[sudo-users] centralized iolog deployment

konrad rzentarzewski konrad.rzentarzewski at artegence.com
Wed Mar 28 19:14:10 EDT 2012


i've seen the recent discussion ("sudoreplay logs from syslog-server") from
mid-september and i'd like to add my 3 cents about it.

i think a syslog sink is superior to sslogger for several reasons.
recent deployments allow reliable delivery of large messages (tcp, relp)
and structured data delivery (i.e. cee). additionally it may employ
signed storage, so that tampering with data on the destination server is not
possible. last but not least - with disk buffering all sessions will
eventually be delivered to the loghost, even when sudo has been used on a
server (temporarily) without a network connection. i don't think that
sslogger provides any of those features, and i'm sure there are more
advantages to running a standard syslog daemon (i.e. no additional network
daemon exposed infrastructure-wide, some complex routing and relaying
rules between data centers, and possibly others).

performance-wise i think it shouldn't be a problem, as most
interactive sessions are run over ssh, so any server that can
handle concurrent interactive sessions should also be able to log them in
real time.

the biggest problem i can see here is that there is a need to abstract
structured stream data for centralized logging, so that anybody can
attach some "sink" and - on the other side - a "consumer" that will be able
to parse and search logs like sudoreplay does currently with plain
files.

one nice solution would be to use some structured data (like json or
yaml with proper encoding) and pipe it into an external process, which may
implement data storage or transport (either with relp, rest or whatever
is suitable for the site administrator). the same deserialized structured
data should be subject to analysis and reporting. it may be necessary to
assume a given (fixed) layout of structured logs (split across files
and directories) on the receiver side, which should take into account
that multiple sources (originating servers) may be multiplexed in the
output or sorted by directories.

once we have a plugin that could export such structured data i'd
be very happy to write experimental adapters for relp and/or a restful api
in some scripting language to evaluate its performance and suitability
for centralised deployments.

what do you think? is anybody else working on a similar approach?

-- 
 konrad rzentarzewski - Senior SA, Artegence sp. z o.o.
 Office: +48.223801313  NOC: +48.222010500  ARTE42-RIPE
 This e-mail does not constitute a commercial letter or order under the
 Commercial Companies Code (Journal of Laws 2000 No. 94 item 1037)

<legal_blurb>
Company entered in the register of entrepreneurs kept by the District Court
for the Capital City of Warsaw, 13th Commercial Division of the National Court
Register, under KRS number 0000066610
NIP: 521-30-18-541
share capital: 51 500,00 PLN
</legal_blurb>
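The receiver side sketched in the post (a "consumer" that takes a multiplexed structured stream from many originating servers, splits it into a fixed file-and-directory layout, and can list and search sessions the way sudoreplay does with plain files), plus the signed-storage idea from the first paragraph, as an added example. This is not code from the sudo project or from the poster; the JSON-lines record layout (host, session, seq, type, data, ts fields), the on-disk layout `<base>/<host>/<session>.jsonl`, the sample records and the loghost HMAC key are all assumptions constructed for this example.

```python
"""Consumer for a multiplexed JSON-lines sudo session stream (added example)."""
import hashlib
import hmac
import json
import os
from collections import defaultdict

# Constructed sample stream: records from two originating hosts interleaved on
# one syslog-style feed, deliberately delivered out of seq order. The record
# layout is an assumption for this example, not a format sudo actually emits.
SAMPLE_STREAM = """\
{"host":"web01","session":"0001","seq":0,"type":"start","user":"alice","runas":"root","cmd":"/bin/bash","ts":1332975250.0}
{"host":"db02","session":"0007","seq":0,"type":"start","user":"bob","runas":"postgres","cmd":"/usr/bin/psql","ts":1332975251.5}
{"host":"web01","session":"0001","seq":2,"type":"ttyin","data":"id\\n","ts":1332975253.0}
{"host":"db02","session":"0007","seq":1,"type":"ttyin","data":"select 1;\\n","ts":1332975252.0}
{"host":"web01","session":"0001","seq":1,"type":"ttyout","data":"# ","ts":1332975250.2}
"""


def demux(stream_text):
    """Split the interleaved stream into per-(host, session) record lists.

    Records are re-sorted by seq because buffered/relayed transport may deliver
    them out of order.  Returns (sessions, gaps); gaps lists sessions whose seq
    numbers are not contiguous, i.e. records were lost and should be alerted on.
    """
    sessions = defaultdict(list)
    for lineno, line in enumerate(stream_text.splitlines(), 1):
        if not line.strip():
            continue
        rec = json.loads(line)
        for field in ("host", "session", "seq", "type", "ts"):
            if field not in rec:
                raise ValueError("line %d: missing field %r" % (lineno, field))
        sessions[(rec["host"], rec["session"])].append(rec)
    gaps = []
    for key, recs in sessions.items():
        recs.sort(key=lambda r: r["seq"])
        if [r["seq"] for r in recs] != list(range(len(recs))):
            gaps.append(key)
    return dict(sessions), gaps


def session_path(base_dir, host, session):
    """Fixed on-disk layout (assumed): <base>/<host>/<session>.jsonl."""
    return os.path.join(base_dir, host, session + ".jsonl")


def write_sessions(base_dir, sessions):
    """Persist each demultiplexed session as JSON lines; returns written paths."""
    paths = []
    for (host, session), recs in sorted(sessions.items()):
        path = session_path(base_dir, host, session)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            for rec in recs:
                fh.write(json.dumps(rec, sort_keys=True) + "\n")
        paths.append(path)
    return paths


def canonical(rec):
    """Stable byte encoding of a record so the HMAC chain is reproducible."""
    return json.dumps(rec, sort_keys=True, separators=(",", ":")).encode()


def chain_digest(recs, key):
    """HMAC chain over the ordered records: each link covers the previous digest
    plus the canonical record, so editing or dropping any record changes the
    final value. `key` is a constructed secret held only by the loghost, so a
    compromised originating server cannot re-sign what it already sent."""
    digest = b"\x00" * 32
    for rec in recs:
        digest = hmac.new(key, digest + canonical(rec), hashlib.sha256).digest()
    return digest.hex()


def verify_chain(recs, key, expected_hex):
    """Recompute the chain and compare in constant time."""
    return hmac.compare_digest(chain_digest(recs, key), expected_hex)


def list_sessions(sessions, user=None, cmd=None):
    """sudoreplay -l style listing built from 'start' records, with filters."""
    out = []
    for (host, session), recs in sorted(sessions.items()):
        start = next((r for r in recs if r["type"] == "start"), None)
        if start is None:
            continue
        if user is not None and start.get("user") != user:
            continue
        if cmd is not None and start.get("cmd") != cmd:
            continue
        out.append((host, session, start.get("user"), start.get("runas"), start.get("cmd")))
    return out


def replay_text(recs):
    """Concatenate a session's tty traffic in seq order (what a viewer shows)."""
    return "".join(r.get("data", "") for r in recs if r["type"] in ("ttyin", "ttyout"))


if __name__ == "__main__":
    sessions, gaps = demux(SAMPLE_STREAM)
    for row in list_sessions(sessions):
        print("%s %s %s as %s: %s" % row)
    print("sessions with gaps:", gaps)
```

The seq-gap check matters exactly because of the disk-buffering argument in the post: once delivery is asynchronous, the receiver, not the sender, is the only place that can notice a session arrived incomplete. The HMAC chain is computed on the loghost after demultiplexing, which is the "signed storage" property the post asks for: an edit to a stored session file no longer verifies against the digest recorded for it.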


