Re: /bin/sh

To: debian-devel@lists.debian.org
Subject: Re: /bin/sh
From: Russ Allbery <rra@debian.org>
Date: Wed, 15 May 2013 10:42:48 -0700
Message-id: <[🔎] 87vc6k5ecn.fsf@windlord.stanford.edu>
In-reply-to: <[🔎] 87ppwsdahz.fsf@qurzaw.varnish-software.com> (Tollef Fog Heen's message of "Wed, 15 May 2013 08:26:32 +0200")
References: <[🔎] E1UZlyN-0006S7-Sx@swivel.zugschlus.de> <[🔎] 20130511092210.GC3334@frosties> <[🔎] 20130511163303.GC6595@virgil.dodds.net> <[🔎] loom.20130511T202028-509@post.gmane.org> <[🔎] 1368298349.12318.19.camel@tomoyo> <[🔎] 20130511194430.GB21041@codelibre.net> <[🔎] 1368302901.12318.36.camel@tomoyo> <[🔎] 20130514232654.GC3377@vauxhall.crustytoothpaste.net> <[🔎] 5192D3C4.8070209@michaelbiebl.de> <[🔎] 5192D6F4.6090004@physik.fu-berlin.de> <[🔎] 20130515051344.GA20161@vauxhall.crustytoothpaste.net> <[🔎] 87ppwsdahz.fsf@qurzaw.varnish-software.com>

Tollef Fog Heen <tfheen@err.no> writes:
> ]] "brian m. carlson" 

>> It means that it works completely differently from every existing Unix
>> log parser on the planet.  syslog is hardly "no formatting at all".

> syslog and other log files isn't structured particularly well.

That's the understatement of the year.  I'm not sure which part of the
traditional syslog format is more fun.  Is it the missing year in the
timestamp?  Is it the program field that may or may not be present?  Is it
the PID field that's sometimes not a PID at all?

There are syslog plain-text file formats that are almost sane and use some
sort of structured key-value syntax that you can parse normally.  The
default, however, is not.

I've written a *lot* of syslog parsers for various log analysis problems.
One of the biggest problems for large-scale log analysis if you care about
the timestamps is that parsing human-readable dates into something useful,
like seconds from epoch, is *painfully* slow.  For grins, try stracing a
typical syslog log parser that hasn't been extensively optimized and watch
the gettimeofday() and stat("/etc/localtime") calls scroll as fast as your
terminal can display them.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

Reply to:

References:
- Re: /bin/sh (was Re: jessie release goals)
  - From: Marc Haber <mh+debian-devel@zugschlus.de>
- Re: /bin/sh (was Re: jessie release goals)
  - From: Goswin von Brederlow <goswin-v-b@web.de>
- Re: /bin/sh (was Re: jessie release goals)
  - From: Steve Langasek <vorlon@debian.org>
- Re: /bin/sh (was Re: jessie release goals)
  - From: Thorsten Glaser <tg@debian.org>
- Re: /bin/sh (was Re: jessie release goals)
  - From: Josselin Mouette <joss@debian.org>
- Re: /bin/sh (was Re: jessie release goals)
  - From: Roger Leigh <rleigh@codelibre.net>
- Re: /bin/sh (was Re: jessie release goals)
  - From: Josselin Mouette <joss@debian.org>
- Re: /bin/sh (was Re: jessie release goals)
  - From: "brian m. carlson" <sandals@crustytoothpaste.net>
- Re: /bin/sh (was Re: jessie release goals)
  - From: Michael Biebl <email@michaelbiebl.de>
- Re: /bin/sh (was Re: jessie release goals)
  - From: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
- Re: /bin/sh (was Re: jessie release goals)
  - From: "brian m. carlson" <sandals@crustytoothpaste.net>
- Re: /bin/sh (was Re: jessie release goals)
  - From: Tollef Fog Heen <tfheen@err.no>

Prev by Date: Re: Upcoming libgd2-{xpm,noxpm}-dev -> libgd2-dev transition
Next by Date: Re: /bin/sh
Previous by thread: Re: /bin/sh (was Re: jessie release goals)
Next by thread: on binary logs (was: Re: /bin/sh)
Index(es):
- Date
- Thread