socklog 2.1.0-8 / usr / share / doc / socklog / network.html

This file is indexed.

/usr/share/doc/socklog/network.html is in socklog 2.1.0-8.

This file is owned by root:root, with mode 0o644.

The actual contents of the file can be viewed below. 

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
<html>
<head>
<title>socklog - network logging</title>
</head>
<body>
<a href="http://smarden.org/pape/">G. Pape</a><br>
<a href="index.html">socklog</a><br>
<hr>
<h1>socklog - network logging</h1>
<hr>
<a href="#tcp">Logging through TCP</a><br>
<a href="#udp">Logging through UDP</a>
<hr>
Logging via network connection cannot be made reliable. There is always
a possibility for failures. The network connection itself may be down or
the receiving machine has crashed for example. So there must be a
decision, what to do in such cases.
<h2><a name="tcp">The <i>socklog</i> network logging concept</a></h2>
<ul>
  <li>
  logging is still done locally through
  <a href="http://smarden.org/runit/svlogd.8.html">svlogd</a>.
  <li>
  the log is transmitted through a network connection (if possible)
  when <a href="http://smarden.org/runit/svlogd.8.html">svlogd</a>
  decides that <tt>current</tt> is big enough, using
  <a href="http://smarden.org/runit/svlogd.8.html">svlogd</a>'s
  <i>processor</i> feature.
  <li>
  since this transmission cannot be made reliable, there is a tool
  <a href="tryto.1.html">tryto</a> that limits the time to try this
  transmission. See below for examples.
  <li>
  if the transmission of <tt>current</tt> fails, the log will be saved
  locally,
  <a href="http://smarden.org/runit/svlogd.8.html">svlogd</a>
  remembers the failure in its <tt>state</tt> and
  <a href="tryto.1.html">tryto</a> includes the error messages into
  the transmission on the next run, so the remote machine gets the
  information of log transmission failures.
</ul>
There are no restrictions on how to transmit the log data, a separate
process of your choice will do the work, e.g. <i>netcat</i> or
<a href="http://cr.yp.to/ucspi-tcp/tcpclient.html">tcpclient</a>.
This modularity lets you easily insert authentication, compression,
encryption and other things.
<h2>Example setup</h2>
<h3>Log Server (machine receiving log data)</h3>
Setup a <i>socklog-ucspi-tcp</i> service as described in
<a href="configuration.html#ucspi-tcp">Configuration</a> with the following
<tt>socklog-ucspi-tcp/run</tt> and <tt>socklog-ucspi-tcp/log/run</tt>
scripts:
<p>
socklog-ucspi-tcp/run:
<pre>
  #!/bin/sh
  PORT=10116
  exec 2&gt;&amp;1
  exec tcpsvd -vl0 -unobody 0 "$PORT" socklog ucspi TCPREMOTEIP
</pre>
socklog-ucspi-tcp/log/run:
<pre>
  #!/bin/sh
  exec chpst -ulog svlogd -t main/main main/10.0.0.236
</pre>
and socklog-ucspi-tcp/log/main/10.0.0.236/config
<pre>
  # cat 10.0.0.236/config
  -*
  +10.0.0.236:*
</pre>
You will then find all log data from remote hosts that was successfully
transmitted in <tt>main/main/</tt>. Log data from <tt>10.0.0.236</tt>
will additionally be saved in <tt>main/10.0.0.236/</tt>.
<h3>Log client (machine sending log data)</h3>
Change the <i>socklog</i> configuration to use a processor to transmit
the log data:
<p>
socklog-unix/log/run:
<pre>
  #!/bin/sh
  exec chpst -ulog svlogd ./main/main
</pre>
socklog-unix/log/main/main/config
<pre>
  s4096
  n20
  !tryto -pv nc 10.0.0.16 10116
</pre>
and restart the log service:
<pre>
  # sv restart socklog-unix/log
</pre>
On each rotation of
<a href="http://smarden.org/runit/svlogd.8.html">svlogd</a>'s
<tt>current</tt>, the data will be transmitted to
<tt>10.0.0.16:10116</tt> using <a href="tryto.1.html">tryto</a>
and <i>netcat</i>, failures will be noticed and notified on the next run.
<hr>
<h2><a name="udp">Logging through UDP</a></h2>
Transmitting log messages through UDP should only be used within private
networks.
Logging through UDP doesn't ensure that the log messages actually reach the
log server, and doesn't provide authentication and authorization.
It's the old-style UNIX syslog remote logging, and supported by
<i>socklog</i> for compatibility reasons.


<h2>Example setup</h2>
<h3>Log Server (machine receiving log data)</h3>
Setup a <i>socklog-inet</i> service as described in
<a href="configuration.html#inet">Configuration</a> with the following
<tt>socklog-inet/run</tt> and <tt>socklog-inet/log/run</tt> scripts, and
the following <tt>socklog-inet/log/main/config</tt> log configuration:
<p>
socklog-inet/run:
<pre>
  #!/bin/sh
  exec 2&gt;&amp;1
  exec chpst -Unobody socklog inet 0 514
</pre>
socklog-inet/log/run:
<pre>
  #!/bin/sh
  exec chpst -ulog svlogd -t main/main main/10.0.0.236
</pre>
and socklog-inet/log/main/10.0.0.236/config:
<pre>
  # cat 10.0.0.236/config
  -*
  +10.0.0.236:*
</pre>
You will then find all log messages from remote hosts that were successfully
transmitted in <tt>main/main/</tt>.
Log messages from <tt>10.0.0.236</tt> will additionally be saved in
<tt>main/10.0.0.236/</tt>.
<h3>Log client (machine sending log data)</h3>
Tell socklog to write raw syslog messages without converting syslog
priority and facility to names by adding the -R option:
<p>
socklog-unix/run:
<pre>
  #!/bin/sh
  exec 2>&1
  exec chpst -Unobody socklog -R unix /dev/log
</pre>
Then change the configuration of <i>socklog</i>'s main log directory to tell
<a href="http://smarden.org/runit/svlogd.8.html">svlogd</a> to transmit
log messages through UDP:
<p>
/var/log/socklog/main/config:
<pre>
  s9999
  n2
  U10.0.0.16:514
</pre>
Restart the service, and tell the log service to reload its configuration:
<pre>
  # sv restart socklog-unix
  # sv hup socklog-unix/log
</pre>
Now each log message will be sent through UDP to <tt>10.0.0.16:514</tt>, and
not written to the log directory.
If <a href="http://smarden.org/runit/svlogd.8.html">svlogd</a> has trouble
transmitting data through UDP, and is able to detect an error, it logs an
error message followed by the log message to the log directory.
<p>
Of course you can configure <i>socklog</i> to log through UDP while keeping
local logging enabled, and also select log messages to be transmitted through
UDP by pattern.
See the documentation of
<a href="http://smarden.org/runit/svlogd.8.html">svlogd</a> for details.
<hr>
<address><a href="mailto:pape@smarden.org">
Gerrit Pape &lt;pape@smarden.org&gt;
</a></address>
<small>$Id: network.html,v 1.19 2006/03/06 12:56:33 pape Exp $</small
</body>
</html>

APT Browse - Built by Thomas Orozco.