Since I got great feedback from this list regarding a centralized logging set of questions before, I figured I would get thoughts from everyone regarding this.

Two options for the host machines sending to collectors and/or a central server:

1. Hosts keep regular syslogd and forward to a collector using UDP. The collector then filters out unnecessary stuff, does some processing, etc. before passing on to a central server (with the edges and central using syslog-ng).

2. Hosts get syslog-ng, do some filtering on each host before sending to the collectors over TCP, and the collector possibly does additional filtering, analysis, etc. before forwarding on to the central server (again, with the edges and central using syslog-ng).

I guess some things that I have been thinking about are: is possibly slightly less data sent over TCP more or less efficient network bandwidth-wise than sending all the data over UDP? The obvious piece of not having to replace syslog with syslog-ng across thousands of hosts is a huge win, plus the individual hosts not doing any filtering keeps them using their cycles and resources for their main duties and not analyzing logs.

Thoughts??

Thanks again,
Scott

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
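What the two options look like as syslog-ng configuration, as an added example that is not part of Scott's post. The hostnames, the port, the archive path and the specific filter rules are assumptions chosen for illustration; the `network()` driver is the current syslog-ng syntax (older releases spell the same thing as `tcp()` and `udp()`).

```conf
# ===== Option 2: syslog-ng on the host, filter locally, forward over TCP =====
# Example configuration, not from the original post. Hostnames are assumed.

source s_local {
    system();     # /dev/log, kernel ring buffer, etc.
    internal();   # syslog-ng's own status messages
};

# Drop routine chatter on the host, but never drop authentication events:
# anything filtered here is gone before a defender ever sees it.
filter f_host_keep {
    facility(auth, authpriv)
    or (not (facility(cron) and level(info)) and not level(debug));
};

destination d_collector_tcp {
    network("collector.example.internal" transport("tcp") port(514));
};

log { source(s_local); filter(f_host_keep); destination(d_collector_tcp); };


# ===== Collector: accept UDP from legacy syslogd hosts (Option 1) and TCP =====
# ===== from syslog-ng hosts (Option 2), filter once, forward to central  =====

source s_from_hosts {
    network(ip("0.0.0.0") port(514) transport("udp"));                       # stock syslogd hosts
    network(ip("0.0.0.0") port(514) transport("tcp") max-connections(2000)); # syslog-ng hosts
};

# The collector-side filter is where Option 1 hosts get trimmed; for Option 2
# hosts it is a second, usually narrower, pass over already-reduced traffic.
filter f_collector_keep {
    facility(auth, authpriv)
    or (not (facility(cron) and level(info)) and not level(debug));
};

destination d_central {
    network("central.example.internal" transport("tcp") port(514));
};

# Keep a local copy per sending host so a central-server outage loses nothing.
destination d_local_archive {
    file("/var/log/collector/${HOST}/${YEAR}${MONTH}${DAY}.log" create-dirs(yes));
};

log {
    source(s_from_hosts);
    filter(f_collector_keep);
    destination(d_central);
    destination(d_local_archive);
};
```

The bandwidth difference between the two is usually small next to the operational difference: with UDP the collector cannot distinguish a quiet host from one whose messages are being dropped on the wire, whereas a TCP session at least makes disconnects visible in syslog-ng's `internal()` messages on both ends. If host-side filtering is used, keep the host filter conservative (as above, with an explicit allow for `auth`/`authpriv`) and do the aggressive trimming on the collector, where it can be tuned in one place and audited.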
This archive was generated by hypermail 2.1.3 : Wed May 24 2006 - 12:15:46 PDT