On Tue, Apr 02, 2002 at 10:37:03AM -0800, Devin Kowatch wrote:
> Humm... the independent log hosts is an interesting idea. Do you just
> use the worm media as an archive?

Most places that use WORM do it for archival purposes; in theory, if you could find WORM media with a fast enough write speed, you could use it for initial queuing storage, but I don't know of anyone who has actually done so.

> How difficult is it to go back and
> reconcile the two logs?

It depends on how rigorous you want to be. If the loghosts and the hosts logging to them are all on a quiet switched network with no intervening WAN links, you can probably get away with having each loghost pull over the most recently rolled logfiles from the other hosts and each doing a diff against the most recently rolled local logfiles.

Once the networks start getting saturated or you start getting WAN-level latency, however, the machines will start receiving messages in different orders and with different timestamps. The timestamp issue can be solved by just comparing the files after cutting the timestamps out, on the assumption that if all of the lines are present and in the same order then the timestamps are irrelevant. Once the orders start differing, however, things get more interesting; you need to do things like comparing "rolling windows" of each file and trying to match a given line in the local file to any of the lines in the current window of the alternate file that has the same message text and a timestamp within some reasonable interval (a la diff, but with extra logic for the timestamps).

-- Sweth.

--
Sweth Chandramouli
Idiopathic Systems Consulting
svcat_private
http://www.idiopathic.net/
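The rolling-window comparison described in the message above, sketched as an added example that is not part of the original post or any tool it mentions. The function names, the window size, the 2-second skew and the sample lines are assumptions made for illustration; it also assumes each loghost stamps lines on receipt, so each file is in non-decreasing time order.

```python
from datetime import datetime, timedelta

# Constructed sample data: the same traffic as recorded by two loghosts.
LOCAL = [
    "Apr  2 10:37:01 web1 sshd[411]: Accepted password for alice",
    "Apr  2 10:37:01 web1 su: alice to root",
    "Apr  2 10:37:02 db1 kernel: eth0 link up",
    "Apr  2 10:37:04 web1 sshd[411]: session closed for alice",
    "Apr  2 10:37:09 db1 cron[88]: job started",
]
REMOTE = [
    "Apr  2 10:37:02 db1 kernel: eth0 link up",
    "Apr  2 10:37:02 web1 sshd[411]: Accepted password for alice",
    "Apr  2 10:37:05 web1 sshd[411]: session closed for alice",
    "Apr  2 10:37:06 web1 sshd[502]: Failed password for root",
    "Apr  2 10:37:10 db1 cron[88]: job started",
]

def parse(line, year=2002):
    """Split a classic syslog line into (timestamp, text after the timestamp)."""
    # Assumption: 15-character "Mon dd HH:MM:SS" prefix, which carries no year.
    ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
    return ts, line[16:].rstrip("\n")

def reconcile(local, remote, window=5, max_skew=timedelta(seconds=2)):
    """Return (only_local, only_remote) for two loghosts' copies of a rolled log."""
    loc = [parse(l) for l in local]
    rem = [parse(l) for l in remote]
    matched = [False] * len(rem)
    only_local, base = [], 0
    for ts, text in loc:
        # Slide the window past remote lines already matched or too old to match.
        while base < len(rem) and (matched[base] or rem[base][0] < ts - max_skew):
            base += 1
        for i in range(base, min(base + window, len(rem))):
            r_ts, r_text = rem[i]
            # Same message text and a timestamp within the allowed interval.
            if not matched[i] and r_text == text and abs(r_ts - ts) <= max_skew:
                matched[i] = True
                break
        else:
            only_local.append(text)  # nothing in the current window matched
    only_remote = [rem[i][1] for i in range(len(rem)) if not matched[i]]
    return only_local, only_remote

if __name__ == "__main__":
    print(reconcile(LOCAL, REMOTE, window=3))
```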