It's funny; I used to think I wanted my syslog infrastructure to be reliable and to not lose messages. Now that I've gotten the ability to do that, I've discovered that I usually would rather have a logging outage (or slowdown) lose messages, rather than hanging (or slowing) the apps that are logging to it. Reliable logging says, the completeness and correctness of your log capture is more important than the reliability and availability of your service. While there may be cases where that's true, I find them to be the exception more than the norm. So I use unix-dgram and udp, in preference to unix-stream and tcp. What's really appropriate, I think, is to leave syslog alone, unreliable but loosely coupled between logging client app and logging server, and introduce a new, distinctly separate logging service that offers reliable logging --- and write client apps to use it only when they've got something to say whose logging is more important than the app continuing to run. Critical audit events. -Bennett
_______________________________________________ LogAnalysis mailing list LogAnalysis@private http://lists.shmoo.com/mailman/listinfo/loganalysis
This archive was generated by hypermail 2.1.3 : Wed Aug 03 2005 - 14:19:04 PDT