On Fri, 12 Sep 2014, David Nolan wrote:

On Friday, September 12, 2014, David Lang <[email protected]> wrote:


In general, I dislike the methodology of writing data to disk for another
file to scrape and do something with. There are just so many things that
can go wrong



It depends on your requirements for those logs and whether losing an entry
due to network/remote service issues is considered higher risk than local
disk / forwarder issues.

For some applications, failure to write a log (locally or remotely) means
denying a transaction.  Most firewalls can do this with synchronous syslog
over TCP. (No TCP ack on syslog packet, no connection allowed.)

Note that TCP doesn't give you as much protection as you think. The sending software considers it sent when it's handed to the OS TCP stack, but it's only some time later that it gets to the far end. If the connection is lost before that, the message will be lost.

The Reliable Event Logging Protocol (RELP) adds the application-level acknowledgement that is needed to actually make it reliable in the face of network issues.

But remember that systems at both sides cache the data in RAM, so if the right system dies at the wrong time, you can lose data.


To get full audit-grade logging, you need to do the following in your application:

1. log that you intend to do something

2. try to do it

3. log if you succeeded or not.

Then in your logging system, you need to watch for the intent logs without the success/failure logs.

When you log, you need to not consider the log written until you have confirmation that the log is safe on non-volatile media (which may be faster over a network connection to a server with high-end storage than to local storage).

David Lang
_______________________________________________
Tech mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
 http://lopsa.org/
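
The three-step procedure above, together with the check for intent records that never received an outcome, as an added Python example that is not part of the original thread. The JSON record layout, the `txid` field and all function names are assumptions, and the sample log lines are constructed.

```python
import json
import os
import uuid

# Constructed sample: b2 has an intent but no outcome; the last line is torn.
SAMPLE_LOG = [
    '{"txid": "a1", "phase": "intent", "action": "debit 100"}',
    '{"txid": "a1", "phase": "success"}',
    '{"txid": "b2", "phase": "intent", "action": "debit 250"}',
    '{"txid": "c3", "phase": "intent", "action": "debit 75"}',
    '{"txid": "c3", "phase": "failure", "error": "insufficient funds"}',
    '{"txid": "d4", "phase": "inte',
]

def durable_append(path, record):
    """Append one JSON record; return only after fsync() has completed."""
    with open(path, "a", encoding="utf-8") as f:
        f.write(json.dumps(record) + "\n")
        f.flush()               # push Python's buffer to the OS
        os.fsync(f.fileno())    # ask the OS to push it to the storage device

def audited(path, action, func):
    """1. log the intent, 2. try the action, 3. log success or failure."""
    txid = uuid.uuid4().hex
    durable_append(path, {"txid": txid, "phase": "intent", "action": action})
    try:
        result = func()
    except Exception as exc:
        durable_append(path, {"txid": txid, "phase": "failure", "error": repr(exc)})
        raise
    durable_append(path, {"txid": txid, "phase": "success"})
    return result

def unresolved_intents(lines):
    """Return intent records that have no matching success/failure record."""
    pending = {}
    for line in lines:
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # torn or blank line, e.g. a crash in the middle of a write
        if not isinstance(rec, dict):
            continue
        if rec.get("phase") == "intent":
            pending[rec.get("txid")] = rec
        elif rec.get("phase") in ("success", "failure"):
            pending.pop(rec.get("txid"), None)
    return list(pending.values())
```

An intent that stays unresolved means the process died between steps 1 and 3, so the real outcome of that action has to be checked by other means.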