Re: [Syslog] [OPSAWG] Syslog message to Remote Rerver

William Herrin <> Tue, 26 February 2013 21:28 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id ADE6821F8586; Tue, 26 Feb 2013 13:28:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.977
X-Spam-Status: No, score=-2.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id wBuvakHKVm2Z; Tue, 26 Feb 2013 13:28:27 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 3AB5221F8578; Tue, 26 Feb 2013 13:28:27 -0800 (PST)
Received: by with SMTP id pb11so4398475veb.33 for <multiple recipients>; Tue, 26 Feb 2013 13:28:26 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=x-received:mime-version:sender:in-reply-to:references:from:date :x-google-sender-auth:message-id:subject:to:cc:content-type; bh=GZC7QG4J+OXNRvqSeLMLoz95zqCRLdIC6UrW1o0S/sY=; b=oanJNVgGWFFgfjSLBc6pZ7gt5/lUvhPSmI4cTP6m5w0byjrrdzc8sjEK2/gRmci4CW gDpvs8419gZfjyNac9vsYlWHrtwXwt2VYAW/QiSGKNuosu1KCfyPguSquK8J7DVeNxd7 TJrooaf4DYZdXKvgGUlDBdDjpqvEOwN23OBxPhhZSTMBBvqk/hDGYzpBVM9Dzrb+RTb5 YfjINbQuCcsoWu0cys2w6Lw1toIpAtIioeuD9ELQNyALiqIxAfaWnbJYrsV/fLp8A8Sj 1Fg40AZcUdCA1ttQiQRwuGL4B1uG6isQ93iHYALx4c2i5AmGoutpteGa7A+k9Zz0Z1cF UaZg==
X-Received: by with SMTP id em1mr10913470vdb.48.1361914106536; Tue, 26 Feb 2013 13:28:26 -0800 (PST)
MIME-Version: 1.0
Received: by with HTTP; Tue, 26 Feb 2013 13:28:06 -0800 (PST)
In-Reply-To: <>
References: <> <> <>
From: William Herrin <>
Date: Tue, 26 Feb 2013 16:28:06 -0500
X-Google-Sender-Auth: c_xcA49D0xYBV_S350uZWDTq7p0
Message-ID: <>
To: "Aditya Dogra (addogra)" <>
Content-Type: text/plain; charset=ISO-8859-1
X-Mailman-Approved-At: Wed, 27 Feb 2013 08:09:05 -0800
Cc: Christopher LILJENSTOLPE <>, "" <>, "" <>
Subject: Re: [Syslog] [OPSAWG] Syslog message to Remote Rerver
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Issues in Network Event Logging <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 26 Feb 2013 21:28:28 -0000

On Sun, Feb 24, 2013 at 11:47 PM, Aditya Dogra (addogra)
<> wrote:
> My point was since syslogs are tried up mostly with
> the base/OS layer , hence it comes pretty much earlier
> than the management plane comes up . And remote
> logging comes in picture when management plane
> comes up . Should syslog's be so reliable that we
> buffer them (in case of udp protocol) or maintain
> sessions (in case of tcp) (and maintain sessions
> during failover/switchovers) so that once management
> plane comes up , we send previous messages also.

Hi Aditya,

I have had servers fail with processes blocked on a syslogger stuck
trying to forward logs to a network syslog server that was no longer
available. Or trying to output logs to a serial console at 9600 bps.
The syslog blocks and then everything else blocks waiting for the

The equipment's overall reliability comes _way_ before the reliable
transmission of any particular log line. I want the logger to quickly
dispose of the message and then accept the next one so that the
processes generating those logs don't

A colleague of mine has something he calls "reliable UDP". The idea
goes like this:

1. Transmit the message with a sequence number AND add it to a local
ring buffer.
2. If the receiver receives an out-of-sequence message, it requests
the retransmission of the missing sequence numbers.
3. If the sender receives a retransmission request, it examines the
ring buffer and retransmits if the message is still available.
4. The ring buffer overwrites its own tail as additional messages are
sent. If retransmission isn't requested before the message is
overwritten then the message is lost.

That sort of thing might be handy for syslog messages, but it the
logger is trying much harder than that, I think it risks getting in
the way of the much more important processes generating the logs.

Bill Herrin

William D. Herrin ................
3005 Crane Dr. ...................... Web: <>
Falls Church, VA 22042-3004