ScottO wrote:

> - Or, maybe having distributed "collector" syslog servers that somehow
> dump back to a central syslog server. So a distributed architecture
> approach.
>

That's the approach we went with. Have local (typically UDP-based) syslog clients dumping to local central syslog-ng server. That server can do any initial filtering to reduce the data it writes to disk, and/or forwards to the next link in the chain. Then those syslog-ng servers dump via TCP to the next syslog-ng layer, etc.

We currently have 3 layers and everything's gravy :-) (but then we don't have 1000 hosts - that could be a lot of traffic)

Also, your LVM option seems to me to be solving a different problem - one of fault tolerance. As such, surely you could use both options?

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
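The layered relay described in the reply above, sketched as two syslog-ng configuration files; this is an added example, not the poster's configuration. It assumes syslog-ng 3.x syntax, and the hostname `central.example.internal`, the ports, the file paths and the `info` severity cut-off are all placeholders.

```conf
# Constructed example: two separate files shown in one listing.

# ===== File 1: site collector (first syslog-ng layer) =====
@version: 3.38
options {
    keep-hostname(no);   # ignore the hostname claimed inside a UDP message;
    use-dns(no);         # record the sender's IP address as ${HOST} instead
};

# Local clients send plain UDP syslog to this collector.
source s_clients { network(transport("udp") port(514)); };

# Initial filtering: drop debug-level noise before it costs disk or bandwidth.
filter f_info_up { level(info..emerg); };

# Keep a local copy so the site still has logs if the upstream link is down.
destination d_local { file("/var/log/collector/${HOST}.log" create-dirs(yes)); };

# Forward over TCP to the next layer (placeholder hostname).
destination d_next { network("central.example.internal" transport("tcp") port(514)); };

log { source(s_clients); filter(f_info_up); destination(d_local); destination(d_next); };

# ===== File 2: next layer (central server, or another relay) =====
@version: 3.38
options {
    keep-hostname(yes);  # keep the ${HOST} value set by the collector,
                         # otherwise every event is attributed to the relay
};

# Only collectors connect here; restrict the port to them at the firewall.
source s_collectors { network(transport("tcp") port(514) max-connections(50)); };

destination d_archive {
    file("/var/log/central/${HOST}/${YEAR}-${MONTH}-${DAY}.log" create-dirs(yes));
};

log { source(s_collectors); destination(d_archive); };
```

The `keep-hostname()` split is the part that matters for later analysis: the first layer decides which host an event is attributed to, and every layer after it has to preserve that value rather than overwrite it with the relay's own address.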
This archive was generated by hypermail 2.1.3 : Wed May 10 2006 - 15:59:48 PDT