Re: [logs] Queuing of remote logging

From: Sweth Chandramouli (loganalysisat_private)
Date: Sat Mar 30 2002 - 23:01:47 PST


    On Fri, Mar 29, 2002 at 11:14:57AM -0500, Jason Piterak wrote:
    > Hi Sweth,
    >   Have you taken a look at modular syslog (a syslog replacement) from Core
    > Security Technologies (bsd license --
    > http://www.corest.com/products/corewisdom/CW01.php#nada)? 
    	I've looked at msyslog, although I hadn't noticed that
    particular feature in it.  (Sweth goes off for a while and looks at the
    latest tarball...)  Hmm... the docs are less than helpful, and the
    source isn't exactly pleasant to grok, but from what I can tell, msyslog
    uses a simple non-rolling buffer to store messages in memory when it
    can't reach the remote host.  This means (again, from what I can tell)
    that if you set the buffer to, say, 8k, and you get 20k worth of logs
    generated while the loghost is unreachable, then only the first 8k of
    those logs are queued--the rest are discarded.  Since the buffer is
    stored in memory, I'd be hesitant to make it exceptionally large (as
    opposed to a system that queued messages on-disk); also, on the off
    chance that the daemon died before reconnecting with the loghost, the
    buffer would, it appears, be lost entirely.
    	Alejo, if you're still on-list, let me know if I'm
    missing something here.
    
    	-- Sweth.
    
    -- 
    Sweth Chandramouli      Idiopathic Systems Consulting
    svcat_private      http://www.idiopathic.net/
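
The queuing behaviour described above, as an added example that is not part of the original post and is not msyslog's code: a byte-bounded non-rolling buffer next to a rolling one, fed 20,000 bytes of constructed messages against an 8k limit. The class and function names are hypothetical, and the loss marker emitted on flush is an assumption added here so the gap is visible at the loghost.

```python
from collections import deque

class NonRollingBuffer:
    """Byte-bounded queue that discards new messages once full (drop-newest)."""
    def __init__(self, capacity):
        self.capacity, self.used, self.dropped = capacity, 0, 0
        self.queue = deque()

    def enqueue(self, msg):
        if self.used + len(msg) > self.capacity:
            self.dropped += 1          # message is lost, nothing is evicted
            return False
        self.queue.append(msg)
        self.used += len(msg)
        return True

    def flush(self):
        """Drain on reconnect; append a loss marker (assumption) if any were dropped."""
        out = list(self.queue)
        if self.dropped:
            out.append(b"<12>queue: %d messages discarded during outage" % self.dropped)
        self.queue.clear()
        self.used = self.dropped = 0
        return out

class RollingBuffer(NonRollingBuffer):
    """Same byte budget, but evicts the oldest messages to admit new ones."""
    def enqueue(self, msg):
        if len(msg) > self.capacity:   # can never fit, even in an empty buffer
            self.dropped += 1
            return False
        while self.used + len(msg) > self.capacity:
            self.used -= len(self.queue.popleft())
            self.dropped += 1
        return super().enqueue(msg)

def make_outage_logs(count=200, size=100):
    """Constructed sample: count * size = 20,000 bytes of fixed-size messages."""
    return [(b"<13>host app: seq=%04d " % i).ljust(size, b".") for i in range(count)]

def simulate(buffer_cls, capacity=8192):
    """Queue the sample during an 'outage', then return what the loghost receives."""
    buf = buffer_cls(capacity)
    for msg in make_outage_logs():
        buf.enqueue(msg)
    delivered = buf.flush()
    seqs = [int(m.split(b"seq=")[1][:4]) for m in delivered if b"seq=" in m]
    return seqs[0], seqs[-1], len(seqs), delivered[-1]

if __name__ == "__main__":
    for cls in (NonRollingBuffer, RollingBuffer):
        print(cls.__name__, simulate(cls))
```

Both variants lose 119 of the 200 messages; the non-rolling buffer keeps the start of the outage and the rolling buffer keeps the end. Neither survives the daemon exiting before reconnection, since the queue lives only in process memory.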
    



    This archive was generated by hypermail 2b30 : Sun Mar 31 2002 - 08:25:51 PST