Actually, the root problem cause - IMHO - is udp AND a single daemon. I would suggest to set up at least two machines and let them store everything as duplicate. Different physical locations wouldn't hurt. As long as you need to accept udp syslog, I would set up some relay machines close to the emitting devices, make them keep a local log and then forward it via a reliable connection (RFC3195/COOKED preferred) to the central daemon. You can do this today with SDSC syslogd and in the future - I expect - with many more...

Rainer

> -----Original Message-----
> From: Florin Andrei [mailto:florin@private]
> Sent: Monday, September 22, 2003 9:04 PM
> To: loganalysis@private
> Subject: Re: [logs] High Network Load
>
>
> On Fri, 2003-09-19 at 06:32, Paul Robertson wrote:
> >
> > Don't put all your logs in one basket.
> >
> > I can't imagine what design criteria fed into "Log everything over the
> > network to a single server," but you should re-evaluate it fairly
> > critically. Disk is slow, everything going to one logging daemon, logging
> > to one filesystem (probably through one route) is going to be
> > not-the-best-architectural-idea-anyone's-ever-had.
>
> It depends on what are you trying to accomplish.
>
> I can see the truth in your rebuttal, but there is a fair amount of
> truth in the original message too.
> Centralising syslog is good if you must analyse the information that
> syslog provides in a centralised fashion. Sure, there are lots of things
> you could do with SNMP, but I don't think the areas covered by syslog
> and SNMP are mutually inclusive (i.e. the same).
>
> --
> Florin Andrei
> http://florin.myip.org/
_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
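
The relay arrangement suggested in the reply above (accept UDP syslog near the devices, keep a local log, forward over a connection-oriented link), as an added example that is not code from the thread or from SDSC syslogd. Assumptions: newline-framed plain TCP stands in for RFC3195, and the class name, spool path, host and ports are hypothetical placeholders.

```python
import socket
from collections import deque

class SyslogRelay:
    """Relay near the devices: UDP syslog in, local log, TCP forward."""

    def __init__(self, spool_path, central_addr, connect=socket.create_connection):
        self.spool_path = spool_path      # local log, written before forwarding
        self.central_addr = central_addr  # (host, port); placeholder values below
        self.connect = connect            # injectable so the logic can be tested offline
        self.pending = deque()            # lines the central daemon has not taken yet
        self.conn = None

    def handle(self, datagram):
        """Log one UDP datagram locally, then try to forward the backlog."""
        line = datagram.decode("utf-8", "replace").rstrip("\r\n").replace("\n", " ")
        with open(self.spool_path, "a", encoding="utf-8") as spool:
            spool.write(line + "\n")
        self.pending.append(line)
        return self.flush()

    def flush(self):
        """Send queued lines in order; keep whatever could not be sent."""
        sent = 0
        while self.pending:
            try:
                if self.conn is None:
                    self.conn = self.connect(self.central_addr, 3.0)
                # sendall() only hands bytes to the kernel; it is no receipt from the daemon
                self.conn.sendall(self.pending[0].encode("utf-8") + b"\n")
            except OSError:
                if self.conn is not None:
                    self.conn.close()
                self.conn = None
                break
            self.pending.popleft()
            sent += 1
        return sent

    def serve(self, bind_addr=("0.0.0.0", 5514)):
        """Blocking receive loop for UDP syslog from nearby devices."""
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
            udp.bind(bind_addr)
            while True:
                datagram, _peer = udp.recvfrom(8192)
                self.handle(datagram)

if __name__ == "__main__":
    SyslogRelay("relay.log", ("central.example", 5140)).serve()
```

While the central daemon is unreachable, every message is still in the relay's local log and in its in-memory backlog, which is drained in order once the connection comes back.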
This archive was generated by hypermail 2b30 : Wed Sep 24 2003 - 11:48:29 PDT