Volker Wiegand <[EMAIL PROTECTED]> writes:
> Okay, my opinion was really humble, and since I was the only one to ask
> for UDP support, it has just died. Rest in peace :-)
A lot of people automatically believe that TCP is better than UDP for
a logging mechanism. "UDP is unreliable", and "it's too easy to lose a
packet on our network" are common complaints I have in my
organisation. Yet, I would suggest the most common place for losing a
UDP packet is not across a LAN but in the buffering at either the
sender or the receiver. You need to have a pretty bad local network to
be dropping packets - admittedly in an 'attack' scenario this might be
the first thing someone attempts to create.
If absolute robustness is required then failures must be handled all
the way back up to the application doing the logging - arguably the
biggest flaw in Syslog and its usage as it stands today. Further, the
protocol (over TCP or over UDP) must implement an acknowledgement of
each message received so that it tracks which have been received
(analogous to what TCP itself is doing) and to act as the
application-level "keep-alive" and dead receiver determination.
James.
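
The per-message acknowledgement described in the message above, sketched over UDP on loopback. This is an added example, not part of the original post and not any syslog implementation; the `seq message` / `ACK seq` wire format and the names `receiver`, `send_reliable` and `demo` are assumptions, and the dropped datagram is constructed to stand in for a full receive buffer.

```python
import socket
import threading

def receiver(sock, delivered, drop_first, limit):
    """Log each sequence number once, ack every accepted datagram, exit after `limit`."""
    seen = set()
    while len(seen) < limit:
        data, addr = sock.recvfrom(2048)
        seq, _, msg = data.partition(b" ")
        if seq in drop_first:
            drop_first.remove(seq)    # constructed loss: first copy never reaches the log
            continue
        if seq not in seen:           # a retransmission must not be logged twice
            seen.add(seq)
            delivered.append(msg.decode())
        sock.sendto(b"ACK " + seq, addr)

def send_reliable(sock, dest, seq, msg, timeout=0.3, retries=3):
    """Return the attempts used; raise so the logging application sees the failure."""
    packet = str(seq).encode() + b" " + msg.encode()
    sock.settimeout(timeout)
    for attempt in range(1, retries + 1):
        sock.sendto(packet, dest)
        try:
            while True:               # skip stale acks for earlier sequence numbers
                reply, _ = sock.recvfrom(64)
                if reply == b"ACK " + str(seq).encode():
                    return attempt
        except OSError:               # timeout (or a socket error): no ack this attempt
            continue
    raise ConnectionError(f"receiver presumed dead: no ack for seq {seq}")

def demo():
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind(("127.0.0.1", 0))
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    delivered = []
    args = (rx, delivered, {b"2"}, 3)  # drop the first copy of seq 2, stop after 3 messages
    threading.Thread(target=receiver, args=args, daemon=True).start()
    attempts = [send_reliable(tx, rx.getsockname(), i, f"event {i}") for i in (1, 2, 3)]
    try:                              # the receiver has exited; the port is bound but silent
        send_reliable(tx, rx.getsockname(), 4, "event 4")
        dead = False
    except ConnectionError:
        dead = True
    rx.close()
    tx.close()
    return delivered, attempts, dead
```

The missing ack doubles as the dead-receiver signal: the sender never learns why the datagram vanished, only that the retry budget ran out, and the exception carries that back to the caller.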