Re: [logs] Re: syslogd / some analysis

From: Marcus J. Ranum (mjrat_private)
Date: Tue Jan 29 2002 - 14:35:46 PST

  • Next message: Nate Campi: "Re: [logs] Re: syslogd / some analysis"

    Marcus J. Ranum wrote:
    >syslogd is decidedly not OK for loads in the 10,000 messages/second range on
    >        my machine
    I didn't add the obvious: "which is ridiculous"
    A machine capable of servicing thousands of web hits/second should be
    capable of logging them without dropping them on the floor. :)  To aggregate
    large amounts of logs, 10,000 messages/second might not be an extraordinary
    number, assuming some buffering and sane handling of I/O on the host and
    the network. I don't think I'd want to try to insert 10,000 records/second into
    a SQL database, even using bulk inserts. ;) So one implication is that for
    really big-ass (yes, that's the technical term...) logging servers prefiltering
    and coalescing will be a requirement. Of course coalescing _fast_ is a real
    challenge... ;)
    Marcus J. Ranum          Chief Technology Officer, NFR Security, Inc.
    To unsubscribe, e-mail: loganalysis-unsubscribeat_private
    For additional commands, e-mail: loganalysis-helpat_private

    This archive was generated by hypermail 2b30 : Tue Jan 29 2002 - 14:36:24 PST