[logs] Error messages from syslogd

Marcin Antkiewicz loganalysis at kajtek.org
Thu Jul 12 22:39:42 PDT 2007


> One nifty thing about syslog is that you can actually make that policy
> decision in the local syslog server/agent -- just have the local
> syslog server make the decision about what to do with the

I agree and I understand your position. At the same time 
it's a bandaid solution which, I think, is what Marcus wants to point
out.

Syslog, as a system log, is useless at present without massive filtering,
due to noise and disregard for standards. Syslog as transport for app 
logs suffers from similar set of problems, but it's desirable for 
different uses.

There are benefits to filtering and demultiplexing the log stream on 
localhost, but you will essentially end up maintaining many instances of 
small filters rather than few huge ones. One way or another, maintaining
control of syslog streams in a typical enterprise environment is much 
harder than ensuring that it's done correctly on a rack of machines.

Using syslog-ng in the way you describe is a good start, but as the number 
of hosts, platforms, apps, or political boundaries grows, saying "we 
will use syslog-ng, and come up with a set of filters for it..." gets a 
bit hard.

--
Marcin Antkiewicz
IT Security / Project Roadblocks dpt.
