1999-10-23-07:51:20 James R Grinter:
> A lot of people automatically believe that TCP is better than UDP for a
> logging mechanism. "UDP is unreliable", and "it's too easy to lose a packet
> on our network" are common complaints I have in my organisation.
Could be that a lot of people believe it. I for one _know_ it, from personal,
firsthand experience. Corrupted and lost log entries are the observed
consequence of high logging rates when logging over the network with current
syslogs; I've observed this with various systems.
> Yet, I would suggest the most common place for losing a UDP packet is not
> across a LAN but in the buffering at either the sender or the receiver.
That's probably the commonest place, with buffering at routers in between
being a far rarer but occasional contributor.
> You need to have a pretty bad local network to be dropping packets -
> admittedly in an 'attack' scenario this might be the first thing someone
> attempts to create.
If you're logging a message every few seconds, that's absolutely right. But if
you're flinging hundreds or thousands of log entries per second, you really
need a protocol designed to manage buffering and retransmissions and so forth.
For sure, it's possible to implement one atop UDP if you're sufficiently
determined, but it really seems like a waste of effort. That stuff was built
into TCP for a reason.
> If absolute robustness is required then failures must be handled all
> the way back up to the application doing the logging - arguably the
> biggest flaw in Syslog and its usage as it stands today.
Currently the failure mode is "if anything gets slow or goes wrong anywhere,
ignore it and just discard the messages. Don't worry of messages are
corrupted."
If the logging streams were carried over TCP, it would be "if the daemon dies
or the host it's on crashes, there will be a loss of sync for a tcp
reconnection, and when that happens some messages may be lost or duplicated,
depending on buffering". That would not bother me much at all. I sure don't
see any appeal to staying with UDP, unless someone, somewhere _likes_ the
current reliability characteristics.
-Bennett
