[logs] Re: Looking for toolkits and products that support RFC3195 -- COOKED

• Previous message: 345345@private: "[logs] research on log analysis techniques"
• In reply to: Bennett Todd: "[logs] Re: Looking for toolkits and products that support RFC3195 -- COOKED"
• Next in thread: Joost van Baal: "[logs] Re: Looking for toolkits and products that support RFC3195 -- COOKED"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Actually I came across a very similar situation myself recently. I've 
setup an reliable logging system using message queuing infrastructure and 
a database.
A configuration change stopped the queue being emptied and eventually the 
source of the logs couldn't log and was blocked.

An alternative to the lossy logging you propose, Bennett, would be to back 
off to a different logging solution. i.e. I'm planning to add an 
enhancement such that if the log message cannot be submitted to the queue 
then it is written to a file and the administrator is notified in some 
way. Then the administrator can fix the problem and then resubmit the 
messages from the file to the queue.

Note: I speak for myself, not my employer.

Cheers,
Edward


Edward Sargisson BSc, BCom
Consultant
IBM Business Consulting Services
Wellington, New Zealand
DDI: + 64-4-462-3586, Mob: + 64-21-254-8927
P O Box 38 993, Wellington, NEW ZEALAND
edward.j.sargisson@private





Bennett Todd <bet@private> 
Sent by: 
loganalysis-bounces+edward.j.sargisson=nz1.ibm.com@private
04/08/2005 07:24

To
"Moehrke, John (GE Healthcare)" <John.Moehrke@private>
cc
loganalysis@private
Subject
[logs] Re: Looking for toolkits and products that support RFC3195 -- 
COOKED






It's funny; I used to think I wanted my syslog infrastructure to be
reliable and to not lose messages. Now that I've gotten the ability
to do that, I've discovered that I usually would rather have a
logging outage (or slowdown) lose messages, rather than hanging (or
slowing) the apps that are logging to it.

Reliable logging says, the completeness and correctness of your log
capture is more important than the reliability and availability of
your service. While there may be cases where that's true, I find
them to be the exception more than the norm.

So I use unix-dgram and udp, in preference to unix-stream and tcp.

What's really appropriate, I think, is to leave syslog alone,
unreliable but loosely coupled between logging client app and
logging server, and introduce a new, distinctly separate logging
service that offers reliable logging --- and write client apps to
use it only when they've got something to say whose logging is more
important than the app continuing to run. Critical audit events.

-Bennett
_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis

• application/octet-stream attachment: attw7k8m.dat

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis

• Previous message: 345345@private: "[logs] research on log analysis techniques"
• In reply to: Bennett Todd: "[logs] Re: Looking for toolkits and products that support RFC3195 -- COOKED"
• Next in thread: Joost van Baal: "[logs] Re: Looking for toolkits and products that support RFC3195 -- COOKED"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.3 : Wed Aug 03 2005 - 15:36:00 PDT