On Thu, 5 May 2005, Taylor, Grant wrote:
Why where a FIFO and a program which parses and transmit the data to another system any faster than syslog/syslog-ng/ulogd/etc? (Why reinvent the wheel?)
It is my belief that Syslog and the mechanism that it uses to log is not meant for extreme volume of login. As I understand it Syslog will log each and every individual packet that passes through the IPTables LOG target individually, thus causing a write through the kernel in to SysLog space and possibly to disk for a VERY small amount of data.
That depends on how syslog is configured - you can easily disable syncing at every log event.
Yes, but doing so may cause loss of logging, or maybe it'll just delay some messages due to not sync'ing at once. Lack of experience here :p
I do use the non-sync feature to some extend; doesn't seem to cause too much delay, though.
-- Kind regards, Mogens Valentin
