:: Re: [DNG] ..forensics on systemd or…
Startseite
Nachricht löschen
Nachricht beantworten
Autor: Didier Kryn
Datum:  
To: dng
Betreff: Re: [DNG] ..forensics on systemd or journald logs, was: rc.local removed from Debian 9, rly?
Le 22/11/2017 à 16:46, Arnt Gulbrandsen a écrit :
> Didier Kryn writes:
>>     Well, postgress is a database manager. You have a choice of
>> several others; they must be able to deal with high fluxes of data.
>> None of them is a critical system component.
>
> WTF? Postgres is a critical system component of every single server
> where I've ever installed that. The data in Postgres and the software
> that accesses it are the reason why the server exists at all.


    Good point, I tend to forget that there are special needs for heavy
duty servers; but see below.
>>     System logs are a critical system component and they don't face
>> high fluxes of data. You can, in principle, use syslog for
>> applications with a high flux of logs, but it's at your own risk.
>
> Are you saying one should not use syslog for events caused by
> untrusted users?


    If the reason for having binary logs is performance, it means you
are dealing with really massive logs. If untrusted users cause gigabytes
of logs per day, you can either filter them online, which rsyslog can do
pretty well, or try to use another method. I may have missed something,
but I doubt anybody will ever read such massive logs. Also remember that
syslog() uses one single socket and lock for all processes in the
system, which means that emmiting a log message may imply waiting on a
queue. If you write your own application, you can bypass the syslog()
bottleneck in a number of ways.

    Didier