Archive for the 'Syslog' Category

Dying ‘try’ processes

Note: This syslog entry is puzzling if the system has no program named try, but it is no cause for concern:

2011-11-19T01:31:21 frodo kernel: pid 47812 (try), uid 0: exited on signal 10 (core dumped)

The program comes from Perl’s Configure script, which compiles its C library test cases into programs named try. Apparently amd64 systems need to use the function va_copy(), because the test case without this function leads to a segfault.

simple log event histograms

Just to preserve it, here’s a useful shell command line to print a histogram of frequent log events:
grep -h 'expr' files | cut -d ' ' -f 1,2 | uniq -c | awk '{step=5; bar = ""; for(i = $1; i>=1; i = i-step) bar = bar "#"; printf "%s %s %s\n", $2, $3, bar; }'


PHP syslog patch

Given a multiuser webserver with PHP and error logging to syslog. Problem: how do you correlate error messages with users? This patch lets PHP call openlog() with a configurable program name.

Solaris syslog and message IDs

I finally checked how the Solaris kernel assigns message IDs to its log messages.


CLT09

And now the obligatory entry, live from the BSD booth at the Chemnitzer Linux-Tage.
My own talk on the Syslog RFCs went well. Grunix already has the first pictures, too.

Finally, the Syslog RFCs

Today the RFCs for the new Syslog protocol and transport were published:

Syslog line length statistic

Time for some useless statistics… Because I had to set some initial buffer sizes in syslogd I took a closer look at my log files. I used all logs from last month and counted the line lengths for every message to get an impression of real-life requirements on message/line lengths.


reliable TCP reconnect made easy

When I came to work on Syslog one of the most disturbing texts I came across was Rainer’s observation “On the (un)reliability of plain tcp syslog…“. The problem is that a sendmsg() system call is nearly always successful — it only indicates local errors (like a full send queue), but no network errors. So even after the other side initiated a connection shutdown one can happily write into the local buffer and only get an error on the second write.
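
The behaviour described above can be reproduced on the loopback interface. The following is an added example, not code from the original post: it sends two constructed log lines to a receiver that has already closed, then repeats the run with a pre-write check (the helper peer_closed() and the MSG_PEEK technique are assumptions of this example, not necessarily the approach the full entry takes).

```python
import select
import socket
import time


def peer_closed(sock):
    """Return True if the peer has shut down (EOF or a pending reset)."""
    readable, _, _ = select.select([sock], [], [], 0)
    if not readable:
        return False              # nothing pending: no FIN seen so far
    try:
        # Peek so that real data from the peer is not consumed.
        return sock.recv(1, socket.MSG_PEEK) == b""
    except ConnectionError:
        return True


def demo(check_before_write=False):
    """Send two constructed log lines to a receiver that already closed.

    Returns one outcome per message: "sent", "error:<ExceptionName>",
    or "detected" when the pre-write check noticed the shutdown.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    sender = socket.create_connection(listener.getsockname())
    receiver, _ = listener.accept()
    receiver.close()              # the other side initiates the shutdown
    listener.close()
    time.sleep(0.2)               # let the FIN reach the sender

    outcomes = []
    for line in (b"<13>constructed message 1\n", b"<13>constructed message 2\n"):
        if check_before_write and peer_closed(sender):
            outcomes.append("detected")
            continue
        try:
            sender.sendall(line)  # only copies into the local send buffer
            outcomes.append("sent")
        except OSError as exc:
            outcomes.append("error:" + type(exc).__name__)
        time.sleep(0.2)           # let the RST caused by this write arrive
    sender.close()
    return outcomes


if __name__ == "__main__":
    print(demo(), demo(check_before_write=True))
```

Without the check, the first message is reported as sent although the receiver never reads it; the error only surfaces on the second write.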
