Shane Kerr wrote:
>Actually, UDP is a good choice for some types of logging, if you build
>an ack mechanism on top of it.

Those who do not understand TCP are doomed to re-implement it - badly. The history of networking in the 80's and 90's is filled with cases where people tried to use UDP to "avoid TCP overhead" and wound up implementing something infinitely more arcane and worse. NFS is one shining example of doing it wrong in this manner. What's frustrating is that the folks who jump through these hoops to avoid "TCP overhead" probably never bother to measure and see what kind of "TCP overhead" actually exists. ;)

I think the reason syslog uses non-connected communications (either UDP or via a UNIX domain socket) is because it's unknown how many applications will be trying to connect to the log server at any time. In the 80's UNIXes didn't have hundreds of socket connections coming into a single application like modern web servers do. Handling syslogs over TCPs would entail a lot of fancy footwork to keep from blocking or thrashing in select( ) all the time. This isn't actually a really easy problem to solve in a way that is fast, efficient, and safe. :(

You could use a fifo and expect the calling program to lock/block on write - but then your data could get scrambled if a client didn't play nice. Expecting hackers to play nice is a bad idea, and fifos are only local.

Anyhow, this appears to be another case of "you can have cheap, fast, or good: pick two"

mjr.
---
Marcus J. Ranum
Chief Technology Officer, NFR Security, Inc.
Work: http://www.nfr.com
Personal: http://www.ranum.com
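The following is an added example, not part of the original message or of any syslog implementation: a sketch of the non-blocking, connection-oriented collector the message says is hard to get right, with one buffer per client so a partial or never-terminated write from one sender cannot stall the loop or scramble another sender's records. The names `LogCollector`, `MAX_LINE` and `demo`, the newline framing and the 1024-byte cap are assumptions made for the illustration.

```python
import selectors
import socket

MAX_LINE = 1024  # assumed cap: a client exceeding it without a newline is dropped

class LogCollector:
    """Single-threaded collector: one buffer per client, no call ever blocks."""

    def __init__(self):
        self.sel = selectors.DefaultSelector()  # epoll/kqueue where available
        self.records = []                       # (client_id, line) in arrival order

    def add_client(self, sock, client_id):
        sock.setblocking(False)
        self.sel.register(sock, selectors.EVENT_READ, (client_id, bytearray()))

    def _drop(self, sock):
        self.sel.unregister(sock)
        sock.close()

    def pump(self, timeout=0.1):
        """Service every socket that is readable right now, then return."""
        for key, _ in self.sel.select(timeout):
            sock, (client_id, buf) = key.fileobj, key.data
            try:
                chunk = sock.recv(4096)
            except BlockingIOError:
                continue
            except ConnectionError:
                chunk = b""
            if not chunk:            # peer closed; its partial line is discarded
                self._drop(sock)
                continue
            buf += chunk
            # Emit only complete lines; a half-written record stays buffered.
            *lines, rest = bytes(buf).split(b"\n")
            for line in lines:
                self.records.append((client_id, line.decode("utf-8", "replace")))
            buf[:] = rest
            if len(buf) > MAX_LINE:  # never-terminated line: bound the memory
                self._drop(sock)

def demo():
    # Constructed input: two local clients, one sends its record in two pieces.
    col = LogCollector()
    a, a_srv = socket.socketpair()
    b, b_srv = socket.socketpair()
    col.add_client(a_srv, "app-a")
    col.add_client(b_srv, "app-b")
    a.send(b"disk fu")
    b.send(b"login ok\n")
    col.pump()
    a.send(b"ll\n")
    col.pump()
    return col.records
```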
This archive was generated by hypermail 2b30 : Wed Jan 30 2002 - 07:28:28 PST