nsca and nrpe2 syslog facility

Andreas Ericsson ae at op5.se
Tue Nov 20 11:00:14 CET 2007


Brian A. Seklecki wrote:
> nsca.c @ line 134 of 1450
> 
>   openlog("nsca",LOG_PID|LOG_NDELAY,LOG_DAEMON); 
>  
>   prototype: void openlog(const char *ident, int logopt, int facility);
> 
> We should probably make that a config-file defined variable.  At the
> *very* least, a GNU autoconf compile-time configure option -> #DEFINE
> 

Err... say what now?

> Default syslog.conf(5)'s everywhere are going to split the destination
> into a variety of files (because of priorities), which is insanely
> annoying.
> 

First off, let's get one thing straight right from the start.
Syslog uses a facility and severity pair which, combined, is called
priority. It's actually a single number, calculated like so:

	pri = (fac << 3) + sev

What people normally do (in my experience) is to put logs from
different *facilities* in one file, and additionally log LOG_WARN
or LOG_ERR and above to somewhere else.

And no, most default syslog.conf files won't split nrpe logs to
several destinations. They will all end up in /var/log/messages
due to this line:

*.info;mail,cron,kern.none                    /var/log/messages

which tells syslogd to log all facilities with a severity worse
than "info" to /var/log/messages. mail, cron and kernel logs
are explicitly exempted.

> Most big shops end up using syslog-ng and filter on program:
> 
>    filter f_prog_nrpe { program("nrpe"); };
> 

You could add something like this:
daemon.*          /var/log/message/daemon.log

to get all NRPE logs in one file. Granted, it will be along with
every other application that logs to the LOG_DAEMON facility, but
you really don't want filter your events based on severity. That
way you can get a "WARNING: Internal inconsistency. Attempting autofix"
in one logfile and then immediately after "ERROR: Autofix failed,
quitting" in another logfile.

> Then we can route it out to destinations regardless of priorities before
> fall-back facility.priority(*) wildcard gets caught.  
> 

Sure, but since there aren't enough facilities for every program to have
its own, the facilities need to be shared. I fail to see the problem here,
since so far the only ones you've mentioned are downright wrong.

> For example, there's only one or two LOG_DEBUG's, but the config file
> only defines a boolean log statement.
> 

True that. I wouldn't mind having various verbosity levels in nrpe, but
that's got absolutely *NOTHING* to do with openlog(3).

-- 
Andreas Ericsson                   andreas.ericsson at op5.se
OP5 AB                             www.op5.se
Tel: +46 8-230225                  Fax: +46 8-230231

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2005.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/




More information about the Developers mailing list