[logs] Central Log Server

From: Philip Webster (pjwebster@private)
Date: Wed Oct 01 2003 - 20:13:15 PDT

  • Next message: Mikael Olsson: "Re: [logs] *NIX logger syslog message format"

    Thanks to all who responded to my previous email (High Network Load). 
    Some more research has led me to some more questions ...
    TCP Reliability
    There has been much discussion on this list and elsewhere about the 
    unreliability of UDP, but how about TCP.  Does anyone have any stats 
    regarding which situations will cause a loss of data when using TCP to 
    log remotely?  We have a pretty good network here ... reliable, 
    redundant services, etc ... so the main problems I see are from either 
    load on the machines (maintaining TCP connections, SSL/SSH, etc) or 
    network saturation.  Has anyone encountered and solved these solutions 
    before whilst still maintaining a central log host setup?
    Alternative Methods
    I will be looking at using a single central syslog server, as we need to 
    collect data from devices which only know about 'classic' syslog, and 
    cannot log via any other mechanism.  We also want to have as much data 
    as possible collected in real-time, so I'll be implementing syslog over 
    TCP as well (encrypted where possible).  In addition, some shell/perl 
    scripts will routinely collect logs from remote hosts in the event that 
    data logged over the network got lost (syslog client machines will log 
    both locally and to the central server).  Michael Poon (Re: Central 
    syslog server best practices?, 13/08/01) wrote of a similar 
    configuration ... a little more complex, but the same basic idea.  Does 
    anyone have any comments or suggestions in regard to this or similar setups?
    LogAnalysis mailing list

    This archive was generated by hypermail 2b30 : Thu Oct 02 2003 - 06:26:20 PDT