
Re: Bug#435884: ITP: rsyslog -- enhanced multi-threaded syslogd



Pierre Habouzit <madcoder@debian.org> writes:

> The syslog daemon shall not eat any more than 0.01% of your CPU.

That's just silly. :P

For a cluster of syslog servers, the syslog daemon shall use whatever
CPU time it needs.  If it needs more than one CPU, and more than one
CPU is available, then it's a good idea for the syslog daemon to use
more than one CPU.

You have multiple ways for logs to enter:

  514/udp - the good old standard.

  <whatever>/tcp - tcp syslog, queued on the client side, ensured on
  the server side, possibly encrypted if data passes external
  networks.

  local sockets, doors, etc...

Logs may be filtered and classified according to priority, network,
server group, application, or facility.

You have several places where the log data will go:

  Disk

  Database

  Some analysis application

  Custom statistics software with realtime graphs.

  IDS (Big, horrible, expensive, java-thingy.  Prints Pretty Pictures)

  Local antispam-daemons.

> Why would you need to bloat it for god's sake?  It reminds me of so
> called network monitors that are so huge, that they mostly measure
> their own fat. A multi-foo syslog daemon is just plain silly.

Not if you run a large network, cluster, server group or if you're an
internet service provider.  If you get tens or hundreds of gigabytes
of logs every day, you need a good framework.  A mail service for just
1M users alone logs 1GB every few hours.  Some of that is interesting,
and everything must be kept for a while.

For your own laptop?  Naah, you can keep sysklogd, as it's probably
good enough for your needs.

Remember that Debian is used by more than just you, so calling the
needs of others "silly" may be perceived as short-sighted.

-- 
Stig Sandbeck Mathisen


