Re: Central syslog server best practices?

From: Brian Hatch (loganalysisat_private)
Date: Sun Aug 12 2001 - 14:04:40 PDT


    > > Recently, the log traffic from our firewall (linux running ipchains) has
    > > been so heavy that the syslog server has been losing data.
    > ...
    > > I'm wondering how others configure their syslogging "enterprise-wide" to
    > > avoid this problem?
    > 
    > 
    > I think it sounds a bit weird that the syslog server is losing data just
    > because of one host sending too much information.
    
    Since syslog uses UDP, and there's no method to enforce
    retransmits of lost UDP datagrams built into the protocol
    itself, it's quite possible for a busy network to cause
    UDP packet loss, and thus the syslogd server will 'miss'
    logs that were sent but not received.
    
    --
    Brian Hatch                "Faith" means not wanting
       Systems and              to know what is true.
       Security Engineer
    http://www.hackinglinuxexposed.com/
    
    Every message PGP signed
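An added loopback experiment (not part of the original post) that makes the point above measurable: it fires a burst of constructed ipchains-style syslog datagrams at a UDP listener whose receive buffer is deliberately tiny, counts how many arrive, and reads the kernel's own drop counter. Assumptions: an ephemeral loopback port stands in for 514/udp, and the `RcvbufErrors` column of `/proc/net/snmp` is Linux-specific (the helper returns None elsewhere).

```python
import socket
from typing import Optional

PRI_LOCAL0_INFO = 16 * 8 + 6  # <134>: facility local0, severity info


def syslog_datagram(seq: int) -> bytes:
    # Constructed RFC 3164-style line; the seq counter lets the receiver spot gaps.
    return f"<{PRI_LOCAL0_INFO}>Aug 12 14:04:40 fw ipchains: seq={seq}".encode()


def burst_loopback(count: int, rcvbuf: int = 4096) -> dict:
    """Send `count` datagrams to a loopback listener with a tiny receive buffer."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, rcvbuf)
    rx.bind(("127.0.0.1", 0))  # ephemeral port standing in for 514/udp
    rx.settimeout(0.5)
    port = rx.getsockname()[1]

    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    for seq in range(count):
        try:
            # sendto() returns as soon as the datagram leaves this socket; nothing
            # tells the sender whether the listener's queue had room for it.
            tx.sendto(syslog_datagram(seq), ("127.0.0.1", port))
        except OSError:
            pass  # local queue full: the datagram is gone either way
    tx.close()

    seen = set()
    try:
        while True:
            data, _ = rx.recvfrom(2048)
            seen.add(int(data.rsplit(b"seq=", 1)[1]))
    except socket.timeout:
        pass
    rx.close()
    return {"sent": count, "received": len(seen), "lost": count - len(seen)}


def udp_rcvbuf_errors() -> Optional[int]:
    """Linux only: datagrams the kernel dropped because a UDP receive buffer was full."""
    try:
        with open("/proc/net/snmp") as f:
            header, values = [l.split() for l in f if l.startswith("Udp:")]
        return int(values[header.index("RcvbufErrors")])
    except (OSError, ValueError):
        return None
```

Watching `RcvbufErrors` (or the equivalent counter on your platform) on the central syslog host is the cheapest way to notice that it is silently missing messages.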