[syslog-ng] Logs after "\n" are getting truncated

Martin Holste mcholste at gmail.com
Mon Nov 14 01:17:54 CET 2011


> Here's a tutorial by Marcus J. Ranum, who explains his findings (it's an
> interesting read anyway, but UDP packet loss is described in slide 33).
>
> http://www.ranum.com/security/computer_security/archives/logging-notes.pdf
>
> So definitely _you can_ tune udp receive parameters to make it fine, but
> once there's a runaway host generating lots of logs at wire speed,
> message loss will always be triggered.
>
What a great paper!  Hilarious and insightful, though it's a bit dated
now.  Still, lots of great pull quotes like "One thing we have learned
over time is that some log messages which nobody would consider
security event messages may actually be the precursor-indicators of an
attack."  Great stuff.  However, slide 33 is way off with regard to
numbers.  I don't know if it's a problem with the old hardware,
OpenBSD, or some other parameter, but modern Linux kernels at least
will definitely not see that kind of loss.  I have yet to see
Syslog-NG drop a UDP message because of a networking stack load
problem.  We verify this by looking at the sequence numbers from some
of our most voluminous routers.  What I have seen is Syslog-NG drop
when the log destination gets backed up, like if writing directly to
SQL.  I've never seen a file destination drop a message due to
overload.
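The sequence-number check mentioned in the message above, sketched as an added example; it is not part of the original post and not the poster's own tooling. The `<host> <seq>: <message>` line layout, the sample lines, and the names `find_gaps` and `reorder_window` are assumptions made for illustration. It reports sequence numbers that never arrived per host, while treating late (reordered) datagrams and counter restarts separately from loss.

```python
import re
from collections import defaultdict

# Constructed sample input. The "<host> <seq>: <message>" layout is an
# assumption for this example; adapt LINE_RE to your routers' format.
SAMPLE = """\
rtr1 000101: link up on port 1
rtr1 000102: link down on port 2
rtr1 000104: config changed
rtr1 000103: login failed for admin
rtr1 000107: link up on port 2
rtr1 000001: system restarted
rtr1 000002: link up on port 1
rtr2 000050: fan speed normal
rtr2 000051: fan speed high
rtr2 000052: fan speed normal
this line carries no sequence number and is skipped
"""

LINE_RE = re.compile(r"^(?P<host>\S+)\s+(?P<seq>\d+):\s")

def find_gaps(lines, reorder_window=3):
    """Per host: messages received, sequence numbers never seen, counter resets."""
    stats = defaultdict(lambda: {"received": 0, "missing": set(),
                                 "resets": 0, "last": None})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        s, seq = stats[m["host"]], int(m["seq"])
        s["received"] += 1
        last = s["last"]
        if last is None or seq > last:
            if last is not None:
                s["missing"].update(range(last + 1, seq))  # provisional gap
            s["last"] = seq
        elif seq in s["missing"]:
            s["missing"].discard(seq)   # late arrival: UDP reordering, not loss
        elif last - seq > reorder_window:
            s["resets"] += 1            # counter restarted, e.g. after a reboot
            s["last"] = seq
        # anything else is a duplicate of a number already seen: ignore it
    return {h: {"received": s["received"], "missing": sorted(s["missing"]),
                "resets": s["resets"]} for h, s in stats.items()}

if __name__ == "__main__":
    for host, r in find_gaps(SAMPLE.splitlines()).items():
        print(host, r)
```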

