Logging

Gyepi SAM gyepi at praxis-sw.com
Thu Jul 22 23:33:25 CEST 2004


On Sun, Jul 18, 2004 at 08:34:23PM -0400, David Relson wrote:
> Bogofilter's logging is done with:
> 
>     openlog("bogofilter", LOG_PID, LOG_MAIL);
>     syslog(LOG_INFO,...);
>     closelog();
> 
> I'll confess I don't know exactly how the output file, though
> /etc/syslog.conf is involved.  On my Mandrake system, messages go to
> /var/log/messages and /var/log/syslog.  I'd be very pleased to have the
> messages go to a bogofilter-only file.

> Possibly the next bit of /etc/syslog.conf controls the behavior:
> 
> # Log anything (except mail) of level info or higher.
> # Don't log private authentication messages!
> *.info;mail.none;;news.none;authpriv.none	-/var/log/messages
> 
> I suggest reading up on syslog() and finding what's what.  Maybe you'll
> then be able to tell us all how it all works!

As the snippet of documentation shows, syslogd uses the logging "facility"
(LOG_MAIL, in this case) and the log level (LOG_INFO, in this case) for
selecting destinations for log entries. Since other mail-related programs
would use the same logging facilities, there is no standard way to filter
bogofilter-specific entries to a file.

If you really want to do that, I can think of three ways to do it.

1. Pipe all "mail.info" entries into a named pipe and write a program to
monitor and read the contents of the named pipe. The program can then write
entries that match a bogofilter-specific regex to a file.  This could get
messy since the pipe will block syslogd when the buffer gets full.

2. Write a program to monitor /var/log/maillog and pick out the
bogofilter-specific entries. This is safer and could be made to work very well.
I did something similar a while back and it works quite well. The trick is to
use existing tools whenever possible. svscan, daemontools, tail, and a little
perl are all you need. Let me know if you're interested in this solution and
I'll elaborate.

3. Give up on regular syslogd and install syslog-ng from http://www.balabit.com
or Gerrit Pape's socklog from http://smarden.org/socklog, which is best suited
to a site that already uses daemontools.

Of course, one could also change bogofilter to not use syslog at all.
On a busy system, syslogd should be the logger of last resort and least preference.
It will frequently use more CPU time and generate more disk IO than the
clients generating log messages!


-Gyepi
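
An added example, not part of the original message and not bogofilter's own code: a sketch of option 2 in Python that follows /var/log/maillog and keeps only entries whose syslog tag is "bogofilter[pid]:", as produced by the openlog() call quoted above. It assumes the traditional syslogd line layout; the sample lines are constructed, and the match is anchored on the tag position so that text such as a logged mail subject mentioning bogofilter is not picked up.

```python
import os
import re
import time

# Traditional syslogd line: "Jul 22 23:33:25 host tag[pid]: message".
# openlog("bogofilter", LOG_PID, LOG_MAIL) yields the tag "bogofilter[pid]:".
ENTRY = re.compile(
    rb"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d "  # timestamp
    rb"\S+ "                                     # hostname
    rb"bogofilter\[\d+\]: "                      # program tag, in tag position only
)

def is_bogofilter_entry(line: bytes) -> bool:
    """True when bogofilter wrote the entry, not when its name merely appears."""
    return ENTRY.match(line) is not None

def follow(path, poll=1.0, from_start=False):
    """Yield complete lines appended to path, surviving rotation and truncation."""
    f = open(path, "rb")
    if not from_start:
        f.seek(0, os.SEEK_END)
    pending = b""
    while True:
        chunk = f.readline()
        if chunk:
            pending += chunk
            if pending.endswith(b"\n"):   # hold back half-written lines
                yield pending
                pending = b""
            continue
        time.sleep(poll)
        try:
            st = os.stat(path)
        except FileNotFoundError:
            continue                      # mid-rotation, retry
        if st.st_ino != os.fstat(f.fileno()).st_ino or st.st_size < f.tell():
            f.close()
            f = open(path, "rb")          # new or truncated file: start at 0
            pending = b""

# Constructed sample lines (hostnames, PIDs and message text are made up).
SAMPLE = [
    b"Jul 22 23:33:25 mx1 bogofilter[4242]: constructed bogofilter message\n",
    b"Jul 22 23:33:26 mx1 postfix/smtpd[811]: connect from example.test\n",
    b"Jul 22 23:33:27 mx1 sendmail[900]: subject=bogofilter[1]: spoofed text\n",
]

if __name__ == "__main__":
    for line in follow("/var/log/maillog"):
        if is_bogofilter_entry(line):
            print(line.decode(errors="replace"), end="")
```

Run under a supervisor with stdout redirected to the bogofilter-only file; the reader never blocks syslogd, unlike the named-pipe approach in option 1.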


