[syslog-ng] SEC and syslog

Solis, Alex (EMC) axsolis at cps-ems.com
Fri Jan 11 14:14:55 CET 2008


Thanks for the reply!

Is there any DoS possibility or performance problem when the program()
destination is used in a high log volume environment?  I can see a
problem if the program is spawned (executed) each time a log comes in,
which might be very often.  I am hoping the program() destination keeps
the program in memory; does it do this?

Alex


-----Original Message-----
From: syslog-ng-bounces at lists.balabit.hu
[mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of
infosec at gmail.com
Sent: Thursday, January 10, 2008 8:12 PM
To: Syslog-ng users' and developers' mailing list;
syslog-ng at lists.balabit.hu
Subject: Re: [syslog-ng] SEC and syslog

I use the program destination because I log to files by date and
sometimes a host system with a bad date screws things up.  With program
I'll see every message once and only once, see it right away and not
have to worry about the pipe. 

I could see going with a pipe if you wanted to be able to restart syslog
regularly (like if you had a mem leak or something), but program() is
quick, reliable and easy.

-----Original Message-----

From:  "Solis, Alex (EMC)" <axsolis at cps-ems.com>
Subj:  [syslog-ng] SEC and syslog
Date:  Thu Jan 10, 2008 8:30 am
Size:  873 bytes
To:  <syslog-ng at lists.balabit.hu>

I have been using syslog-ng and logdog.pl
(http://caspian.dotconf.net/menu/Software/LogDog/) for quite some time
but now want to move to SEC because of its thresholding and suppression
features.  I noticed that SEC can monitor files and does not necessarily
need a FIFO pipe.  I also noticed that syslog-ng can send logs directly
to a program using the program() feature.  My question is which is the
best way to implement the syslog-ng to SEC conduit?  Should I create a
pipe and ask SEC to monitor that because it's efficient?  Should I simply
ask SEC to monitor syslog-ng's destination file even though files are
rotated every night?  Or should I use syslog-ng's program() feature to
send messages to SEC?  I guess all will work, but which is the best
option?

Thanks for any insight.

Alex
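The two syslog-ng-to-SEC wirings discussed in this thread, written out as an added configuration example (not from any of the posters). syslog-ng's program() destination starts the command once, keeps it running and writes each message to its stdin, restarting it if it exits, so SEC is not re-spawned per message; SEC reads stdin when its --input is "-". The paths /usr/bin/sec, /etc/sec/sec.conf and /var/run/sec.pipe are assumptions.

```conf
# Added example, not from the thread. Assumed paths: SEC binary at
# /usr/bin/sec, rules in /etc/sec/sec.conf, FIFO at /var/run/sec.pipe.

# Option 1: program() destination. syslog-ng launches SEC once at startup,
# keeps the process alive and feeds every message to its stdin.
# SEC's "--input=-" tells it to read events from standard input.
destination d_sec_program {
    program("/usr/bin/sec --conf=/etc/sec/sec.conf --input=-");
};

# Option 2: named pipe. Create it first (mkfifo /var/run/sec.pipe) and run
# SEC separately:  sec --conf=/etc/sec/sec.conf --input=/var/run/sec.pipe
# This lets syslog-ng be restarted without touching SEC, but nothing is
# delivered while no reader is attached to the FIFO.
destination d_sec_pipe {
    pipe("/var/run/sec.pipe");
};

# Keep a plain file destination as well, so the SEC feed is never the only
# copy of the logs used for correlation.
destination d_messages {
    file("/var/log/messages");
};

source s_net {
    udp(ip(0.0.0.0) port(514));
};

# Fan the same source out to the archive file and to SEC (swap in
# d_sec_pipe here to use the FIFO variant instead).
log { source(s_net); destination(d_messages); destination(d_sec_program); };
```

Whichever variant is chosen, watch syslog-ng's own log for the program or pipe destination being restarted or blocked, since that is where dropped events would first show up.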



_______________________________________________
syslog-ng maillist  -  syslog-ng at lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
