Sorry for the late reply, have been off to a conference...

On Thu, 2013-02-21 at 16:25 +0000, Aditya Dogra (addogra) wrote:
> Currently syslog messages collected locally on the network device are
> transmitted to the remote syslog servers as per RFC 5424 (UDP protocol
> used for transmission)

RFC5424 does NOT specify UDP transport. In fact, it does not specify any transport at all, it just describes the format and the stack. Transport mappings are done in

RFC5425 - TLS (TCP), the recommended protocol
RFC5426 - UDP

There is also historic RFC6587 on industry standard plain tcp, but this is just for interoperating with legacy systems, not for new implementation. It is strongly discouraged to use that in new systems.

> and RFC 3195 (TCP protocol used for transmission)

RFC3195 is a bit dated and would need to be changed to base on RFC5424. This has not yet been done as there was no notable implementation of RFC3195.

> However, we have observed that increasingly, customers are using
> syslog messages archived in the remote server for business logic.
>
> In some networks, it is possible that some of the syslog messages may
> be dropped due to link failure or other network conditions.
>
> However, the customers are expecting much higher resiliency for the
> syslog messages.
>
> The questions we seek clarification are:
>
> a) What are the expectations from the external syslog
> delivery?

There is a very small window of exposure, see section 5.3 of RFC5425. I also wrote a somewhat more elaborate blog post on this problem, which may be useful for you:

http://blog.gerhards.net/2008/04/on-unreliability-of-plain-tcp-syslog.html

> b) Should we rely on syslog's alone? Please note that SNMP
> traps functionality for network management is also there.

That's something that you need to answer based on your use cases and requirements. As far as my personal experience goes, the loss potential is very slim, and lots of our customers use the RFC protocols to do biz critical things. Some use other protocols in addition.

side-note: modern-day syslogd implementations do not rely on the syslog protocol alone. They accept input from a wide variety of sources, including SNMP.

HTH
Rainer
_______________________________________________
Syslog mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/syslog
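
Added example, not part of the original message: the reply separates the RFC 5424 message format from its transport mappings, so this Python code builds an RFC 5424 message, applies the RFC 5425 octet-counted framing used over TLS, and shows a receiver keeping only complete frames when the stream is cut short. The host name, message text and the `MAX_MSG_LEN` receiver limit are constructed assumptions.

```python
"""RFC 5424 message format and RFC 5425 octet-counted framing (constructed sample data)."""

MAX_MSG_LEN = 8192  # assumed receiver-local limit; reject larger length prefixes


def format_5424(facility, severity, timestamp, host, app, msg,
                procid="-", msgid="-", sd="-"):
    """Build one RFC 5424 SYSLOG-MSG; "-" is the NILVALUE for unused fields."""
    pri = facility * 8 + severity  # PRI combines facility and severity
    line = f"<{pri}>1 {timestamp} {host} {app} {procid} {msgid} {sd} {msg}"
    return line.encode("utf-8")


def frame_5425(syslog_msg: bytes) -> bytes:
    """RFC 5425 section 4.3: SYSLOG-FRAME = MSG-LEN SP SYSLOG-MSG (length in octets)."""
    return str(len(syslog_msg)).encode("ascii") + b" " + syslog_msg


def deframe_5425(buf: bytes):
    """Return (complete_messages, unconsumed_bytes) for bytes read from the stream.

    An incomplete trailing frame is left in the remainder rather than delivered,
    which is what a receiver sees when the connection drops mid-message.
    """
    messages = []
    while buf:
        sp = buf.find(b" ")
        if sp == -1:
            if not buf.isdigit():
                raise ValueError("malformed MSG-LEN")
            break  # length prefix itself not fully received yet
        length_field = buf[:sp]
        if not length_field.isdigit() or length_field.startswith(b"0"):
            raise ValueError("malformed MSG-LEN")
        length = int(length_field)
        if length > MAX_MSG_LEN:
            raise ValueError("frame exceeds receiver limit")
        end = sp + 1 + length
        if len(buf) < end:
            break  # frame body truncated; wait for more data
        messages.append(buf[sp + 1:end])
        buf = buf[end:]
    return messages, buf


if __name__ == "__main__":
    m1 = format_5424(16, 4, "2013-02-21T16:25:00Z", "router1.example.com", "ifmgr", "link down")
    m2 = format_5424(16, 6, "2013-02-21T16:25:07Z", "router1.example.com", "ifmgr", "link up")
    stream = frame_5425(m1) + frame_5425(m2)
    print(deframe_5425(stream[:-10]))  # stream cut 10 octets early: only m1 is complete
```

Over UDP (RFC 5426) no such framing is needed, since each datagram carries exactly one message.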
