Reliable syslog
Over the past few weeks, I have been building a central syslog server. I wanted this log server to be very reliable and never lose any log messages. There were two ways I could protect against failure of the log server. The first was to have two syslog servers, send all the logs to both of them, and then each night run some kind of reconciliation script to merge the logs into one. The other option was to run a single syslog server on a cluster. In addition, I planned to use a syslog server that supports TCP instead of UDP and to encrypt the traffic using stunnel. I decided to go with the cluster option and to use Polyserve Matrix Server for the clustering.
I was planning to use syslog-ng, but the production release (1.6.x) will lose messages if the syslog-ng service fails over in the cluster. See here for an explanation. There is a development release of syslog-ng 2 (1.9.x) that claims to fix this issue; however, its support for Sun STREAMS seems to be incomplete or broken, and I am not keen on using beta code on production servers.
So, what other options are there? Well, there is an IETF working group looking at reliable syslog. I found a couple of implementations of this. One is the San Diego Supercomputer Center Secure Syslog (SDSCsyslog) and the other is rsyslog. SDSCsyslog does not appear to have any current development being done on it, and its mailing lists are almost inactive. rsyslog appears very active, but from my reading of the syslog website it only supports the listener part of RFC 3195.
There is also msyslog. It supports TCP but not RFC 3195; however, its last release was in early 2003.
For now I plan to stick with the current production release of syslog-ng, but I will keep an eye on how rsyslog develops and look at moving to that in the future.
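The transport described above (syslog-ng over TCP, wrapped in stunnel, pointed at the cluster's service address) as an added configuration example; this is not the post's own configuration. Hostnames, ports, file paths and certificate files are assumptions, and the syntax targets the syslog-ng 1.6 and stunnel 4 releases of the time.

```conf
# --- client: /etc/syslog-ng/syslog-ng.conf (syslog-ng 1.6 syntax) ---
options {
    keep_hostname(yes);
    log_fifo_size(10000);   # in-memory queue only: messages waiting here are lost if the daemon dies
};
source s_local { unix-stream("/dev/log"); internal(); };
# On Solaris use: sun-streams("/dev/log" door("/etc/.syslog_door")); instead of unix-stream.
# Send over TCP to the local stunnel client rather than straight to the log server.
destination d_central { tcp("127.0.0.1" port(5140)); };
log { source(s_local); destination(d_central); };

# --- client: /etc/stunnel/stunnel.conf ---
client = yes
cert = /etc/stunnel/client.pem       # assumed client certificate
CAfile = /etc/stunnel/ca.pem         # assumed CA that signed the log server's certificate
verify = 2                           # refuse to connect unless the server certificate verifies
[syslog]
accept = 127.0.0.1:5140
connect = loghost.example.com:5141   # assumed cluster service address for syslog

# --- log server: /etc/stunnel/stunnel.conf ---
cert = /etc/stunnel/server.pem       # assumed server certificate
CAfile = /etc/stunnel/ca.pem
verify = 2                           # require a client certificate signed by the CA
[syslog]
accept = 5141
connect = 127.0.0.1:514

# --- log server: /etc/syslog-ng/syslog-ng.conf ---
# keep_hostname(yes) matters here: every connection arrives from 127.0.0.1 via stunnel,
# so without it $HOST would be "localhost" for every client.
options { keep_hostname(yes); create_dirs(yes); };
# Listen on loopback only, so the only way in is through stunnel.
source s_tls { tcp(ip("127.0.0.1") port(514) max_connections(200)); };
destination d_perhost {
    file("/var/log/central/$HOST/$YEAR$MONTH$DAY.log" sync(0));
};
log { source(s_tls); destination(d_perhost); };
```

Because syslog-ng 1.6 keeps its output queue in memory, a TCP outage or a daemon restart on either side can still drop whatever is queued, which is the failover loss the post refers to.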


March 9th, 2006 at 12:22 pm
Why do you use syslogd?
Have you already got your Polyserve Matrix Server working with syslog-ng? I have a problem at boot: pmxs starts before syslogd, but it doesn't run; it runs well only if I restart syslogd.
Any suggestions?