2003-05-13T14:17:10 Marcus J. Ranum: > http://www.loganalysis.org/sections/discussions/index.html Thanks for the pointer; I found that a very interesting highlights page. When I saw the topic "Syslog UDP unreliability" that reminded me of something I've turned up in some loging system design tasks recently, I don't recall having seen it discussed here (but I may have missed it). It's easy to say criticize UDP transported syslog. But even ignoring the fanout issue (it's easy for a UDP daemon to accept traffic from arbitrarily many different clients, it's rather more work to scale that up for TCP transport), I think this misses an interesting point. I like having both TCP and UDP available in modern syslogd replacements. TCP is lovely when you prize reliability in overload conditions; but I've had occasions when I'd rather run the risk of losing messages, when the alternative is to force the log-writer to stall. Any log-writer will have some bound on the amount of backlog it can buffer; a system designed for 100% perfect guaranteed never a lost log message will inevitably increase the risk of writers eventually becoming unavailable. If your log writer is a machine whose availability is more critical than its log messages, UDP transported syslog is an appealing mechanism. Obviously care needs to be made in such judgement calls; any time you deliberately elect to use UDP you are deliberately choosing to lose any strong hope of a forensic guarantee of log completeness. But log completeness isn't a requirement in all contexts. -Bennett
This archive was generated by hypermail 2b30 : Tue May 13 2003 - 20:29:18 PDT