> If that's what's worrying you, you should definitely do UDP at the
> edge and do first-order analysis and event compaction at the edge,
> compress the logfiles at the edge then just use something like rsync
> over SSH to get the data back to your central.
>
> Syslogs compress _really_ well - on the order of 90% or so (your
> mileage may vary)

I hear what you are saying here, I wasn't as concerned with the data load from the edge to the collectors, as I am from network load from all the hosts to the edges.

> All that said, in general it's not a good idea to proceed with a design
> before you've done some back of the envelope measurement and
> determined if it's possible or not. You might find out that the data
> rates you're dealing with are insignificant, anyhow. Last time I saw
> someone go into a syslog design that hadn't thought it through was
> buying and fielding big bad-ass machines and my back of the envelope
> estimates showed that a 30 gig iPod would have had about the
> right amount of processing and storage for his syslog load...

Understood. Still very early in the planning/research stage, hope to get to some testing in the next couple weeks to get a better sense of the loads, etc. Just not sure if rolling out syslog-ng to all the hosts is the best thing to do, when I can just do filtering, carving, etc. at the edge and central levels.

> mjr.

Thanks,
Scott

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
This archive was generated by hypermail 2.1.3 : Sun May 28 2006 - 00:12:59 PDT