[logs] Error messages from syslogd
Mordechai T. Abzug
morty at frakir.org
Thu Jul 12 14:38:45 PDT 2007
[If the moderator chooses not to forward this, I would not cast blame.]
On Thu, Jul 12, 2007 at 10:33:45AM -0400, Marcus J. Ranum wrote:
> Mordechai T. Abzug wrote:
> >I would love to live in a world where all code put into production is
> >bug-free. In practice, we live in a world where code put into
> >production usually contains bugs.
>
> Hang on - you asked me "what's wrong with this" and I told
> you. Then you reply "but we don't live in an ideal world" - that's
> cheating. If your precondition for wrongness is that things
> stay wrong, then - of course - nothing ever gets better. :)
I can realistically control how much logging is included in programs I
write or specify. I cannot realistically eliminate bugs in the
programs I write or specify. So bugs are a given, and verbose logging
is a valid response to that reality. I am not aware of any software
package that has been immune to bugs.
> You're also conflating a couple problems - we're not talking
> about buggy code, here, we're talking about error handling.
They go hand-in-hand. Programs have problems for any of a number of
reasons, which might be internal bugs, and might be external. A
well-written program compensates for such problems to the extent
possible. Independent of whether the problem is a bug or something
else, and whether the program is well-written or not, logging helps
one find out what is failing.
> This is pointless - now you're just making excuses for
> mediocrity. OK, so you bought some crap and you have to
> fix it. The problem is that if you presuppose that it's crap
> then you can also assume that the only "useful" messages
> you'll have in syslog are things like:
> (datetime) program: uh, wow: socket operation on non socket
The reality of my experience is that programmers often do a better job
on their logging than they do in the actual code. After all, logs are
easy, whereas correct code can be hard. Sure, there are times when
the program fails and the logs don't help you, but that's more the
exception than the rule. Isn't that *why* non-security people were
using logs for all the years before regulatory compliance became an
issue? I know that's true for me.

In different terms, I'm not making excuses for mediocrity, I'm
accepting the reality of mediocrity and requesting that people
compensate accordingly.
> Hang on, if you're assuming that the vendor is too stupid to write a
> decent crash dump, you have to assume that they're too stupid to
> write a decent syslog message, too. Stop making excuses for
> lameness, OK?
<shrug>. Again, the reality of the many products out there is that
they have useful log messages, and crash dumps that are either
non-existent or not nearly as useful. And remember that the program
doesn't always crash! If a mail server just mysteriously stops
sending messages, or suddenly jumps to 100% CPU, you don't get a crash
dump. If you're lucky, the mail server is logging messages telling
you the mail server can't reach the DNS servers (because some bozo
broke a router ACL) or that it is looping the email in a way that
bypasses normal loop detection.
> That makes you part of the problem, not part of the solution. The
> only way to get rid of the crap that is out there is to be
> absolutely, ruthlessly, utterly intolerant of crap.
All software is crappy. Some software is more crappy than others.
> My point in the previous posting is that if an application
> identifies a system error it ABSOLUTELY should put that in the log
> because things like "file system full" or "file table full" are
> going to affect other processes. But stuff like program internal
> consistency error checks?
Oh! Sorry, I thought you were referring to obscure logged error
messages in general, not just the internal consistency checks.
> As I said before: that program:
> a) should not have had such an amateurish error - obviously it was
> coded by someone young and foolish. ;)
> b) should have offered a succinct diagnosis of the problem to the
> vendor so you didn't have to run around trying to figure it
> out
And it did indeed provide a succinct diagnosis. So thanks. :)
> What you're saying, in a nutshell is: "the suckage that I understand
> is better, because I understand it."
Could be. Time will tell, assuming one of the "cool new" logging
schemes ever achieves widespread adoption.
- Morty