
Re: central logging host vs. reliability of receiving a message



Martin wrote:

> I know that it uses udp so the reliability part must be somewhere in
> the application (that is for standard syslog). According to
> http://www.balabit.com/network-security/syslog-ng/features/ syslog-ng
> supports sending messages over TCP so that would solve the problem but
> I remember that "drop in replacement" wasn't quite true for syslog-ng,
> I may be wrong.

To do basically the same thing as syslog, apt-get install syslog-ng will
work just fine. If you want to change the protocol it uses to TCP, or
increase the default buffer size (syslog-ng will buffer log events if
the remote server is down and transmit them when it returns) then you
need further config, though it's pretty simple.

I've been using syslog-ng exclusively for several years now without
much issue. Can't imagine a reason to use the original syslog anymore.
Though another project, rsyslog, seems to have popped up recently (at least
as far as I'm concerned), haven't spent any time looking at it though.

> If anyone has a couple of good links to throw at my boss so that I can
> back up the pros of centralized logging with hard facts (cons are
> also welcome) I'd be grateful,

I'd say show him the flash videos on www.splunk.com

nate
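
The "further config" mentioned above could look like the following syslog-ng fragment. It is an added example, not part of the original post; the host name loghost.example.com, the port, the buffer size and the file path are assumed placeholder values.

```conf
# --- client side: /etc/syslog-ng/syslog-ng.conf (added example) ---

# Local log sources: the syslog socket plus syslog-ng's own messages.
source s_local { unix-stream("/dev/log"); internal(); };

# Classic syslog behaviour: UDP, no delivery guarantee, nothing is
# buffered if the central host is unreachable.
destination d_central_udp {
    udp("loghost.example.com" port(514));
};

# TCP transport with a larger output queue. log_fifo_size() is counted
# in messages; the queue holds events while the central host is down
# and is flushed when the connection comes back.
destination d_central_tcp {
    tcp("loghost.example.com" port(514)
        log_fifo_size(10000));
};

# Send everything over TCP; the UDP destination above is shown only
# for comparison and is not referenced by any log path.
log { source(s_local); destination(d_central_tcp); };

# --- central host: listen on TCP and write one directory per sender ---

source s_net {
    tcp(ip(0.0.0.0) port(514) max_connections(100));
};

destination d_per_host {
    file("/var/log/remote/$HOST/messages" create_dirs(yes));
};

log { source(s_net); destination(d_per_host); };
```

The output queue is held in memory, so messages still queued are lost if the client's syslog-ng is restarted, and new messages are dropped once the queue is full.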

