G. Pape
socklog

socklog - examples


listening on unix domain dgram socket /dev/log:

  • a sample socklog-unix/run script:
      #!/bin/sh
      exec 2>&1
      # /dev/log is bound while still root; socklog then drops to the uid/gid
      # that envuidgid exports in $UID/$GID
      exec softlimit -m 2000000 envuidgid nobody socklog unix /dev/log
      
  • a sample socklog-unix/log/run script:
      #!/bin/sh
      LOGDIR=/var/log/socklog
      exec setuidgid log multilog ${LOGDIR}/main \
        s999999 n10 -* +kern.* ${LOGDIR}/kern \
        s999999 n10 -* +user.* ${LOGDIR}/user \
        s999999 n10 -* +mail.* ${LOGDIR}/mail \
        s999999 n10 -* +daemon.* ${LOGDIR}/daemon \
        s999999 n10 -* +auth.* +authpriv.* ${LOGDIR}/auth \
        s999999 n10 -* +syslog.* ${LOGDIR}/syslog \
        s999999 n10 -* +news.* ${LOGDIR}/news \
        s999999 n10 -* +cron.* ${LOGDIR}/cron \
        s999999 n10 -* +ftp.* ${LOGDIR}/ftp \
        s999999 n10 -* +local*.* ${LOGDIR}/local \
        s999999 n10 -* +*.debug* ${LOGDIR}/debug
      
  • if you want tai64n (# man tai64n) timestamps prepended to each message, use this socklog-unix/log/run script as an example:
      #!/bin/sh
      LOGDIR=/var/log/socklog
      exec setuidgid log multilog t ${LOGDIR}/main \
        s999999 n10 -* +'* kern.*' ${LOGDIR}/kern \
        s999999 n10 -* +'* user.*' ${LOGDIR}/user \
        s999999 n10 -* +'* mail.*' ${LOGDIR}/mail \
        s999999 n10 -* +'* daemon.*' ${LOGDIR}/daemon \
        s999999 n10 -* +'* auth.*' +'* authpriv.*' ${LOGDIR}/auth \
        s999999 n10 -* +'* syslog.*' ${LOGDIR}/syslog \
        s999999 n10 -* +'* news.*' ${LOGDIR}/news \
        s999999 n10 -* +'* cron.*' ${LOGDIR}/cron \
        s999999 n10 -* +'* ftp.*' ${LOGDIR}/ftp \
        s999999 n10 -* +'* local*.*' ${LOGDIR}/local \
        s999999 n10 -* +'* *.debug*' ${LOGDIR}/debug
      
    note that multilog (# man multilog) matches its patterns against the whole line, timestamp included; that is why every pattern above starts with '* ' to skip the tai64n label, and a pattern written without it (for example a bare +authpriv.*) never matches once t is in effect.

listening on udp network socket 0.0.0.0:514:

  • a sample socklog-inet/run script is:
      #!/bin/sh
      exec 2>&1
      # bind udp 0.0.0.0:514 as root (514 is a privileged port), then drop to
      # the uid/gid from envuidgid; make sure only the hosts that are meant to
      # log here can reach this port
      exec softlimit -m 2000000 envuidgid nobody socklog inet 0 514
      
  • a sample socklog-inet/log/run script is (socklog inet prefixes each message with the sender's ip:port:, so the patterns below sort messages per sending host; the source address of a UDP datagram is not authenticated, so this sorting does not prove who sent a line):
      #!/bin/sh
      LOGDIR=/var/log/socklog-remote
      exec setuidgid log multilog t ${LOGDIR}/main \
        s4999999 n10 -* +'* 10.0.0.2:*' ${LOGDIR}/10.0.0.2 \
        s4999999 n10 -* +'* 10.0.0.17:*' ${LOGDIR}/10.0.0.17
      

listening on unix domain stream socket /dev/log:

  • a sample socklog-ucspi-unix/run script:
      #!/bin/sh
      exec 2>&1
      # unixserver creates the stream socket as root; with -U it drops to the
      # $UID/$GID that envuidgid exports, as in the socklog unix example
      exec softlimit -m 2000000 \
        envuidgid nobody unixserver -U /dev/log -- \
        socklog ucspi UNIXREMOTEEUID UNIXREMOTEEGID
      
  • a sample socklog-ucspi-unix/log/run script:
      #!/bin/sh
      LOGDIR=/var/log/socklog
      exec setuidgid log multilog ${LOGDIR}/main \
        s999999 n10 -* +'*: *: kern.*' ${LOGDIR}/kern \
        s999999 n10 -* +'*: *: user.*' ${LOGDIR}/user \
        s999999 n10 -* +'*: *: mail.*' ${LOGDIR}/mail \
        s999999 n10 -* +'*: *: daemon.*' ${LOGDIR}/daemon \
        s999999 n10 -* +'*: *: auth.*' +'*: *: authpriv.*' ${LOGDIR}/auth \
        s999999 n10 -* +'*: *: syslog.*' ${LOGDIR}/syslog \
        s999999 n10 -* +'*: *: news.*' ${LOGDIR}/news \
        s999999 n10 -* +'*: *: cron.*' ${LOGDIR}/cron \
        s999999 n10 -* +'*: *: ftp.*' ${LOGDIR}/ftp \
        s999999 n10 -* +'*: *: local*.*' ${LOGDIR}/local \
        s999999 n10 -* +'*: *: *.debug*' ${LOGDIR}/debug
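
The three log/run scripts above (timestamped unix, inet per-host, ucspi uid/gid-prefixed) all rely on how multilog walks its argument list and matches patterns. The following Python script is an added example, not code from the socklog page or from daemontools: match() reproduces the rule of daemontools' match.c ('*' runs up to the next pattern character without backtracking), tai64n() the label format that tai64n and multilog's t produce (daemontools adds a fixed 10 s TAI offset to the unix time), and route() the select/deselect/log walk over a multilog action list. The action lists are trimmed copies of the scripts above, and the log lines are constructed; the LOGDIR path and line formats are taken from the page.

```python
#!/usr/bin/env python3
"""Added example: simulate multilog's pattern routing for socklog lines.
Not socklog or daemontools code; action lists and sample lines are
constructed from the examples on this page."""
import shlex

# daemontools' tai_unix(): TAI64 seconds = 2**62 + 10 + unix seconds
# (a fixed TAI-UTC offset of 10 s, no leap-second table)
TAI64_UNIX_OFFSET = 4611686018427387914


def tai64n(unix_sec, nsec=0):
    """'@' + 16 hex digits of TAI64 seconds + 8 hex digits of nanoseconds."""
    return "@%016x%08x" % (TAI64_UNIX_OFFSET + unix_sec, nsec)


def match(pattern, line):
    """multilog pattern match: every character matches itself; '*' matches the
    shortest run up to the next pattern character (no backtracking); a
    trailing '*' matches the rest of the line."""
    i = j = 0
    while True:
        if i == len(pattern):
            return j == len(line)
        ch = pattern[i]
        i += 1
        if ch == "*":
            if i == len(pattern):
                return True
            stop = pattern[i]
            while j < len(line) and line[j] != stop:
                j += 1
            if j == len(line):
                return False
            continue          # next round consumes the stop character itself
        if j == len(line) or line[j] != ch:
            return False
        j += 1


def route(line, actions, now_sec=0, nsec=0):
    """Return the directories that receive `line` for a multilog action list.
    A line starts selected; -pattern deselects, +pattern selects, a directory
    logs the line if it is currently selected, and the selection carries on
    to the following actions (hence the '-*' before every directory above).
    s<n>, n<n>, e and !processor do not affect routing."""
    selected, dests = True, []
    for act in actions:
        if act == "t":                       # prepend '@<tai64n> '
            line = tai64n(now_sec, nsec) + " " + line
        elif act[0] == "-":
            if match(act[1:], line):
                selected = False
        elif act[0] == "+":
            if match(act[1:], line):
                selected = True
        elif act == "e" or act[0] == "!" or (act[0] in "sn" and act[1:].isdigit()):
            continue
        elif selected:
            dests.append(act)
    return dests


LOGDIR = "/var/log/socklog"
# socklog-unix/log/run without and with 't', trimmed to four destinations
PLAIN = shlex.split(f"""{LOGDIR}/main
    s999999 n10 -* +kern.* {LOGDIR}/kern
    s999999 n10 -* +auth.* +authpriv.* {LOGDIR}/auth
    s999999 n10 -* +*.debug* {LOGDIR}/debug""")
STAMPED = shlex.split(f"""t {LOGDIR}/main
    s999999 n10 -* +'* kern.*' {LOGDIR}/kern
    s999999 n10 -* +'* auth.*' +'* authpriv.*' {LOGDIR}/auth
    s999999 n10 -* +'* *.debug*' {LOGDIR}/debug""")
# the same list with the authpriv pattern left without the '* ' prefix
STAMPED_BAD = ["+authpriv.*" if a == "+* authpriv.*" else a for a in STAMPED]
# socklog-inet/log/run: socklog inet prefixes lines with 'ip:port: '
REMOTE = shlex.split("""t /var/log/socklog-remote/main
    s4999999 n10 -* +'* 10.0.0.2:*' /var/log/socklog-remote/10.0.0.2
    s4999999 n10 -* +'* 10.0.0.17:*' /var/log/socklog-remote/10.0.0.17""")

SAMPLE = {  # constructed socklog output: 'facility.priority: message'
    "kern": "kern.info: eth0: link up",
    "authpriv": "authpriv.notice: sshd[412]: Accepted publickey for ops",
    "debug": "daemon.debug: runsvdir: starting",
    "remote": "10.0.0.2:514: daemon.info: sshd[99]: Server listening",
}


def main():
    for name, line in SAMPLE.items():
        print(f"{name:9s} plain   -> {route(line, PLAIN)}")
        print(f"{name:9s} stamped -> {route(line, STAMPED, now_sec=1022848729)}")
    print("authpriv, bad pattern ->", route(SAMPLE["authpriv"], STAMPED_BAD, now_sec=1022848729))
    print("remote ->", route(SAMPLE["remote"], REMOTE, now_sec=1022848729))


if __name__ == "__main__":
    main()
```

Two things the run shows that the scripts alone do not: an authpriv line routed through the unprefixed pattern lands only in main, silently, and because '*' never backtracks a pattern such as '* *.debug*' only inspects the first '.' after the timestamp, so 'auth.info: user.debug' is not a debug line.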
      

reading kernel messages from /dev/klog on BSD:

  • a sample socklog-klog/run script on BSD:
      #!/bin/sh
      # /dev/klog is opened by the shell while still root; socklog ucspi with
      # no arguments simply reads the messages from stdin as nobody
      exec </dev/klog
      exec 2>&1
      exec softlimit -m 2000000 setuidgid nobody socklog ucspi
      
  • a sample socklog-klog/log/run:
      #!/bin/sh
      LOGDIR=/var/log/socklog-klog
      exec setuidgid log multilog t ${LOGDIR}/main
      

A client for socklog network logging:

  • a sample socklog-unix/log/run script that transmits the logs to a network logging server running the socklog-ucspi-tcp service is (the transport is plain TCP, so restrict which clients the server's tcpserver accepts and do not run this across an untrusted network):
      #!/bin/sh
      LOGDIR=/var/log/socklog
      LOGSERVERIP=10.0.0.16
      PORT=10116
      # the processor runs in a separate sh started by multilog, so the
      # variables it references must be exported
      export LOGSERVERIP PORT
      # at each rotation the rotated log is written to tcpclient's write
      # descriptor (7); tryto -p keeps the data and retries on failure
      exec setuidgid log multilog s4096 n20 \
        !'tryto -pv tcpclient -v $LOGSERVERIP $PORT sh -c "cat >&7"' \
        ${LOGDIR}/main
      

log events notification with wall:

  • a sample socklog-notify/run script that uses wall for notification is (wall writes to every logged-in user's terminal, so feed it only lines all of them may see):
      #!/bin/sh -e
      PIPE=/var/log/socklog/.notify
      # fifo writable by user log and group adm only
      if [ ! -p "$PIPE" ]; then mkfifo -m0620 "$PIPE"; chown log:adm "$PIPE"; fi
      # open the fifo read-write so the open does not block waiting for a
      # writer and the service survives writers coming and going
      exec <> "$PIPE"
      # uncat collects lines until 49999 bytes or 180 seconds, then runs the
      # program with them on stdin; head passes only the first ten lines on
      exec setuidgid log uncat -s49999 -t180 \
        sh -c 'head | wall'
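
To make the gating in that notify script visible offline, here is an added example in Python (not socklog code): a small batcher that assumes uncat's -s/-t semantics (flush when the buffered bytes reach the size limit or when the time limit has passed since the first buffered line) and applies head's ten-line cut before handing the batch to the notifier. The clock is injected so the scenario is deterministic; the failed-login lines are constructed.

```python
#!/usr/bin/env python3
"""Added example: uncat -s/-t plus head, as a class with an injectable clock.
Not socklog code; the flush semantics are an assumption about uncat."""
import time


class NotifyBatcher:
    def __init__(self, notify, max_bytes=49999, max_seconds=180, keep_lines=10,
                 clock=time.monotonic):
        self.notify = notify        # receives the text wall would broadcast
        self.max_bytes = max_bytes
        self.max_seconds = max_seconds
        self.keep_lines = keep_lines
        self.clock = clock
        self.lines, self.size, self.first_at = [], 0, None
        self.dropped = 0            # lines head silently discarded so far

    def feed(self, line):
        """Buffer one log line; True if this line caused a flush."""
        if self.first_at is None:
            self.first_at = self.clock()
        self.lines.append(line)
        self.size += len(line) + 1  # count the newline as uncat sees it (assumption)
        return self.poll()

    def poll(self):
        """Flush if a limit is reached; call periodically, not only after feed()."""
        if not self.lines:
            return False
        if self.size >= self.max_bytes or self.clock() - self.first_at >= self.max_seconds:
            self.flush()
            return True
        return False

    def flush(self):
        shown = self.lines[:self.keep_lines]           # what 'head' lets through
        self.dropped += len(self.lines) - len(shown)   # what it throws away
        self.notify("".join(l + "\n" for l in shown))
        self.lines, self.size, self.first_at = [], 0, None


class FakeClock:
    def __init__(self, t=0.0):
        self.t = t

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def scenario():
    """Constructed run: a burst of 12 failed-login lines, three quiet
    minutes, then one oversized line."""
    clock, sent = FakeClock(), []
    b = NotifyBatcher(sent.append, clock=clock)
    burst = ["auth.warning: sshd[812]: Failed password for root from 10.0.0.99 port %d"
             % (40000 + i) for i in range(12)]
    flushed_in_burst = any(b.feed(line) for line in burst)   # neither limit reached
    clock.advance(180)
    timed_flush = b.poll()                                    # -t180 expires
    size_flush = b.feed("kern.crit: " + "A" * 60000)          # alone exceeds -s49999
    return {
        "batches": len(sent),
        "flushed_in_burst": flushed_in_burst,
        "timed_flush": timed_flush,
        "size_flush": size_flush,
        "first_shown_lines": sent[0].count("\n"),
        "dropped": b.dropped,
    }


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k}: {v}")
```

The point of the dropped counter is the caveat about the script's pipeline: with 'head | wall' the eleventh and later lines of a burst never reach anyone, and nothing records that they were cut.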
      

Gerrit Pape <pape@smarden.org>
$Id: examples.html,v 1.12 2002/05/31 12:38:49 pape Exp $