On 2009 Dec 23, at 20:50, Brad Knowles wrote:

> On Dec 23, 2009, at 6:30 PM, Nicholas Tang wrote:
> 
>> You could probably also log to Syslog and have it write those logs to a 
>> remote Syslog server rather than writing them locally.  That won't require a 
>> network-aware logging module.
> 
> The disadvantage to remote syslog is that the default protocol is UDP, and in 
> my experience is very sensitive to latency.  On networks that were less than 
> 1% utilized, I've seen UDP syslog drop over 75% of all the log data.  
> Packages like syslog-ng allow you the option of doing syslog over a TCP 
> connection, but that also has some issues.

I manage the central log server framework for a large set of servers.  We use 
UDP.  There is no evidence of significant packet loss anywhere.  Yes, older 
networks will have packet loss, be it TCP or UDP.  But my experience managing a 
hefty volume of log data is we just don't see evidence of loss on the network.  
There are days I wish we did.  Then I wouldn't have to worry about the harder 
problem of merging those various data streams into one time sorted chunk of 
data, processing it, and storing it for a year.

I've seen this statement more than a couple times in the past several years.  
But network technology has marched on.

I do agree with syslog-ng (or similar) as the collector agent, but for a 
different reason.  Regular syslog does not transmit the timestamp with a 
timezone code, or in Unix time.  If the remote servers are not in time sync, or 
are scattered over multiple time zones, it can be nearly impossible to 
reasonably sort the data into time order.  We use the option to set the time of 
the log event to the received time, not the time of the sending server. 

Yes, we periodically review the logs that would be very obvious if any events 
are missing, and have yet to find a missing log event.

----
"The speed of communications is wondrous to behold. It is also true that
speed can multiply the distribution of information that we know to be
untrue." Edward R Murrow (1964)

Mark McCullough
[email protected] 


_______________________________________________
Tech mailing list
[email protected]
http://lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
 http://lopsa.org/
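
The timestamp point in the message above, as an added example that is not part of the original post or of syslog-ng: legacy syslog headers carry no year and no UTC offset, so a merge keyed on the sender's timestamp misorders events from hosts in different time zones, while the collector's receive time keeps them in order. The host names, messages and receive times are constructed, and the year is assumed from the collector's clock.

```python
import re
from datetime import datetime, timedelta, timezone

# Legacy (RFC 3164) header: <PRI>Mmm dd hh:mm:ss HOST MSG, with no year and no UTC offset
LEGACY = re.compile(r"<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)")

def parse(datagram, received_at):
    """Parse one legacy syslog datagram and attach the collector's receive time (UTC)."""
    m = LEGACY.fullmatch(datagram)
    if m is None:
        raise ValueError("not a legacy syslog message")
    pri, stamp, host, msg = m.groups()
    # The wire format carries no year, so the collector's year is assumed here.
    sender = datetime.strptime(f"{received_at.year} {stamp}", "%Y %b %d %H:%M:%S")
    return {"severity": int(pri) % 8, "facility": int(pri) // 8, "host": host,
            "msg": msg, "sender_time": sender, "received": received_at}

def merged(events, key):
    """Return host names in the order produced by sorting on the given time field."""
    return [e["host"] for e in sorted(events, key=lambda e: e[key])]

# Constructed sample: three hosts with correct local clocks in UTC-5, UTC and UTC-8,
# logging one second apart. Receive times are what the collector's own clock saw.
T0 = datetime(2009, 12, 24, 1, 50, 1, tzinfo=timezone.utc)
SAMPLE = [
    ("<38>Dec 23 20:50:01 web-nyc sshd[411]: session opened for user alice", T0),
    ("<38>Dec 24 01:50:02 db-lon sshd[902]: session opened for user alice", T0 + timedelta(seconds=1)),
    ("<38>Dec 23 17:50:03 app-sfo sshd[77]: session opened for user alice", T0 + timedelta(seconds=2)),
]
EVENTS = [parse(d, t) for d, t in SAMPLE]

if __name__ == "__main__":
    print("by sender timestamp:", merged(EVENTS, "sender_time"))
    print("by receive time:   ", merged(EVENTS, "received"))
    for e in sorted(EVENTS, key=lambda e: e["received"]):
        print(e["received"].isoformat(), e["host"], e["msg"])
```

Receive-time ordering is only as accurate as the delivery delay between sender and collector, which is the trade-off accepted in exchange for a single trusted clock.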
