David,

Sorry for the late reply.

In my experience: it depends...

Under Linux/Unix, it is most common to have a single instance of the
syslog process running. All other processes communicate with that
process via local IPC, but the ultimate sender is the single instance of
syslogd running. I have seen some deployments where multiple syslogd's
run on a single machine. This is rare and, if so, almost always because
of different security domains (e.g. have a different process listen to
locally generated messages vs. Network received messages).

>From a design perspective, it might be a choice to have multiple
processes make up for the syslog subsystem. A real-world example is SDSC
syslogd, which runs different stacks in different processes. Rsyslog
also has the RFC 3195 receiver separated. AFAIK these processes do not
share internal information. It is questionable if such can always be
assumed.

Under Windows, it is common to have different syslog sender processes,
but typically only one receiver is running. This stems back to the fact
that there is no syslog subsystem is available on Windows so every
vendor brings in its own. The key difference to *nix is that here each
program is itself a syslog sender, while under *nix each program formats
the MSG part of the message, passes that to an API and the syslogd picks
and sends it from there (effectively relaying the message).

I hope this information is useful.

Rainer

> -----Original Message-----
> From: David Harrington [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, December 12, 2006 9:36 PM
> To: [EMAIL PROTECTED]
> Subject: [Syslog] Syslog-mib-11
> 
> Hi,
> 
> In my latest review of syslog-mib-11, I have started to believe that
> Tom was right when he questioned the MIB module design, which models
> multiple syslog entities in a table, so one SNMP engine deals with
> multiple syslog senders, relays, and/or recievers on the same host. 
> 
> This adds complexity in the MIB design that I am not convinced is
> necessary. As the terminology in the MIB document has gotten closer to
> other WG documents, this has become somewhat clearer to me.
> 
> Tom recommended that the MIB module only model a single syslog entity.
> Different instantations of the MIB module can be represented as
> existing in different contexts (e.g. in different communities), so one
> SNMP engine can still deal with multiple syslog senders, relays,
> and/or receivers on the same host, but the MIB module itself becomes
> simpler. 
> 
> We should be sure the MIB module reflects real world requirements. I
> do not have much operational experience, so I need your input.
> 
> In real deployments, is it **typical** to have multiple syslog stacks
> running on the same host, each with a different bind address and port
> number and config file? or is it more common for most applications to
> share one syslog process (e.g., daemon) that operates via one
> address/port?
> 
> David Harrington
> [EMAIL PROTECTED] 
> [EMAIL PROTECTED]
> [EMAIL PROTECTED]
> 
> 
> 
> _______________________________________________
> Syslog mailing list
> Syslog@lists.ietf.org
> https://www1.ietf.org/mailman/listinfo/syslog
> 

_______________________________________________
Syslog mailing list
Syslog@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/syslog

Reply via email to