Meandering further from the main topic...
On 2002-01-30 10:26:36 -0500, Marcus J. Ranum wrote:
> Shane Kerr wrote:
> >Actually, UDP is a good choice for some types of logging, if you
> >build an ack mechanism on top of it.
>
> Those who do not understand TCP are doomed to re-implement it - badly.
I have heard this, however there is a class of problems where TCP is
known to be the wrong choice. Personally, I've never worked in any of
these environments (video games, sound, etc.), but they do exist.
> The history of networking in the 80's and 90's is filled with cases
> where people tried to use UDP to "avoid TCP overhead" and wound up
> implementing something infinitely more arcane and worse. NFS is one
> shining example of doing it wrong in this manner. What's frustrating
> is that the folks who jump through these hoops to avoid "TCP overhead"
> probably never bother to measure and see what kind of "TCP overhead"
> actually exists. ;)
<off-topic>
I agree that the best thing to do is measure before designing. Or to
put it another way:
"Accurate measurement is the beginning of all wisdom."
- Imhotep c.a. 2650 B.C.
That's an unfair attack on poor UDP, because NFS is a shining example of
so many things that are wrong:
http://www.time-travellers.org/shane/papers/NFS_considered_harmful.html
</off-topic>
To get slightly back on topic, one of the worst things you can possibly
do is use NFS for your logging!
> I think the reason syslog uses non-connected communications (either
> UDP or via a UNIX domain socket) is because it's unknown how many
> applications will be trying to connect to the log server at any time.
> In the 80's UNIXes didn't have hundreds of socket connections coming
> into a single application like modern web servers do. Handling syslogs
> over TCPs would entail a lot of fancy footwork to keep from blocking
> or thrashing in select( ) all the time. This isn't actually a really
> easy problem to solve in a way that is fast, efficient, and safe. :(
Today you can reasonably handle O(1000) concurrent TCP connections on a
single box without tricks, especially if they are long-lived
connections. O(10k) is where the problems start. Personally I'd argue
that if you're trying to log from that many hosts to a single server
you're asking for trouble. ;)
--
Shane
Carpe Diem
This archive was generated by hypermail 2b30 : Wed Jan 30 2002 - 08:38:49 PST
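
The thread's point about taking log lines from many long-lived TCP connections without blocking can be made concrete with a small sketch. This is an added example, not code from the original post or from any syslog implementation; the `LogCollector` class, newline framing and the `MAX_LINE` cap are assumptions chosen for illustration.

```python
import selectors
import socket
MAX_LINE = 8192  # assumed cap on one unterminated line, in bytes

class LogCollector:
    def __init__(self):
        self.sel = selectors.DefaultSelector()  # epoll/kqueue where available
        self.buffers = {}  # socket -> bytes not yet ended by a newline
        self.lines = []    # (sender label, line) in arrival order

    def add_listener(self, host="127.0.0.1", port=0):
        srv = socket.create_server((host, port), backlog=1024)
        srv.setblocking(False)
        self.sel.register(srv, selectors.EVENT_READ, None)  # None marks the listener
        return srv.getsockname()[1]

    def add_connection(self, conn, label):
        conn.setblocking(False)
        self.buffers[conn] = b""
        self.sel.register(conn, selectors.EVENT_READ, label)

    def _drop(self, conn):
        self.sel.unregister(conn)
        del self.buffers[conn]
        conn.close()

    def _read(self, conn, label):
        try:
            chunk = conn.recv(4096)
        except BlockingIOError:
            return  # spurious wakeup, nothing to read
        except ConnectionError:
            chunk = b""
        if not chunk:
            return self._drop(conn)  # sender closed or reset
        *complete, rest = (self.buffers[conn] + chunk).split(b"\n")
        self.lines.extend((label, l.decode("utf-8", "replace")) for l in complete)
        if len(rest) > MAX_LINE:
            return self._drop(conn)  # never buffer an unframed stream without bound
        self.buffers[conn] = rest

    def poll(self, timeout=0.1):
        for key, _ in self.sel.select(timeout):
            if key.data is None:
                conn, addr = key.fileobj.accept()
                self.add_connection(conn, "%s:%d" % addr[:2])
            else:
                self._read(key.fileobj, key.data)
        return len(self.buffers)  # connections still open
```

Each call to `poll()` does at most one non-blocking read per ready connection, so a slow or silent sender never stalls the others, and a sender that never sends a newline is disconnected once its buffer passes `MAX_LINE`.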