From owner-freebsd-questions Tue May 16 7:46:39 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from rasp.eng.cam.ac.uk (rasp.eng.cam.ac.uk [129.169.8.8]) by hub.freebsd.org (Postfix) with ESMTP id 03F3337B660 for ; Tue, 16 May 2000 07:46:34 -0700 (PDT) (envelope-from jpmg@eng.cam.ac.uk)
Received: from tigger.eng.cam.ac.uk (via root@tigger.eng.cam.ac.uk [129.169.80.71]) by rasp.eng.cam.ac.uk with ESMTP id PAA23285; Tue, 16 May 2000 15:46:25 +0100 (BST)
Received: from tulip.eng.cam.ac.uk (via mailuser@tulip [129.169.81.11]) by tigger.eng.cam.ac.uk with ESMTP id PAA23284; Tue, 16 May 2000 15:46:19 +0100 (BST)
From: jpmg@eng.cam.ac.uk
Date: Tue, 16 May 2000 15:46:18 +0100 (BST)
Message-Id: <200005161446.27130@tulip.eng.cam.ac.uk>
Received: (via jpmg@localhost) by tulip.eng.cam.ac.uk id PAA27130; Tue, 16 May 2000 15:46:18 +0100 (BST)
To: robert@namodn.com
Subject: Re: access logging via syslog ( apache )
Cc: freebsd-questions@FreeBSD.ORG
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

> On the other hand, is there any userland way to force
> a daemon to use TCP rather than UDP? Is there something
> essential about UDP that syslog cannot do without?

As I remember it, the reason why you want syslog to use UDP is so that it can get on and handle the next request. If syslog starts blocking (which it would if you required reliable delivery to a remote syslogd, unless you go multithreaded locally), then all hell breaks loose on your local machine, since things that are attempting to syslog stuff now block. This is not somewhere you want to go. The downside is unreliability (and this certainly suggests that one shouldn't be using syslog to a remote machine for security-relevant logging, despite the advantage that you can secure a remote syslog host up to the eyeballs, since network congestion is probably one of the easiest things for an attacker to trigger).

The solution is, I suppose, for syslog to use a reliable transport (or implement a reliable transport over UDP), and to go multithreaded. Even if you do this, though, you'd want to add the ability to require some facilities (auth springs to mind) to be syslogged synchronously (i.e. the syslog() call wouldn't return until the logging had been successfully completed).

Hmmm. I feel a son-of-syslogd project coming on ... 8-)

-patrick.
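
The design sketched in the message above (reliable delivery moved off the caller's thread, with selected facilities logged synchronously), as an added Python example that is not part of the original post or of any existing syslogd. `Forwarder`, `SYNC_FACILITIES` and the `deliver` callback are hypothetical names, and the slow sink is a constructed stand-in for a congested remote collector.

```python
import queue
import threading
import time

SYNC_FACILITIES = {"auth"}  # assumption: facilities that must be confirmed before log() returns

class Forwarder:
    """Hypothetical forwarder: reliable delivery on a worker thread, bounded local queue."""
    def __init__(self, deliver, maxsize=4):
        self.deliver = deliver          # blocking call; returns once the remote end has the record
        self.q = queue.Queue(maxsize)
        self.dropped = 0
        self.lock = threading.Lock()
        threading.Thread(target=self._worker, daemon=True).start()

    def _worker(self):
        while True:
            record, done = self.q.get()
            self.deliver(record)        # slow under congestion, but only this thread waits
            if done is not None:
                done.set()              # release a caller waiting on a synchronous record

    def log(self, facility, msg):
        """Return True if queued (async) or delivered (sync), False if dropped locally."""
        if facility in SYNC_FACILITIES:
            done = threading.Event()
            self.q.put(((facility, msg), done))   # waits for queue space, then for delivery
            done.wait()
            return True
        try:
            self.q.put_nowait(((facility, msg), None))  # never blocks the caller
            return True
        except queue.Full:
            with self.lock:
                self.dropped += 1       # counted, so local loss is at least visible
            return False

def demo():
    received = []
    def slow_sink(record):              # constructed: 20 ms per record, like a congested link
        time.sleep(0.02)
        received.append(record)
    fwd = Forwarder(slow_sink, maxsize=4)
    results = [fwd.log("daemon", f"msg {i}") for i in range(20)]  # burst from a busy daemon
    auth_ok = fwd.log("auth", "login failure for root")           # returns only after delivery
    return results, auth_ok, ("auth", "login failure for root") in received, fwd.dropped

if __name__ == "__main__":
    print(demo())
```

The burst of `daemon` records returns immediately and overflows the queue, while the `auth` record makes its caller wait until the sink has it, which is the blocking cost the message describes for synchronous facilities.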