[syslog-ng] Logs after "\n" are getting truncated
Balazs Scheidler
bazsi at balabit.hu
Sat Nov 12 13:10:27 CET 2011
On Thu, 2011-11-10 at 13:40 -0600, Martin Holste wrote:
> > No it doesn't. However you shouldn't use UDP for log transport. You can
> > lose as much as 95% percent of it in peaks.
>
> Certainly UDP is not as reliable as TCP, but canonically saying you
> shouldn't use UDP seems a bit of an overstatement. We use UDP to
> collect > 15k logs per second and do not experience drops. Can you
> describe the 95% drop rates you have experienced?
Well, you need to generate a peak certainly, and once your IP receive
buffer fills up, a lot of messages can be lost.

Here's a tutorial by Marcus J. Ranum, who explains his findings (it's an
interesting read anyway, but UDP packet loss is described in slide 33).
http://www.ranum.com/security/computer_security/archives/logging-notes.pdf

So definitely _you can_ tune udp receive parameters to make it fine, but
once there's a runaway host generating lots of logs at wire speed,
message loss will always be triggered.

And not to mention that people usually run it with default parameters...
--
Bazsi
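
Added example, not part of the original message: one way to check whether a Linux collector is hitting the receive-buffer loss discussed above is to diff the `Udp:` counters in `/proc/net/snmp` between two snapshots. The snapshot text below is constructed sample data, and the function names are illustrative.

```python
# Added example: quantify UDP datagrams dropped because the socket receive
# buffer was full, using two snapshots of Linux /proc/net/snmp.

def parse_udp(snmp_text):
    """Return the 'Udp:' counters of a /proc/net/snmp snapshot as ints."""
    # The file holds a header line and a value line per protocol; 'UdpLite:'
    # lines do not match the 'Udp:' prefix and are skipped.
    rows = [l.split() for l in snmp_text.splitlines() if l.startswith("Udp:")]
    if len(rows) != 2:
        raise ValueError("expected one Udp: header line and one Udp: value line")
    header, values = rows
    return {name: int(val) for name, val in zip(header[1:], values[1:])}

def loss_between(before, after):
    """Deltas between two snapshots and the share lost to a full buffer."""
    a, b = parse_udp(before), parse_udp(after)
    delivered = b["InDatagrams"] - a["InDatagrams"]
    dropped = b["RcvbufErrors"] - a["RcvbufErrors"]
    if delivered < 0 or dropped < 0:
        raise ValueError("counter went backwards (reboot or wrap); resample")
    total = delivered + dropped
    return {"delivered": delivered,
            "rcvbuf_dropped": dropped,
            "loss_ratio": dropped / total if total else 0.0}

# Constructed snapshots (not real measurements): a quiet baseline, then the
# same host after a burst that overran the receive buffer.
HEADER = "Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors\n"
BEFORE = (HEADER + "Udp: 1000000 12 40 500 40 0\n"
          "UdpLite: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors\n"
          "UdpLite: 0 0 0 0 0 0\n")
AFTER = (HEADER + "Udp: 1050000 12 950040 500 950040 0\n"
         "UdpLite: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors\n"
         "UdpLite: 0 0 0 0 0 0\n")

if __name__ == "__main__":
    r = loss_between(BEFORE, AFTER)
    print("delivered=%(delivered)d dropped=%(rcvbuf_dropped)d "
          "loss=%(loss_ratio).1f%%" % {**r, "loss_ratio": r["loss_ratio"] * 100})
```

On a live collector, feed it the contents of `/proc/net/snmp` read before and after a traffic peak; the counters are host-wide, so a non-zero delta means some UDP socket on the box dropped datagrams, not necessarily the syslog one.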