Tom Perrine wrote:
>Absolutely. The "too many sockets" argument just doesn't buy it for
>me. That said, one of the problems that we think we have solved is
>how to handle thousands (tens of thousands?) of long-lived TCP
>sessions.

Why did you bother? I am just kinda curious, but code-wise and efficiency-wise having the client buffer locally and then connect every so often is pretty good. The client can disconnect if it's sat there for more than a second without sending something, or something like that... The only downside I can think of is a hackquer getting into the machine and zapping the log where it's queued. But that is really a false economy because the hackquer can just as easily send a bogus ARP or routing update or ICMP bomb to block traffic to the logging host and force the client to local-buffer anyhow...

> Our system adds new input processes to handle more incoming
>connections as needed. And no, not one proc per connection :-) And
>procs that have no open connections do go away...
>
>I was thinking in terms of 10K hosts logging to a single log host.

Yeah. Non-persistent connections would make that 10K scale a WHOLE LOT, y'know?

>I guess we could ask Eric, right? :-) (I seem to recall, probably
>incorrectly, that Eric wrote the first syslog daemon?)

Yes. Eric has given many good things to the security community, in terms of job security. ;) However, I promised him I'd never bash sendmail again for being buggy, after I'd gotten a chance to read some web server and browser code. The Web makes syslog and sendmail look splendid by comparison. ;)

mjr.
---
Marcus J. Ranum - Computer and communications Security Expertise
mjrat_private (http://www.ranum.com)
_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
This archive was generated by hypermail 2b30 : Thu Dec 05 2002 - 15:56:15 PST
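
The buffer-locally-and-connect-occasionally client discussed in the message above, as an added example that is not part of the original post or of any syslog implementation. The class name, the newline-framed TCP format and the bounded queue are assumptions made for illustration.

```python
import socket
import time
from collections import deque


class BufferedLogClient:
    """Queue log lines locally; hold a connection only while draining them."""

    def __init__(self, host, port, idle_timeout=1.0, max_queue=10000):
        self.addr = (host, port)
        self.idle_timeout = idle_timeout      # seconds of silence before disconnect
        self.queue = deque(maxlen=max_queue)  # assumption: oldest lines drop when full
        self.sock = None
        self.last_send = 0.0

    def log(self, line):
        self.queue.append(line.rstrip("\n") + "\n")

    def flush(self):
        """Send queued lines; return how many were handed to the kernel."""
        sent = 0
        try:
            if self.queue and self.sock is None:
                self.sock = socket.create_connection(self.addr, timeout=2.0)
            while self.queue:
                self.sock.sendall(self.queue[0].encode())
                self.queue.popleft()  # dequeue only after the send succeeded
                sent += 1
                self.last_send = time.monotonic()
        except OSError:
            self.close()  # log host unreachable or blocked: lines stay queued
        return sent

    def tick(self):
        """Call periodically: drain the queue, then drop an idle connection."""
        sent = self.flush()
        if self.sock and time.monotonic() - self.last_send > self.idle_timeout:
            self.close()
        return sent

    def close(self):
        if self.sock is not None:
            try:
                self.sock.close()
            finally:
                self.sock = None
```

A successful `sendall` only means the data reached the local TCP stack, so a receiver that must not lose lines needs an application-level acknowledgement on top of this.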