G. Pape

socklog - small and secure replacement for syslogd


How to install socklog
Upgrading from previous versions of socklog
How to use dietlibc
Using on solaris

Benefits
Configuration
Examples
Network logging
Log events notification

The socklog-conf program
The socklog program
The tryto program
The uncat program


socklog, in cooperation with djb's daemontools, is a small and secure replacement for syslogd. syslogd provides three main features:
  • receiving syslog messages from a unix domain socket (/dev/log) and writing them to various files on disk depending on facility and priority.
  • receiving syslog messages from a UDP socket (0.0.0.0:514) and writing them to various files on disk depending on facility and priority.
  • writing received syslog messages to a UDP socket (a.b.c.d:514)

socklog provides the first two features with the help of daemontools' svscan, supervise and multilog. It provides a different network logging concept, and additionally does log event notification.

multilog has built-in logfile rotation based on file size, so there is no need for cron jobs or similar to rotate the logs. Log partitions can be calculated properly.

socklog runs on Linux (glibc 2.1.0 or higher, or dietlibc), OpenBSD, and FreeBSD. socklog reportedly runs on Solaris. If it runs for you on any other operating system, please let me know.

socklog is small, secure, reliable.


socklog is run under daemontools' supervise. It writes the syslog messages it receives from a unix domain socket path (/dev/log) or an inet UDP socket ip:port (0.0.0.0:514) through a pipe provided by svscan to a multilog process.

socklog can also be run as a ucspi application, to listen on a unix domain stream socket or for centralized or more flexible distributed logging (see network logging).

If socklog listens on a UDP socket, it prepends ip: (a.b.c.d: ) to each syslog message it receives, where a.b.c.d is the IP address of the connecting system.

If the environment variables $UID and/or $GID are present, socklog will drop permissions to those ids after creating and binding to the socket (not in ucspi mode).

socklog converts syslog facility and priority information to names (facility.priority) as found in /usr/include/syslog.h at compile time, if present. You can use these names for multilog's line selection by pattern.


A proper run file for supervise is:
  #!/bin/sh
  exec 2>&1
  exec envuidgid nobody socklog unix /dev/log
See envuidgid (# man envuidgid) and socklog (# man socklog).

A proper log/run file for supervise is:

  #!/bin/sh
  LOGDIR=/var/log/socklog
  exec setuidgid log multilog s4999999 n10 ${LOGDIR}/main \
    s999999 n5 -* +kern.* ${LOGDIR}/kern \
    s999999 n5 -* +user.* ${LOGDIR}/user \
    s999999 n5 -* +mail.* ${LOGDIR}/mail \
    s999999 n5 -* +daemon.* ${LOGDIR}/daemon \
    s999999 n5 -* +auth.* +authpriv.* ${LOGDIR}/auth \
    s999999 n5 -* +syslog.* ${LOGDIR}/syslog \
    s999999 n5 -* +news.* ${LOGDIR}/news \
    s999999 n5 -* +cron.* ${LOGDIR}/cron \
    s999999 n5 -* +ftp.* ${LOGDIR}/ftp \
    s999999 n5 -* +local*.* ${LOGDIR}/local \
    s999999 n5 -* +*.debug* ${LOGDIR}/debug
See setuidgid (# man setuidgid) and multilog (# man multilog).
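The routing performed by the log/run file above can be traced offline. The following is an added example, not code from socklog or daemontools: it decodes a syslog PRI value into a facility.priority name and applies multilog's selection rules to the pattern list from the log/run file. The exact output layout ("facility.priority: message", with the "a.b.c.d: " prefix placed first for UDP input), the helper names and the sample messages are assumptions made for illustration.

```python
import re

FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
              6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
              **{16 + i: f"local{i}" for i in range(8)}}
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def name_line(raw, peer_ip=None):
    """Turn '<PRI>msg' into 'facility.priority: msg' (assumed output layout)."""
    m = re.match(r"<(\d{1,3})>", raw)
    line = raw                       # no PRI header: pass through unchanged
    if m:
        pri = int(m.group(1))
        fac = FACILITIES.get(pri >> 3, str(pri >> 3))
        line = f"{fac}.{PRIORITIES[pri & 7]}: {raw[m.end():]}"
    return f"{peer_ip}: {line}" if peer_ip else line  # UDP prefix, assumed first

def match(pattern, line):
    """multilog pattern rules: whole line must match, stars never backtrack."""
    i = 0
    for p, ch in enumerate(pattern):
        if ch == "*":
            if p + 1 == len(pattern):
                return True          # a star at the end matches any remainder
            while i < len(line) and line[i] != pattern[p + 1]:
                i += 1               # a star stops at the next pattern character
            if i == len(line):
                return False
        elif i == len(line) or line[i] != ch:
            return False
        else:
            i += 1
    return i == len(line)

# Actions from the log/run file; the s/n size and count actions are left out
# because they do not affect which directories receive a line.
ACTIONS = ("main -* +kern.* kern -* +user.* user -* +mail.* mail -* +daemon.* daemon "
           "-* +auth.* +authpriv.* auth -* +syslog.* syslog -* +news.* news "
           "-* +cron.* cron -* +ftp.* ftp -* +local*.* local -* +*.debug* debug").split()

def route(line):
    """Return the log directories that would receive this line."""
    selected, dirs = True, []        # every line starts out selected
    for action in ACTIONS:
        if action[0] in "+-":
            if match(action[1:], line):
                selected = action[0] == "+"
        elif selected:
            dirs.append(action)
    return dirs
```

Under these assumptions, a line carrying the UDP address prefix no longer starts with its facility name, so the patterns above file it only under main; patterns for a UDP service have to account for the prefix.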
socklog can be discussed on the log mailing list owned by D. J. Bernstein about replacements for syslog.
socklog is also available as a Debian GNU/Linux package; just add
  deb http://smarden.org/pape/Debian sarge unofficial
  deb-src http://smarden.org/pape/Debian sarge unofficial
to /etc/apt/sources.list on Debian GNU/Linux sarge,
  deb http://smarden.org/pape/Debian woody unofficial
  deb-src http://smarden.org/pape/Debian woody unofficial
to /etc/apt/sources.list on Debian GNU/Linux woody, and run
  # apt-get update
Then install the package socklog as usual with apt-get, dpkg or dselect, e.g.:
  # apt-get install socklog

See INSTALL on how to install socklog and Configuration for setting up socklog services.
See http://smarden.org/socklog/ for recent information.
Gerrit Pape <pape@smarden.org>
$Id: index.html,v 1.29 2002/07/22 07:52:34 pape Exp $