[logs] Re: Looking for toolkits and products that support RFC3195 -- COOKED

From: Bennett Todd (bet@private)
Date: Wed Aug 03 2005 - 12:24:51 PDT


It's funny; I used to think I wanted my syslog infrastructure to be
reliable and to not lose messages. Now that I've gotten the ability
to do that, I've discovered that I usually would rather have a
logging outage (or slowdown) lose messages, rather than hanging (or
slowing) the apps that are logging to it.

Reliable logging says, the completeness and correctness of your log
capture is more important than the reliability and availability of
your service. While there may be cases where that's true, I find
them to be the exception more than the norm.

So I use unix-dgram and udp, in preference to unix-stream and tcp.

What's really appropriate, I think, is to leave syslog alone,
unreliable but loosely coupled between logging client app and
logging server, and introduce a new, distinctly separate logging
service that offers reliable logging --- and write client apps to
use it only when they've got something to say whose logging is more
important than the app continuing to run. Critical audit events.

-Bennett
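
The trade-off described in this message, as an added Python example that is not part of the original post: a non-blocking datagram sender that drops messages when the collector stalls, next to a separate acknowledged channel for critical audit events. The class names, the newline-terminated record, the one-byte ACK and the sample messages are assumptions constructed for illustration.

```python
import socket
import threading

class LossyLogger:
    """Best-effort path: never blocks the caller, counts what it drops."""
    def __init__(self, sock):
        sock.setblocking(False)
        self.sock, self.sent, self.dropped = sock, 0, 0

    def log(self, msg):
        try:
            self.sock.send(msg.encode())
            self.sent += 1
        except OSError:  # queue full (EAGAIN/ENOBUFS) or collector gone
            self.dropped += 1

class AuditLogger:
    """Reliable path: the caller waits for the collector's ACK or gets an error."""
    def __init__(self, sock, timeout=1.0):
        sock.settimeout(timeout)
        self.sock = sock

    def audit(self, msg):
        self.sock.sendall(msg.encode() + b"\n")
        if self.sock.recv(1) != b"\x06":
            raise ConnectionError("audit record not acknowledged")

def ack_one(sock):
    """Constructed collector: read one short record, then ACK it."""
    record = sock.recv(4096).decode().rstrip("\n")  # one recv suffices here
    sock.sendall(b"\x06")
    return record

def demo(total=1000):
    """Stalled collector on the lossy path, live collector on the audit path."""
    app, stalled = socket.socketpair(socket.AF_UNIX, socket.SOCK_DGRAM)
    app.setsockopt(socket.SOL_SOCKET, socket.SO_SNDBUF, 4096)  # fill quickly
    stalled.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, 4096)
    lossy = LossyLogger(app)
    for i in range(total):  # constructed messages; nobody ever reads them
        lossy.log(f"<14>app: request {i} served")
    a, c = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    stored = []
    t = threading.Thread(target=lambda: stored.append(ack_one(c)))
    t.start()
    AuditLogger(a).audit("audit: role change for user alice")
    t.join()
    return lossy.sent, lossy.dropped, stored
```

On Linux a blocking send on a unix datagram socket waits when the receiver's queue is full, which is why the lossy path sets the socket non-blocking and counts drops instead.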


