008
I use the program destination because I log to files by date and sometimes a host system with a bad date screws things up. With program I'll see every message once and only once, see it right away and not have to worry about the pipe.
I could see going with a pipe if you wanted to be able to restart syslog regularly (like if you had a mem leak or something), but program() is quick, reliable and easy.
-----Original Message-----
From: "Solis, Alex \(EMC\)" <axsolis at cps-ems.com>
Subj: [syslog-ng] SEC and syslog
Date: Thu Jan 10, 2008 8:30 am
Size: 873 bytes
To: <syslog-ng at lists.balabit.hu>
I have been using syslog-ng and logdog.pl
(http://caspian.dotconf.net/menu/Software/LogDog/) for quite some time
but now want to move to SEC because of its thresholding and suppression
features. I noticed that SEC can monitor files and does not necessarily
need a FIFO pipe. I also noticed that syslog-ng can send logs directly
to a program using the program() feature. My question is which is the
best way to implement the syslog-ng to SEC conduit? Should I create a
pipe and ask SEC to monitor that because it's efficient? Should I simply
ask SEC to monitor syslog-ng's destination file even though files are
rotated every night? Or should I use syslog-ng's program() feature to
send messages to SEC? I guess all will work, but which is the best
option?
Thanks for any insight.
Alex
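To make the three wiring options in Alex's question concrete, below is a minimal syslog-ng configuration alongside a small SEC rule file. This is an added illustration, not code from either message above and not from the syslog-ng or SEC projects. The file paths, the network source, the FIFO name, the sshd and cron patterns and the notify script /usr/local/bin/notify.sh are all assumptions. The file destination uses syslog-ng's received-time ($R_*) macros rather than the sent-time ones, which is one way to keep a remote host with a wrong clock from landing in the wrong day's file, the problem the reply above mentions.

```conf
# --- /etc/syslog-ng/syslog-ng.conf (assumed path) ---

# Receive from remote hosts on UDP/TCP 514 (assumed source; adjust to your site).
source s_net {
    udp(ip(0.0.0.0) port(514));
    tcp(ip(0.0.0.0) port(514));
};

# Option A (the reply's choice): hand every message straight to SEC on its stdin.
# syslog-ng starts the program itself and keeps the pipe to it open, so there is
# no FIFO to create and each message is written to SEC exactly once.
# "-input=-" tells SEC to read events from standard input.
destination d_sec_program {
    program("/usr/bin/sec -conf=/etc/sec/syslog.sec -input=- -intevents -log=/var/log/sec.log");
};

# Option B: a named pipe. Create it first ('mkfifo /var/run/sec.fifo') and run
# 'sec -conf=/etc/sec/syslog.sec -input=/var/run/sec.fifo' as a separate daemon.
# While no reader is attached, messages back up in syslog-ng's output queue and
# can be lost, so start SEC before syslog-ng and restart it if it dies.
destination d_sec_fifo {
    pipe("/var/run/sec.fifo");
};

# Option C: let SEC tail a file. SEC's -input= needs a fixed file name, so it
# cannot follow a date-templated destination like the one below; if you go this
# way, point SEC at a fixed-name file and rotate it with rename-and-recreate.
# The R_ macros are the collector's receive time, not the sender's timestamp,
# so a host with a bad clock still lands in today's file.
destination d_daily {
    file("/var/log/hosts/$HOST/$R_YEAR-$R_MONTH-$R_DAY.log" create_dirs(yes));
};

log { source(s_net); destination(d_sec_program); destination(d_daily); };


# --- /etc/sec/syslog.sec (assumed path) ---
# Rules are evaluated in file order; a Suppress rule placed first stops
# matching events before any later rule sees them.

# Suppression: drop routine cron job lines so they never reach the rules below.
type=Suppress
ptype=RegExp
pattern=CRON\[\d+\]: \(\w+\) CMD
desc=cron noise

# Thresholding: five failed SSH logins for the same user/source within 60 s
# fire one action. Once the threshold is hit, SEC runs the action and ignores
# further matching events until the window expires, so you get one alert
# per burst instead of one per attempt.
# $1/$2 are the regexp capture groups; %s in the action is the desc string.
type=SingleWithThreshold
ptype=RegExp
pattern=sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)
desc=SSH brute force: $1 from $2
action=shellcmd /usr/local/bin/notify.sh "%s"
window=60
thresh=5
```

Before restarting anything, syntax-check both sides: `syslog-ng -s -f /etc/syslog-ng/syslog-ng.conf` parses the syslog-ng file without starting the daemon, and `sec -conf=/etc/sec/syslog.sec -testonly` does the same for the SEC rules. With option A, also check that the user syslog-ng runs as can execute sec and write /var/log/sec.log, since the program() child inherits syslog-ng's privileges, which is also the reason to keep the rule file writable only by root: anything in an action= line runs as that user.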