[Mimedefang] Re: potential stock syslogd caveats

Jeremy Mates jmates at sial.org
Mon Mar 1 15:45:24 EST 2004


* Les Mikesell <les at futuresource.com>
> What happens to a server if it is logging via tcp and the syslog-ng
> receiving it can't keep up writing to disk? In the past I've seen
> local unix socket connections kill named and sendmail when syslog
> couldn't keep up - and of course there was no log about why... The
> server in question was also collecting remote logs from several Cisco
> routers around the time of the first Code Red virus but still, given a
> choice between killing a server and dropping a syslog message, I'd
> prefer to drop the message.

Bandwidth throttle incoming data such that no one host can overrun the
disk, or for yakky systems where the logs tend to repeat, keep them on
UDP. syslog-ng does do some degree of buffering, though I have not
stress tested it.

Another option would be to keep the loghost on a different system than
what is running named/sendmail...

For more about logging issues, perhaps see the LogAnalysis mailing list:

http://lists.shmoo.com/mailman/listinfo/loganalysis
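
The per-host throttling suggested in the reply above, sketched as an added example (not part of the original message and not syslog-ng code): a token bucket keyed by sending host, so a flooding host has its excess lines dropped and counted while other hosts are still written. The class and function names, the rate and burst figures, and the sample events are assumptions constructed for the illustration.

```python
from dataclasses import dataclass


@dataclass
class Bucket:
    tokens: float      # bytes this host may still send right now
    last: float        # timestamp of the previous refill
    dropped: int = 0   # messages discarded for this host


class PerHostThrottle:
    """Token bucket per source host: `rate` bytes/s sustained, `burst` bytes peak."""

    def __init__(self, rate, burst):
        self.rate, self.burst, self.hosts = rate, burst, {}

    def admit(self, host, message, now):
        b = self.hosts.setdefault(host, Bucket(tokens=self.burst, last=now))
        # Refill for the elapsed time; ignore a clock that steps backwards.
        b.tokens = min(self.burst, b.tokens + max(0.0, now - b.last) * self.rate)
        b.last = now
        if len(message) > b.tokens:
            b.dropped += 1          # drop and count, never block the sender
            return False
        b.tokens -= len(message)
        return True


def replay(events, rate, burst):
    """Feed (timestamp, host, message) tuples through the throttle."""
    throttle = PerHostThrottle(rate, burst)
    written = [(h, m) for ts, h, m in events if throttle.admit(h, m, ts)]
    return written, {h: b.dropped for h, b in throttle.hosts.items()}


# Constructed sample input: one router floods 20 lines in the same instant,
# a mail server logs one line, and the router logs again five seconds later.
NOISY = b"router1 denied tcp (constructed sample line)".ljust(100, b".")
SAMPLE = (
    [(0.0, "router1", NOISY)] * 20
    + [(0.0, "mail1", b"mail1 sendmail: stat=Sent (constructed)")]
    + [(5.0, "router1", NOISY)]
)

if __name__ == "__main__":
    written, dropped = replay(SAMPLE, rate=100, burst=1000)
    print(len(written), "lines written; dropped per host:", dropped)
```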


