G. Pape

socklog - small and secure replacement for syslogd


Version 1 of socklog is obsolete, see here for the current stable release of socklog.


How to install socklog
Upgrading from previous versions of socklog
How to use dietlibc
Using on solaris

Benefits
Configuration
Examples
Network logging
Log events notification

The socklog-conf program
The socklog program
The tryto program
The uncat program


socklog in cooperation with djb's daemontools is a small and secure replacement for syslogd. There are three main features, syslogd provides:

socklog provides the first two features with the help of daemontools' svscan, supervise and multilog, provides a different network logging concept and additionally does log event notification.

multilog has a built in logfile rotation based on file size, so there is no need for any cron jobs or similar to rotate the logs. Log partitions can be calculated properly.

socklog runs on Linux, glibc 2.1.0 or higher, or dietlibc, OpenBSD, and FreeBSD. socklog reportedly runs on Solaris and NetBSD. If it runs for you on any other operating systems, please let me know.

socklog is small, secure, reliable.


socklog is run under daemontools' supervise, writing syslog messages it receives from an unix domain socket path (/dev/log) or an inet udp socket ip:port (0.0.0.0:514) through a pipe provided by svscan to a multilog process.

socklog can be run as an ucspi application to listen to an unix domain stream socket and for centralized or more flexible distributed logging (see network logging).

If socklog listens to an udp socket, it prepends ip: (a.b.c.d: ) to each syslog message it receives, where a.b.c.d is the ip address of the connecting system.

If the environment variables $UID and/or $GID are present, socklog will drop permissions to those ids after creating and binding to the socket (not in ucspi mode).

socklog converts syslog facility and priority information to names (facility.priority) as found in /usr/include/syslog.h at compile time if present, you can use this for multilog's line selecting by pattern.


A proper run file for supervise is:
  #!/bin/sh
  exec 2>&1
  exec envuidgid nobody socklog unix /dev/log
See envuidgid (# man envuidgid) and socklog (# man socklog).

A proper log/run file for supervise is:

  #!/bin/sh
  LOGDIR=/var/log/socklog
  exec setuidgid log multilog s4999999 n10 ${LOGDIR}/main \
    s999999 n5 -* +kern.* ${LOGDIR}/kern \
    s999999 n5 -* +user.* ${LOGDIR}/user \
    s999999 n5 -* +mail.* ${LOGDIR}/mail \
    s999999 n5 -* +daemon.* ${LOGDIR}/daemon \
    s999999 n5 -* +auth.* +authpriv.* ${LOGDIR}/auth \
    s999999 n5 -* +syslog.* ${LOGDIR}/syslog \
    s999999 n5 -* +news.* ${LOGDIR}/news \
    s999999 n5 -* +cron.* ${LOGDIR}/cron \
    s999999 n5 -* +ftp.* ${LOGDIR}/ftp \
    s999999 n5 -* +local*.* ${LOGDIR}/local \
    s999999 n5 -* +*.debug* ${LOGDIR}/debug
See setuidgid (# man setuidgid) and multilog (# man multilog).
socklog is discussed on the log mailing list owned by D. J. Bernstein about replacements for syslog.
socklog is also available as Debian GNU/Linux package, just add
  deb http://smarden.org/pape/Debian sarge unofficial
  deb-src http://smarden.org/pape/Debian sarge unofficial
to /etc/apt/sources.list on Debian GNU/Linux sarge,
  deb http://smarden.org/pape/Debian woody unofficial
  deb-src http://smarden.org/pape/Debian woody unofficial
to /etc/apt/sources.list on Debian GNU/Linux woody and
  # apt-get update
Then install the package socklog as usual with apt-get, dpkg or dselect, e.g.:
  # apt-get install socklog

See INSTALL on how to install socklog and Configuration for setting up socklog services.
See http://smarden.org/socklog/ for recent informations.
Gerrit Pape <pape@smarden.org>
$Id: index.html,v 1.31.4.3 2005/02/06 11:51:09 pape Exp $