Re: Central logging methods and thoughts

One of the wackier ideas I have had to solve this problem, is to use a private IRC server.

(waits for laughter to subside...)

But seriously, I think it could work quite well. Standard syslog is flawed at a large site central logging because we ran out of channels, and that got me thinking. Here are some of the things that I think would be good about using IRC for application logging:

With IRC you have easy bot's to save the log to disk, and you can do that in more than one location to have redundancy of storage
When you are tracing a live problem, you can just log in to the appropriate logging IRC channel (with the appropriate security) and watch the log
Support staff could use regular IRC client features to alert them to error strings as soon as they occur within the log
The protocol is lightweight, well supported, and requires no extra daemons/libraries to be installed on your servers.
Multiple servers running the same application (eg. a web farm) could log to a single channel, thus automatically interleaving into a single time-sorted log (each server would use a different nick to allow easy source identification)

Syslog does, of course, have many benefits. Not least of which is the ability to chose local/remote/local+remote logging via the syslog config. There are also extensions to syslog which address some of it's weaknesses.

I'd be very interested if anyone has ever done anything like this. Of course I have left may issues unaddressed, like security etc.

Update: Specifically, I'm very interested to hear if anyone has ever implemented some form of logging server using POE

Comment on Re: Central logging methods and thoughts

Replies are listed 'Best First'.
Re^2: Central logging methods and thoughts by 5mi11er (Deacon) on Oct 10, 2005 at 14:50 UTC
Wow, I'm not an IM'er, never have been; but, I think this borders on brilliance. The thing that sucked me in the most about your idea is the channels, and with the ability to name channels however you'd like, there are potentially infinite channel names (ok, pedantically, it only approaches infinity; I assume there is a character limit for the channel names). I imagine being able to create a channel for, perhaps, different network device types, say, Cisco Routers, and another for, say, Nortel Switches, and yet another for Checkpoint Firewall routers. Changing hats, as a server guy, I could create my own set of server channels keeping track of resources like drive space, memory, cpu usage; and changing hats again, as an application developer/baby-sitter, I can create channels for the interoperation of various applications that all work together, etc. Now some of these abilities are already in syslog, but we're pretty limited in the number of channels we can use, so trying to coordinate between all the groups to agree on the "standards" to keep from "poluting" one anothers syslog files could get pretty ugly. I also like the relatively light weight for the "broadcast" ability of the syslog information. I'm not very familiar with the actual IRC protocol implementations, but way back when, I think I recall that if you wanted to create an IRC 'server', that server just had to ask (and receive permission) to receive the IRC messages; and similarly a client simply had to ask a server to be able to receive the appropriate messages. This seems to be fairly light weight, and things are even better if IRC now can actually use multicasting. ++ many times for this very cool idea. -Scott	[reply]
Re^2: Central logging methods and thoughts by radiantmatrix (Parson) on Oct 11, 2005 at 21:25 UTC
On its face, it might seem like a good idea. The problem is that IRC was intentionally designed to accomodate delays in communication. The timestamp in a given log is the timestamp for when the client recieves the message. Lag in the network, on the IRC server, or on the client machine could easily lead to inaccurate timestamp data -- even to the point of causing events to appear in a different order from which they happened (from different processes). A partial solution would be sender-side timestamps, but then you have authority issues as well (how do you know someone doesn't accidently duplicate a login ID for a given application? what about multiple instances?). Most of these are solvable, but rely heavily on the senders to do the right thing. A solution which I have seen work well is implemented over a database, with a logging daemon running on each local host. It works sort of like this: an application performs IPC (in this case, it was an XML message to the local daemon using a telnet protocol) sending a few pieces of information (pid, status-code{1=warn, 2=err, etc.}, description). The local daemon timestamps it in the order recieved, and creates DB transactions that log the relevant info, from the daemon (including it's timestamp, the host name, etc.). In this setup, all applications log verbosely (not quite 'trace', but about 'debug' level), and the daemon can be configured to drop or forward messages at various levels. So, we can move to 'debug' on a given machine with one instruction to its daemon. There are some problems with the whole thing, but it has served us well overall. <-radiant.matrix-> A collection of thoughts and links from the minds of geeks The Code that can be seen is not the true Code "In any sufficiently large group of people, most are idiots" - Kaa's Law	[reply]
Re^3: Central logging methods and thoughts by aufflick (Deacon) on Oct 11, 2005 at 23:39 UTC
Agreed that a simple protocol like IRC has issues with security & integrity. You would have to trust yourself and your colleagues notto be stupid or evil. With the system you use, do you find that you have scaling problems with the db inserts? I assume that the local daemon will retry if the db becomes unavailable, but what does your app do if the local daemon becomes unavailable?	[reply]
Re^4: Central logging methods and thoughts by radiantmatrix (Parson) on Oct 12, 2005 at 20:40 UTC
We don't tend to have scaling issues with the DB because we have an HA database system. I don't know the details, but there are several "satellite" servers that accept queriers, and together they form a sort of "logical database" that is relplicated, in turn, to a more solid archive. I could be explaining it wrong, as I didn't set it up. The local daemon dying is one of the issues. Until recently, apps dealt with this in undefined ways (by which I mean the authors chose, there was no standard). Just recently, we decided that we'd write app-named files to a specific directory, which the daemon scans and uploads (and cleans) at startup. I have reservations about this, though -- it seems like asking for trouble. Powers that be know there are issues with this too, but no one (including me) has come up with a better idea yet... <-radiant.matrix-> A collection of thoughts and links from the minds of geeks The Code that can be seen is not the true Code "In any sufficiently large group of people, most are idiots" - Kaa's Law	[reply]
Re^5: Central logging methods and thoughts by aufflick (Deacon) on Oct 12, 2005 at 23:05 UTC