Re: Logging practices (and why does it suck in Debian?)

To: Kenneth Vestergaard Schmidt <charon@debian.org>
Cc: debian-security@lists.debian.org
Subject: Re: Logging practices (and why does it suck in Debian?)
From: Jamie Heilman <jamie@audible.transient.net>
Date: Wed, 11 Apr 2001 22:10:38 -0700
Message-id: <20010411221038.B17318@audible.transient.net>
In-reply-to: <01041112551700.00852@silence>; from charon@debian.org on Wed, Apr 11, 2001 at 12:55:17PM +0200
References: <01041112551700.00852@silence>

Kenneth Vestergaard Schmidt wrote:

> Before I start this, however, I would really like to know if this is just 
> going to be something I'll do for myself, or if there's anybody else 
> interested in it? Maybe even design it for inclusion in Debian? I personally 
> think this should be done, since the default now sucks (to put it mildly).

Personally I always redo the standard syslog.conf, but I find it can only
be done well if you know what role your machine is going to generally play
ahead of time.  For example on my workstations I remove the uucp, lpr, and
cron entries, because of the programs I traditionaly use those entries
never see enough use to justify seperate log files, I just let them get put
into the syslog.  I also remove the mail logs that are sorted by priority
because a) on my workstations I use nullmailers and hence don't generate
many logs, and b) on my servers I use qmail w/multilogger.  Finally on my
servers I always remove the xconsole dump as X has no place on a secure
server and hence nobody is going to be looking at that pipe anyway.  But
then I can do all this because I already know what kind of logs to expect
during normal usage and I can "budget" for it.  I wouldn't say that my
configuration is going to work for everybody.  Actually the default debian
syslog config is better than many other default configs in that the split
is fairly intuitive.  OTOH there's something to be said for shipping a
lousy a default configuration as it makes people sit down and become more
familiar with the software they are using.

  Syslog and other facility based loggers just generally suck.  Thats not
really Debian's fault and I'm not really sure what you're going to do about
it.  Unfortunately facility based logging has become the standard in Unix,
even though most of the time its not very usefull.  Worse yet syslog just
isn't reliable.  I run syslog-ng on a few machines but its not much better,
though it is an improvement.  I think this is mostly because syslog-ng
tries too hard to be all things to all people in all situations.

  Dan Bernstein's multilog program is the only logger I've seen that offers
various reliability guarentees and actually delivers on them, but it has
some prerequisites for usage that can frequently be difficult to meet.
What I'd really like to see is a facility logger that could collect logs
like traditional syslog but then would let me hand them to something like
multilog to be stored on disk.

-- 
Jamie Heilman                   http://audible.transient.net/~jamie/
"We must be born with an intuition of mortality.  Before we know the words
 for it, before we know there are words, out we come bloodied and squalling
 with the knowledge that for all the compasses in the world, there's only
 one direction, and time is its only measure."		-Rosencrantz

Reply to:

Follow-Ups:
- Re: Logging practices (and why does it suck in Debian?)
  - From: Jim Breton <jamesb-debian@alongtheway.com>
- Re: Logging practices (and why does it suck in Debian?)
  - From: Izak Burger <gpf@linuxuser.co.za>

References:
- Logging practices (and why does it suck in Debian?)
  - From: Kenneth Vestergaard Schmidt <charon@debian.org>

Prev by Date: Re: setting up sudo for tail
Next by Date: Re: Logging practices (and why does it suck in Debian?)
Previous by thread: Re: Logging practices (and why does it suck in Debian?)
Next by thread: Re: Logging practices (and why does it suck in Debian?)
Index(es):
- Date
- Thread