Re: Apple system log facility: questions
- Subject: Re: Apple system log facility: questions
- From: Marc Majka <email@hidden>
- Date: Thu, 16 Nov 2006 13:29:16 -0800

I sympathize with your wish - it is really nice to be able to have
*all* the log messages around. You can change the settings in the
startup plist (/System/Library/LaunchDaemons/com.apple.syslogd.plist).

Although I'm not really supposed to describe too much about Leopard
in this forum (it hasn't shipped yet, and we may decide to change
some details at the last minute), we are changing the data store
quite a bit. Hopefully for the better!

The asl.log file is going away. ASL was written on a very tight
schedule, and all we had time to do was make it a very basic data
store. If you look at it, it's just a big flat file with all the
messages encoded with square brackets around key/value pairs. Same
as the "-F raw" format of syslog. The asl.log file works, but it's
weak. In Leopard it's being replaced by "asl.db", which is an actual
database. It has a number of advantages:

- better performance
- better security
- better archival and management

Performance is obvious. Searching (via the asl_search API, the
syslog command, and by Console.app) is done by syslogd, which now has
the duty of being a database server. The database is optimized for
key == value searches for the "standard" keys like Sender, Facility,
and so on. Strings are uniqued and refcounted to reduce the size of
the database.

Security is enhanced by the addition of read access controls. Every
message may have a read-access UID and GID, such that only that user
or members of that group may read the message.

Archival replaces the pruning system that's there in Tiger. Messages
in the active database (asl.db) expire after a configurable
time-to-live (the default is 24 hours). After that they are either deleted
entirely or they are copied to an archive database. By default they
are just deleted. Most users really never look at their log messages
at all. If they do, they are usually looking for an error message
for something bad that just happened on their system, so anything
older than 24 hours is unlikely to be very interesting. However, if
archiving is enabled (a syslogd startup option), then you can keep
log messages as long as you want. syslogd starts a new archive
database for each calendar day. The syslog command lets you read,
search, delete, and copy messages in archive databases. You can keep
them around, burn them on a DVD, or whatever best suits your
administrative needs.

Since syslogd will only be keeping a day's worth of messages in the
database (by default), we are currently still investigating whether
to keep the default for the cut-off filter to only keep NOTICE -
EMERGENCY levels, or to include DEBUG and INFO as well. At the
moment we're still filtering DEBUG and INFO to keep the database
smaller.

--
Marc Majka

On 16 Nov, 2006, at 07:40, Paul Nelson wrote:

I use asl quite a bit with Tiger. I think it is superior to syslog
because of the ability to put detail into asl.log, and summarize in
system.log.

I never had any trouble figuring out the api. Not sure why this is
even an issue.

One thing I wish I could do is have users set the logging to debug via

sudo syslog -c 0 -d

and have it stay there after rebooting. A lot of stuff I do needs
to have debug output during system boot. Having a user in the field
change syslog.conf is often too difficult.

Paul Nelson
Thursby Software Systems, Inc.
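
An added example, not part of the original message and not Apple's code: a small Python model of the store behaviour described above (bracketed key/value raw lines, per-message read access, the NOTICE cut-off and the 24-hour time-to-live). The backslash escaping rule, the key names `ReadUID`, `ReadGID`, `Level` and `Time`, the epoch timestamps and the sample lines are assumptions constructed for illustration.

```python
import re

# Assumed raw encoding: "[Key Value] [Key Value] ...", with "]" and "\" inside
# a value escaped by a backslash. The key names used below are assumptions too.
PAIR = re.compile(r"\[(\S+) ((?:\\.|[^\]\\])*)\]")
NOTICE = 5            # syslog levels: 0 = Emergency ... 7 = Debug
TTL = 24 * 3600       # default time-to-live given in the message: 24 hours

def parse_raw(line):
    """Decode one raw line into a dict of key -> unescaped value."""
    return {k: re.sub(r"\\(.)", r"\1", v) for k, v in PAIR.findall(line)}

def may_read(msg, uid, gids):
    """Read ACL: no ReadUID/ReadGID means unrestricted; otherwise the caller
    must be that user or a member of that group."""
    r_uid, r_gid = msg.get("ReadUID"), msg.get("ReadGID")
    if r_uid is None and r_gid is None:
        return True
    return (r_uid is not None and int(r_uid) == uid) or \
           (r_gid is not None and int(r_gid) in gids)

def stored(msg, cutoff=NOTICE):
    """Cut-off filter: keep Emergency..cutoff, drop anything more verbose."""
    return int(msg["Level"]) <= cutoff

def expired(msg, now, ttl=TTL):
    """True once the message is older than the active store's time-to-live."""
    return now - int(msg["Time"]) > ttl

def search(lines, uid, gids, now, **query):
    """key == value search over messages that are stored, live and readable."""
    out = []
    for m in map(parse_raw, lines):
        if stored(m) and not expired(m, now) and may_read(m, uid, gids) \
                and all(m.get(k) == v for k, v in query.items()):
            out.append(m)
    return out

# Constructed sample input (not taken from a real system).
SAMPLE = [
    "[Time 1163712000] [Sender sshd] [Level 5] [ReadUID 501] [Message login ok]",
    "[Time 1163712100] [Sender cron] [Level 7] [Message debug chatter]",
    # Escaped brackets inside a value must not produce a separate ReadUID key.
    r"[Time 1163712200] [Sender app] [Level 3] [Message oops\] [ReadUID 0\] x]",
    "[Time 1163600000] [Sender sshd] [Level 4] [ReadGID 80] [Message old]",
]
```

The third sample line is the case to watch when parsing this kind of format: if escapes were ignored, text inside a message body could be read as its own key/value pair and change the access decision.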