G. Pape
socklog

socklog - benefits

Logfile rotation based on file size
Selecting and deselecting log entries
Modular, reliable network logging
Sortable logs
Small code size

Most of the benefits described here are actually benefits of multilog. But since socklog uses multilog as its backend, the benefits apply to syslogging with socklog.

Logfile rotation based on file size

multilog supports automatically rotated logs, there is no need for any other tool running from cron or similar to rotate the logs.

multilog keeps a specified number of logfiles with a maximum file size, so it is possible to calculate a logfile partition properly.

For example, this log/run file

  #!/bin/sh
  LOGDIR=/var/log/socklog
  exec setuidgid log multilog s4999999 n10 ${LOGDIR}/main \
    s999999 n5 -* +kern.* ${LOGDIR}/kern \
    s999999 n5 -* +user.* ${LOGDIR}/user \
    s999999 n5 -* +mail.* ${LOGDIR}/mail \
    s999999 n5 -* +daemon.* ${LOGDIR}/daemon \
    s999999 n5 -* +auth.* +authpriv.* ${LOGDIR}/auth \
    s999999 n5 -* +syslog.* ${LOGDIR}/syslog \
    s999999 n5 -* +news.* ${LOGDIR}/news \
    s999999 n5 -* +cron.* ${LOGDIR}/cron \
    s999999 n5 -* +ftp.* ${LOGDIR}/ftp \
    s999999 n5 -* +local*.* ${LOGDIR}/local \
    s999999 n5 -* +*.debug* ${LOGDIR}/debug

causes multilog to hold maximal 10 logfiles, each of maximal size 4999999 bytes in /var/log/socklog/main/, maximal 5 logfiles, each of maximal size 999999 bytes in /var/log/socklog/kern/, /var/log/socklog/user/, ...

So the maximal used space for all these directories is less then:

10 * 5000000 + 11 * 5 * 1000000 = 105000000 bytes < 110 MB

If there is any service acting up and filling up your logs rapidly, you will never run into a filled up log partition, causing loss of new log entries, even of other services. You can lose old log entries from this service, but will ever have the recent ones.

Please note that above numbers could change if you use multilog with a processor.

Selecting and deselecting log entries

multilog supports selecting and deselecting log lines based on pattern matching, see the multilog documentation for details.

This is much more flexible than the usual syslogd support for selecting log entries by facility and priority. Of course, selecting entries by facility or priority is still possible with socklog and multilog, just like the default socklog-unix configuration shows.

This line selection feature is also used for socklog's instant Log events notification.

Modular, reliable network logging

The socklog-inet service can be used to replace a syslog network server, receiving log messages on UDP port 514. Usually syslog clients try to transmit their logs to that port using UDP. This is just for compatibility.

socklog does not support this UDP network logging on the client side. socklog provides a different modular, reliable Network logging concept instead. Logs are transmitted through network using a TCP connection in the default configuration, log transmission failures are handled. The modular design of daemontools and socklog makes it possible to insert encryption, authentication, compression, and more easily.

Sortable logs

If multilog is told to add timestamps to log lines, the resulting logs are sortable (with sort for example). So it is possible to merge different logs and sort them chronologically without special effort.

Small code size

One of the socklog project's principles is to keep the code size minimal. As of version 0.8.0 of socklog, the socklog.c source contains only about 400 lines of code; the uncat.c source is about 200 lines of code.

This minimizes the possibility of bugs introduced by programmer's fault, and makes it more easy for security related people to proofread the source code.

Of course this also means that socklog never will evolve to a multi-/over-featured, bloated project.

Gerrit Pape <pape@smarden.org>

$Id: benefits.html,v 1.10 2003/01/14 10:48:09 pape Exp $