On Thu, Oct 02, 2003 at 01:13:15PM +1000, Philip Webster wrote:

> network saturation. Has anyone encountered and solved these solutions
> before whilst still maintaining a central log host setup?

As far as reliability when network outages occur, syslog-ng specifically allows you to configure a FIFO - which basically means it'll cache up to "n" records when the TCP channel blocks or dies, and will flow those cached records through when the other end is up again. Obviously there are limits (there always are): how many records you allow it to cache impacts how much memory you allocate to the syslog-ng client, this cache is in-memory, so will be lost if the syslog-ng client dies for some reason, etc.

We run a three-tiered syslog-ng environment. Each site points its syslog clients (Unix, Routers, Switches, Windows+ntsyslog, printers) at its central syslog server (i.e. over UDP), and the central syslog servers replicate their data to a "corporate" central syslog server (over TCP). i.e. each site has a central syslog server, and the corporation has a central syslog server containing (most) of the entire company's syslog data.

We make use of the leaf-node syslog clients' configs to remove "chatty" junk that we don't want filling up the site Syslog server, and use syslog-ng's internal filtering to reduce the amount of that data that needs to flow over the WAN to the corporate central syslog server. e.g. some of our PIXes are VERY noisy, so specific alerts that we want logged *somewhere*, but we don't want logged centrally can be fine-tuned...

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
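A site-level syslog-ng configuration implementing the tiered setup Jason describes (UDP in from local devices, everything kept on the site server, a filtered subset forwarded over TCP with an output FIFO so a WAN outage does not drop records immediately). This is an added example written for this archive page, not configuration from the post or from Trimble. It assumes syslog-ng 3.x syntax (the post predates it; the `@version` line must match the installed release), a corporate collector named `corp-syslog.example.com` and a site name `siteA`, and it treats PIX informational (level 6) messages as the "chatty" class that stays local; all three are illustrative choices.

```conf
@version: 3.38
# Site-tier syslog-ng.conf (example, not from the original post).

options {
    use-dns(no);            # never block on reverse lookups of device IPs
    keep-hostname(yes);     # keep the hostname the device sent
    create-dirs(yes);
    stats-freq(600);        # periodic counters, including dropped-message counts
};

# Tier 1: site devices (Unix hosts, routers, switches, ntsyslog, printers) send UDP.
source s_site_devices {
    network(ip("0.0.0.0") port(514) transport("udp"));
};
source s_local { internal(); system(); };

# "Chatty" class: assumed to be PIX level-6 (informational) messages.
# These stay on the site server and are not replicated corporately.
filter f_pix_chatty {
    host("pix") and message("%PIX-6-");
};
filter f_forward_to_corp { not filter(f_pix_chatty); };

# Everything lands on the site server, one file per host per day.
destination d_site_archive {
    file("/var/log/siteA/$HOST/$YEAR$MONTH$DAY.log");
};

# Tier 2 -> Tier 3: replicate over TCP. log-fifo-size() is the in-memory
# buffer the post refers to: up to this many messages are held while the
# TCP connection is down or blocked, then flushed when it returns.
# Sizing note: this is memory on the site server, and it is lost if the
# syslog-ng process dies; count the "dropped" stats to see if it is too small.
destination d_corp {
    network("corp-syslog.example.com" port(514) transport("tcp")
            log-fifo-size(100000));
};

log { source(s_site_devices); source(s_local); destination(d_site_archive); };
log { source(s_site_devices); source(s_local);
      filter(f_forward_to_corp); destination(d_corp); };
```

Check the file with `syslog-ng --syntax-only -f /path/to/syslog-ng.conf` before reloading. Newer releases (3.8 and later) also offer a `disk-buffer()` option on the `network()` destination, which addresses the caveat in the post by spilling the queue to disk so a process restart does not lose the cached records; the in-memory `log-fifo-size()` shown here is the mechanism the post describes.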
This archive was generated by hypermail 2b30 : Thu Oct 02 2003 - 20:01:19 PDT