---
category: ''
date: 2006/09/15 02:09
description: ''
link: ''
priority: ''
slug: '44'
tags: linux
title: Logging in style
type: text
updated: 2006/09/15 02:09
url_type: ''
---
Let's try a little classical logic:

Logs are the administrator's best friend.

Linux is the favourite operating system for many administrators.

Ergo, Linux has a very nice logging system.

**BZZZZZT** Linux has an **adequate** logging system. At least compared
to what you get with some other operating systems, where often you have 
no place to look for the reason of your misery.
 
On Linux, your misery is usually visible :-)
 
How You Are Probably Doing It Now
---------------------------------
 
You are very likely to be running syslogd, which is a 
pretty traditional unixy syslog implementation, or syslog-ng, which is
the same thing, only different. We'll assume you are using syslog from 
now on.

It's configured via /etc/syslog.conf, which usually looks like this::

  # Log all kernel messages to the console.
  # Logging much else clutters up the screen.
  #kern.*                                                 /dev/console
  
  # Log anything (except mail) of level info or higher.
  # Don't log private authentication messages!
  *.info;mail.none;authpriv.none;cron.none                /var/log/messages
  
  # The authpriv file has restricted access.
  authpriv.*                                              /var/log/secure
  
  # Log all the mail messages in one place.
  mail.*                                                  -/var/log/maillog
  
  
  # Log cron stuff
  cron.*                                                  /var/log/cron
  
  # Everybody gets emergency messages
  *.emerg                                                 *
  
  # Save news errors of level crit and higher in a special file.
  uucp,news.crit                                          /var/log/spooler
  
  # Save boot messages also to boot.log
  local7.*                                                /var/log/boot.log

To make a long story short: the left column is *facility.priority*
The right column is where you log it.
 
For example, a critical message from your mail server software, will probably 
be mail.critical and be logged to /var/log/maillog.

A single message can be logged in as many places as you want.

The applications decide what facility they use and what priority their messages are.

Simple, right? Yes. But not very good.

Rotation
""""""""

Suppose I know that whenever I connect to your mail server, you log a line, 
about 60 bytes.

Now, suppose I connect to your server 10 times per second for three days.
That's 150MB of logs.

Now suppose my 20 best friends do it, too. That's 3GB of logs.

Basically, with some effort, anyone can clog your disk.

Oh, but your logs **rotate** I hear. Log rotation means you cut your logs every once in a while, delete older data, maybe compress not-so-old data, and that way the logs
don't grow indefinitely. You probably use logrotate for this.

But just how large will your log get? Consider that the default rotation period is 
usually weekly, and usually you keep 4 older copies... but it doesn't matter: if you
rotate based on time, you have no upper bound to the size of your logs.

It would be better to rotate by size of the log, or a combination of both things.

Who Manages Logs?
"""""""""""""""""

I usually manage the whole system. However, I think it's a good idea if you have
the possibility of delegating specific subsystems to other admins.

Now suppose you are my sub-admin in charge of service FOO.
 
Now, you want to debug something, so you need to change FOO's logging to catch
debug priority messages.

How do you do that? Well, you have to call me, because there is a centralized log
configuration. (Unless FOO simply ignores system logging, which sucks in a 
completely different way).

Basically, we are not putting the management of logging for FOO close to FOO. We
are putting it close to syslog. Maybe that's good. Maybe not.

Where's the log?
""""""""""""""""

Unless you have a clear idea of what facility and priority your app uses, how do 
you know where it's logging? What happens if you only catch part of the log?

It would be nicer if each service had a specific place where it logged! Uniform 
is **good**.

What happens if syslog dies?
""""""""""""""""""""""""""""

Well, you don't log anymore. So please make it a `managed service`_, because life 
without logs sucks.

.. _managed service: http://cr.yp.to/daemontools/faq/create.html#why

So, what can we use?
--------------------

Well, as long as you use something like runit_ or daemontools_, you can use one 
of the bazillion logging tools that use the "give me a folder name and data on 
stdin" model. I am partial to svlogd_ but there are a million others.

That solves many things:

* There is no syslog, so it can't die. There is one logger for each service. And
  it's managed anyway, so it bounces back up.

* The log is wherever you tell it to be. Standardize in /var/log/FOO or somesuch.

* You can choose under what user the logger runs. So, whoever you want manages it.

* Most loggers offer you size or time-based rotation. And you don't need to
  configure logrotate (you don't **need** logrotate)

But what about the apps that want to use syslogd and don't work as a managed service with logging? 

Well, they do it by writing to /dev/log, a pseudo-device which pipes the data to
syslog.

Then, you can use socklog_ a lovely drop-in drop-dead gorgeous replacement for syslogd.
Use it, configure it for unix socket (using socklog-conf), start it (using runit's 
runsv), and enjoy::

  [root@myhost socklog]# pwd
  /var/log/socklog
  [root@myhost socklog]# ls -lR
  .:
  total 48
  drwxr-x--- 2 root root 4096 Sep 14 21:16 auth
  drwxr-x--- 2 root root 4096 Sep 14 21:16 cron
  drwxr-x--- 2 root root 4096 Sep 14 21:16 daemon
  drwxr-x--- 2 root root 4096 Sep 14 21:16 debug
  drwxr-x--- 2 root root 4096 Sep 14 21:16 ftp
  drwxr-x--- 2 root root 4096 Sep 14 21:16 kern
  drwxr-x--- 2 root root 4096 Sep 14 21:16 local
  drwxr-x--- 2 root root 4096 Sep 14 21:16 mail
  drwxr-x--- 2 root root 4096 Sep 14 21:16 main
  drwxr-x--- 2 root root 4096 Sep 14 21:16 news
  drwxr-x--- 2 root root 4096 Sep 14 21:16 syslog
  drwxr-x--- 2 root root 4096 Sep 14 21:16 user
  
  ./auth:
  total 8
  -rw-r--r-- 1 root root   34 Sep 14 21:16 config
  -rw-r--r-- 1 root root 1003 Sep 14 22:03 current
  -rw------- 1 root root    0 Sep 14 21:16 lock
  
  ./cron:
  total 4
  -rw-r--r-- 1 root root 22 Sep 14 21:16 config
  -rw-r--r-- 1 root root  0 Sep 14 21:16 current
  -rw------- 1 root root  0 Sep 14 21:16 lock

One folder for each facility, you can filter the data if you want to avoid logging
specific stuff, timestamp any way you want, rotate at will, yada yada yada.

On Arch_ Linux, you can try this by installing my runit and socklog packages from AUR.

It should be pretty painless, but try it in a virtual box first ;-)

.. _AUR: http://aur.archlinux.org

.. _Arch: http://www.archlinux.org

.. _runit: http://lateral.blogsite.org/lateral/stories/36.html

.. _daemontools: http://cr.yp.to/daemontools/

.. _svlogd: http://smarden.org/runit/svlogd.8.html

.. _socklog: http://smarden.org/socklog/