/usr/share/doc/socklog/network.html is in socklog 2.1.0-8.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 | <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
<html>
<head>
<title>socklog - network logging</title>
</head>
<body>
<a href="http://smarden.org/pape/">G. Pape</a><br>
<a href="index.html">socklog</a><br>
<hr>
<h1>socklog - network logging</h1>
<hr>
<a href="#tcp">Logging through TCP</a><br>
<a href="#udp">Logging through UDP</a>
<hr>
Logging via network connection cannot be made reliable. There is always
a possibility for failures. The network connection itself may be down or
the receiving machine has crashed for example. So there must be a
decision, what to do in such cases.
<h2><a name="tcp">The <i>socklog</i> network logging concept</a></h2>
<ul>
<li>
logging is still done locally through
<a href="http://smarden.org/runit/svlogd.8.html">svlogd</a>.
<li>
the log is transmitted through a network connection (if possible)
when <a href="http://smarden.org/runit/svlogd.8.html">svlogd</a>
decides that <tt>current</tt> is big enough, using
<a href="http://smarden.org/runit/svlogd.8.html">svlogd</a>'s
<i>processor</i> feature.
<li>
since this transmission cannot be made reliable, there is a tool
<a href="tryto.1.html">tryto</a> that limits the time to try this
transmission. See below for examples.
<li>
if the transmission of <tt>current</tt> fails, the log will be saved
locally,
<a href="http://smarden.org/runit/svlogd.8.html">svlogd</a>
remembers the failure in its <tt>state</tt> and
<a href="tryto.1.html">tryto</a> includes the error messages into
the transmission on the next run, so the remote machine gets the
information of log transmission failures.
</ul>
There are no restrictions on how to transmit the log data, a separate
process of your choice will do the work, e.g. <i>netcat</i> or
<a href="http://cr.yp.to/ucspi-tcp/tcpclient.html">tcpclient</a>.
This modularity lets you easily insert authentication, compression,
encryption and other things.
<h2>Example setup</h2>
<h3>Log Server (machine receiving log data)</h3>
Setup a <i>socklog-ucspi-tcp</i> service as described in
<a href="configuration.html#ucspi-tcp">Configuration</a> with the following
<tt>socklog-ucspi-tcp/run</tt> and <tt>socklog-ucspi-tcp/log/run</tt>
scripts:
<p>
socklog-ucspi-tcp/run:
<pre>
#!/bin/sh
PORT=10116
exec 2>&1
exec tcpsvd -vl0 -unobody 0 "$PORT" socklog ucspi TCPREMOTEIP
</pre>
socklog-ucspi-tcp/log/run:
<pre>
#!/bin/sh
exec chpst -ulog svlogd -t main/main main/10.0.0.236
</pre>
and socklog-ucspi-tcp/log/main/10.0.0.236/config
<pre>
# cat 10.0.0.236/config
-*
+10.0.0.236:*
</pre>
You will then find all log data from remote hosts that was successfully
transmitted in <tt>main/main/</tt>. Log data from <tt>10.0.0.236</tt>
will additionally be saved in <tt>main/10.0.0.236/</tt>.
<h3>Log client (machine sending log data)</h3>
Change the <i>socklog</i> configuration to use a processor to transmit
the log data:
<p>
socklog-unix/log/run:
<pre>
#!/bin/sh
exec chpst -ulog svlogd ./main/main
</pre>
socklog-unix/log/main/main/config
<pre>
s4096
n20
!tryto -pv nc 10.0.0.16 10116
</pre>
and restart the log service:
<pre>
# sv restart socklog-unix/log
</pre>
On each rotation of
<a href="http://smarden.org/runit/svlogd.8.html">svlogd</a>'s
<tt>current</tt>, the data will be transmitted to
<tt>10.0.0.16:10116</tt> using <a href="tryto.1.html">tryto</a>
and <i>netcat</i>, failures will be noticed and notified on the next run.
<hr>
<h2><a name="udp">Logging through UDP</a></h2>
Transmitting log messages through UDP should only be used within private
networks.
Logging through UDP doesn't ensure that the log messages actually reach the
log server, and doesn't provide authentication and authorization.
It's the old-style UNIX syslog remote logging, and supported by
<i>socklog</i> for compatibility reasons.
<h2>Example setup</h2>
<h3>Log Server (machine receiving log data)</h3>
Setup a <i>socklog-inet</i> service as described in
<a href="configuration.html#inet">Configuration</a> with the following
<tt>socklog-inet/run</tt> and <tt>socklog-inet/log/run</tt> scripts, and
the following <tt>socklog-inet/log/main/config</tt> log configuration:
<p>
socklog-inet/run:
<pre>
#!/bin/sh
exec 2>&1
exec chpst -Unobody socklog inet 0 514
</pre>
socklog-inet/log/run:
<pre>
#!/bin/sh
exec chpst -ulog svlogd -t main/main main/10.0.0.236
</pre>
and socklog-inet/log/main/10.0.0.236/config:
<pre>
# cat 10.0.0.236/config
-*
+10.0.0.236:*
</pre>
You will then find all log messages from remote hosts that were successfully
transmitted in <tt>main/main/</tt>.
Log messages from <tt>10.0.0.236</tt> will additionally be saved in
<tt>main/10.0.0.236/</tt>.
<h3>Log client (machine sending log data)</h3>
Tell socklog to write raw syslog messages without converting syslog
priority and facility to names by adding the -R option:
<p>
socklog-unix/run:
<pre>
#!/bin/sh
exec 2>&1
exec chpst -Unobody socklog -R unix /dev/log
</pre>
Then change the configuration of <i>socklog</i>'s main log directory to tell
<a href="http://smarden.org/runit/svlogd.8.html">svlogd</a> to transmit
log messages through UDP:
<p>
/var/log/socklog/main/config:
<pre>
s9999
n2
U10.0.0.16:514
</pre>
Restart the service, and tell the log service to reload its configuration:
<pre>
# sv restart socklog-unix
# sv hup socklog-unix/log
</pre>
Now each log message will be sent through UDP to <tt>10.0.0.16:514</tt>, and
not written to the log directory.
If <a href="http://smarden.org/runit/svlogd.8.html">svlogd</a> has trouble
transmitting data through UDP, and is able to detect an error, it logs an
error message followed by the log message to the log directory.
<p>
Of course you can configure <i>socklog</i> to log through UDP while keeping
local logging enabled, and also select log messages to be transmitted through
UDP by pattern.
See the documentation of
<a href="http://smarden.org/runit/svlogd.8.html">svlogd</a> for details.
<hr>
<address><a href="mailto:pape@smarden.org">
Gerrit Pape <pape@smarden.org>
</a></address>
<small>$Id: network.html,v 1.19 2006/03/06 12:56:33 pape Exp $</small
</body>
</html>
|