Re: tlug: syslog messages...?



>>>>> Scott Stone writes:  (on 07 Oct 98)

> 
> What the heck is this:
> 
> Oct  7 19:44:15 porcupine -- MARK --
> 
> I have tons of these -- MARK -- things in /var/log/messages.
> /var/log/messages is set up to receive:
> 
> *.info;mail.none;authpriv.none

Interesting.  Assuming that above line is from /etc/syslog.conf on host
porcupine (and that it is the only applicable line in the file) it
appears that "*" now matches the "mark" facility in syslog.  It used to
be that "*" matched everything *except* mark.

Probably more than you wanted to know, but I've a long association with
syslog:

"Facilities" in syslog are like channels on your TV.  Messages are
logged to syslog over "facilities" with a given "priority".  In
/etc/syslog.conf you specify what actions to take when a message at a
given priority or higher arrives over a given "facility" (channel).

If /etc/syslog.conf on porcupine contains *ONLY* the line:

    *.info; mail.none; authpriv.none	/var/log/messages

(unclear from your post) then it means that:

    1) Any message over any (*) channel at priority "info" or higher is
       sent to /var/log/messages (on porcupine).  (i.e. only messages
       with a priority of "debug" are ignored; in order, the priorities
       are debug, info, notice, warning, error, crit, alert, panic).

    2) Except messages over the "mail" facility, which are ignored.
       ("none" is a special "priority" meaning nothing should match.)

    3) Except messages over the "authpriv" facility, which are ignored.

In this case you are logging messages over the "mark" facility.  This is
a special facility to provide a kind of "deadman's switch" for logging.
The kernel (or is it syslogd itself?) issues a message over the mark
facility at priority info (I believe) every 20 (?) minutes by default.

The idea is that sometimes you just want to know that everything is
okay.

Say, for example, that you have a server that once every few weeks, for
no apparent reason, just crashes hard.  There is nothing in the logs
indicating a panic or anything, just -blip- away she goes.  Because no
messages are being logged you can't even tell *when* the machine went
down, only when it came back up again.  

On an idle machine, you might not log any syslog messages for hours or
even days.  In this case the logs might show a normal syslog message,
nothing for a few days, then the machine crashes and no more messages
until you notice it's down and boot it back up.  Not very helpful.

To get *some* clue about what's going on, it's useful to explicitly add
a line like:

    mark.*	/var/log/messages

in /etc/syslog.conf.  This will log a timestamp (--MARK--) in the
messages file every twenty minutes.

Syslog is flexible and useful, but it's a security hole, uses a baroque
configuration syntax, isn't well understood by almost anybody, is a
performance pig, and it kinda glosses over important corner cases (like
rotating logs without losing messages).  

Hey!  Whaddaya know!  It was written by Eric Allman!  

(Not fair, of course, sendmail and syslog were both *VERY* important
milestones in the history of Unix -- it's just that their time is just
past IMHO.)

If you want fast reliable logging, I strongly recommend looking at
cyclog (part of the daemontools package at
"http://pobox.com/~djb/daemontools.html").  Not as flexible as syslog,
but a whole lot faster and MUCH more reliable.

Regards,
-- 
Rex
---------------------------------------------------------------
Next Meeting: 10 October, 12:30 Tokyo Station Yaesu central gate
Featuring the IMASY Eng. Team on "IPv6 - The Next Generation IP"
Next Nomikai: 20 November, 19:30  Tengu TokyoEkiMae 03-3275-3691
---------------------------------------------------------------
Sponsor: PHT, makers of TurboLinux http://www.pht.co.jp
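The selector rules Rex describes above (facility.priority meaning that priority or higher, "none" excluding a facility, "*" as a wildcard, and the mark facility acting as a heartbeat) are easy to check by hand with a small model. The following is an added example written for this archive page; it is not code from the thread, from Rex, or from any real syslogd, and the log lines it scans are constructed. Whether "*" covers the "mark" facility is a parameter, since the post notes that this behaviour changed, and the second half shows how a gap between -- MARK -- lines brackets the time a machine was down.

```python
"""Selector matching for /etc/syslog.conf plus a MARK heartbeat-gap check.

Added example (hypothetical code, not any syslogd's implementation). It
models the rules described in the post: "facility.priority" selects that
priority or higher, "none" excludes a facility, "*" is a wildcard, and
later selectors override earlier ones for the same facility.
"""
import re
from datetime import datetime, timedelta

# Priority order as given in the post (lowest first); common aliases added.
PRIORITIES = ["debug", "info", "notice", "warning", "error", "crit", "alert", "panic"]
ALIASES = {"warn": "warning", "err": "error", "emerg": "panic"}


def prio_level(name):
    """Numeric rank of a priority name; higher means more severe."""
    name = ALIASES.get(name.lower(), name.lower())
    return PRIORITIES.index(name)


def parse_selector(selector):
    """Split 'a.b;c.d' into [(facility, priority), ...], lowercased."""
    pairs = []
    for part in selector.split(";"):
        part = part.strip()
        if not part:
            continue
        fac, _, prio = part.partition(".")
        pairs.append((fac.strip().lower(), prio.strip().lower()))
    return pairs


def selector_matches(selector, facility, priority, star_includes_mark=True):
    """Would a message on `facility` at `priority` reach the selector's target?

    Selectors are applied left to right; the last one naming the facility
    (directly or via '*') decides, which is how 'mail.none' after '*.info'
    excludes mail while everything else at info or higher still matches.
    """
    facility = facility.lower()
    selected = False
    for fac, prio in parse_selector(selector):
        if fac == "*":
            if facility == "mark" and not star_includes_mark:
                continue  # the old behaviour: '*' meant everything except mark
        elif fac != facility:
            continue
        if prio == "none":
            selected = False
        elif prio == "*":
            selected = True
        else:
            selected = prio_level(priority) >= prio_level(prio)
    return selected


# Heartbeat check over the messages file: consecutive MARK lines should be
# one interval apart; a larger gap brackets the time the box was down.
MARK_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) -- MARK --$")


def mark_gaps(lines, interval_minutes=20, year=1998):
    """Return (previous_mark, next_mark, gap_minutes) for every gap larger
    than 1.5 intervals. syslog timestamps carry no year, so one is supplied."""
    marks = []
    for line in lines:
        m = MARK_RE.match(line.rstrip("\n"))
        if m:
            stamp = re.sub(r"\s+", " ", m.group(1))
            marks.append(datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"))
    limit = timedelta(minutes=interval_minutes * 1.5)
    gaps = []
    for prev, cur in zip(marks, marks[1:]):
        if cur - prev > limit:
            gaps.append((prev, cur, (cur - prev).total_seconds() / 60))
    return gaps


# Constructed sample of /var/log/messages; only the MARK lines matter here.
SAMPLE_LOG = """\
Oct  7 19:04:15 porcupine -- MARK --
Oct  7 19:24:15 porcupine -- MARK --
Oct  7 19:44:15 porcupine -- MARK --
Oct  7 21:12:03 porcupine syslogd: restart.
Oct  7 21:32:03 porcupine -- MARK --
""".splitlines()

if __name__ == "__main__":
    conf = "*.info;mail.none;authpriv.none"
    print(selector_matches(conf, "mark", "info"))                            # True
    print(selector_matches(conf, "mark", "info", star_includes_mark=False))  # False
    print(selector_matches(conf, "mail", "crit"))                            # False
    for prev, cur, minutes in mark_gaps(SAMPLE_LOG):
        print(f"heartbeat lost between {prev} and {cur} ({minutes:.0f} min)")
```

With the sample, the 19:44 and 21:32 marks are about 108 minutes apart, so the outage must have started after 19:44 and the syslogd restart line at 21:12 gives the reboot; that is exactly the "when did it go down" clue the post says the mark facility provides. The same `mark_gaps` check works on a real messages file if the year is passed in and the interval matches syslogd's mark interval on that host.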