How Should an Application's Logs Work? 93
emmjayell writes "You've been there, loaded up a new application (think server-based app like Apache or Samba ...), it's working okay for a few days or a few months, then the intermittent problems start. Usually it's the CEO or someone else of relative importance that is the first victim. You can't readily duplicate the problem, so you go to find out where the application put's it's logs - maybe it's in var/log/messages - maybe in it's own directory - sometimes it's right there and available in some administrative GUI. So what makes you happiest when diagnosing the problem? Do you want tools to access it? UI or command line? Do you want it formatted to use tools like cut and sed? Do you have any examples of an app that does a great job with system logging and diag logging? Background: My team is working on an application that is gearing up for a first release. We have a logging framework in place already (we are using Apache: logging.apache.org/) -- so that covers how we are logging, but not what we should log and how it should be laid out for optimal use."
My favorite logging app... (Score:4, Insightful)
Even though it is resource intensive, I prefer the developer log everything, and let me decide how verbose or terse I want the logs to be.
Re:My favorite logging app... (Score:2)
http://logging.apache.org/log4j/ [apache.org]
Re:My favorite logging app... (Score:1, Offtopic)
I hate going off-topic, but we all know
Some logging suggestions. (Score:2)
1. When your app creates a new log file, put in a header. In the header put the following information : retention period, logging level, full application path and name, where the source code to this application is located, who (at the time the code was last changed) can accurately interpret the contents of this log file, the original intent / purpose of the log file, the time / date stamp of the creation of the file. If you can look
Where's the log file?? (Score:1)
Re:Where's the log file?? (Score:1)
loggin and microsoft (Score:5, Funny)
Any kid of log is fine with me as long as it's there and it gives me some kind of insight into what's going wrong, e.g. "can't open this file," "that file's corrupt," "null pointer." Of course, text files are nice, because you can actually search through them.
Sadly, most applications for M$ operating systems usually just leave things like, "Error #543892157893421 occured." When you go to look up what error 84901257893423 is, no one in the world seems to have had it. Tech support proceeds to blame your hardware vendor, who blames your software vendor, ad nauseum. Seems like most applications for m$ operating systems just pull error numbers out of their asses.
Re:loggin and microsoft (Score:2)
Re:loggin and microsoft (Score:2)
This is standard computer procedure. Years ago I was working in a group where we used a Data General minicomputer. We were having some flaky behavior with it so we had a field tech come in and work on it. This guy, a hardware guy, determines that it is a problem with the software. He calls into DG to work out the software issue, and the DG software people start telling him that it must be a hardware is
Re:loggin and microsoft (Score:2, Funny)
To paraphrase, utopia cannot begin until the last SW field tech is strangled with the entrails of the last HW field tech.
FYI (Score:3, Informative)
Re:loggin and microsoft (Score:4, Informative)
Enjoy.
tyvm (Score:2)
Re:tyvm (Score:4, Funny)
Re:loggin and microsoft (Score:1)
When Where Who What (Score:5, Insightful)
When from Where did What by Whom
When = ISO 8601 Timestamp [iso.org] (from)
Where = IP Adress / Name of computer...
Who = which Login
What requested file foo/bar?a=213b=dfg
Re: (Score:3, Interesting)
Re:When Where Who What (Score:2)
For "big" applications you really can't do this because of bind variables. (You can, but it would add another level of complexity to your logging)
If you don't know I mean, then lucky you.
Re: (Score:2)
Bind Variable? (Score:2)
Re:Bind Variable? (Score:1)
'Bind variables' are, essentially, a database optimization. If you repeatedly execute many queries with the same structure, but different data values, you'll cause the underlying DBMS to repeatedly parse those statements. If you give the DBMS enough of a hint that the statements are, essentially, of the same structure, you can buy quite a l
Re:Bind Variable? (Score:2)
I'm not sure "parameterized queries" is what the GGP meant by "bind variables", because he mentioned that "bind variables" might only be used on "large applications." Truthfully, I thought everyone always used parameterized queries on all calls to the dabase, from all applications, large and small.
And yes, the Perl MySQL drivers have supported this for at least the last 6 years.
Re:Bind Variable? (Score:1)
Parameterized queries are pretty much a given if you're writing stored procs anyway (yes, we're all doing that). And I bet there's a single occurence somewhere of a non-parameterized query that's more efficient than a parameterized one.
Re:Bind Variable? (Score:2)
By "large" I meant "heavily used". It just has to be worth it to see the performance improvement that not parsing the statement for the 1000th time in an hour.
Not everyone uses parameterized queries because not everyone has to worry/encountered this optimization. One of the biggest negatives I get from programmers is that using bind variables makes it hard to figure out exactly what is happening.
Re:Bind Variable? (Score:1)
With bind variables you are sidestepping the entire problem of escaping special characters in your data, and many charset problems are solved automatically by the database driver.
SQL injection becomes almost[*] impossible, that alone justifies using it everywhere (IMHO).
[*] Only almost, because sometimes outside parameters are used to choose the name of a table or column, bind variable
Re:Bind Variable? (Score:2)
Re:When Where Who What (Score:2)
For "big" applications you really can't do this because of bind variables. (You can, but it would add another level of complexity to your logging)
I've done it in Java, and it's no big deal. You simply implement PreparedStatement with a logging feature, then dump the parameters + sql in the event of an exception. If you don't want to do that, you can usually get the pre-bind query in the event of an exception.
Re:When Where Who What (Score:2)
What about the insert of the insert of the insert of the log data?
And then you should probably be logging the insert of the insert of the insert of the insert of the log data.. and don't forget the insert of the insert of the insert of the insert^#(I*$&%*&
Error: maximum recursion depth exceeded.
Re:When Where Who What (Score:1)
Re:When Where Who What (Score:1)
Seriously, there's no way out of this one. Anyone have a logging-to-file system that, er, logs its logging in a file
Re:When Where Who What (Score:2, Insightful)
Re:When Where Who What (Score:1)
Re:When Where Who What (Score:2)
syslog! (Score:4, Insightful)
I say this as a sysadmin for a large number (several thousands) of servers. So many problems could be solved by Apache et al using, and modifying where necessary, the existing solutions. But they don't, they roll their own, and so we see problems.
I realize this is a sorta OT rant, but it's causing major problems for me at work and so I think it's justified. Stuff like rotatelog has functionality to tell Apache "dump your logs, I'm rotating the file!" (which by the way doesn't always work) which could be easily rolled into a single notification of the syslog daemon. But it isn't. For whatever perverse reason, Apache and many others decided to roll their own.
It pisses me the fuck off, having to deal with it. The greatest shortcoming by far of OSS is this insistency on reimplemtning proven, robust, existing solutions in favor of a trivial fix. This is a particularly egregious example, one the OSS world would be served well by acknowledging.
Re:syslog! (Score:4, Interesting)
SELECT SUM(transfersize)/1024 FROM logs.apache WHERE vhost = "files.darien.ca" AND date > "2005-05-01 00:00:00" AND date "2005-06-01 00:00:00"
Now I have the amount of bandwidth (in kilobytes) that was served from my files site in the month of May. Doing this with raw logs is absurdly slow in comparison, and only gets moreso as time goes on. If you want to archive them in compressed format, you can do 'mysqldump --where="date
So my recommendation for logging: support mysql!
Re:syslog! (Score:4, Insightful)
tab separated plain text logging is just fine and dandy. Syslog is great because it has a standard format so any tools you make will just keep on trucking.
If you want a db of it do it in batch mode when you need it i.e.
zcat messages.0.gz | syslogtodb | grep httpd | mysql httpd
Why waste those CPU cycles indexing millions of lines of logging you'll never look at ?
Re:syslog! (Score:1)
Re:syslog! (Score:2)
Or, just do the Best of Both Worlds(tm) and dump your log to the database every night as part of the log rotation.
Re:syslog! (Score:2)
Alternatively, there is a Pg logging module for Apache (dblog, IIRC).
Re:syslog! (Score:4, Informative)
That's partially because Apache runs on Windows, which doesn't use syslog by default. Syslog also runs differently on different Unixes, and since not all Unixes are open-source, you can't always fix it.
Re:syslog! (Score:1)
I agree with the parent's rant that Unix progs don't necessarily exploit existing interfaces like syslog or tcp wrappers guess - my pet peeve is people not universally using --version or --help as parameters - perhaps if everyone continues to complain....
Another si
Re:syslog! (Score:2)
It pisses me the fuck off, having to deal with it. The greatest shortcoming by far of OSS is this insistency on reimplemtning proven, robust, existing solutions in favor of a trivial fix. This is a particularly egregious example, one the OSS world would be served well by acknowledging.
If you're adminning apps that use log4j, know that a syslog appender exists and can be used with a configuration change.
The logs are in the log directory (Score:5, Informative)
If you have simple logging needs, log via syslog and leave the details to the site.
For more complex needs, especially if you have several logs,
Obviously, the logs should be a text file. You ask if special tools should be provided. For text files we already have grep, sed, awk, perl.
The exception is if you are providing some kind of administrative GUI, say a web app. Logs that relate to specific functionality should be near the controls for that functionality. By using a GUI you are saying "I don't want to get my hands dirty" which, for time-pressed admins, is a perfectly legitimate approach for apps with complicated configuration architectures (Sendmail, WebShere 5). So the GUI should take away the complexity of having to know where the logs are. It should always be possible, though, to get at the text of the logs and run standard tools against them.
MHO.
Favorite logging (Score:3)
The alternative is to log everything in great detail, but do so in such a way as to make it truly trivial for me to strip out everything except the specific events in which I'm interested, in the level of detail in which I'm interested.
Re:Favorite logging (Score:1)
Re:Favorite logging (Score:2)
Re:Favorite logging (Score:2)
We, who don't, use the log4j [apache.org] framework. If I had one word to put into an ad for log4j it would be "flexibility". You can configure (at runtime!) what where and how your app logs things. Severity level, application-defined types of events, event data (wan't dd/yyyy/mm date format?
log4j (Score:3, Informative)
Configurable log levels, and you can define your own appenders.
Eg, I typically configure an email appender for severe/fatal errors, so they come straight to my inbox. Often I know of problems before the users do as a result of this.
Also, something described in one the Pragmatic Series of books is an RSS appender - just point your RSS reader at the channel, and wait for any errors to occur.
Re:log4j (Score:1)
the big problem with logging from java web pages is that many programmers forget that the server is multi-threaded; the answer is to have a local variable created at the start of each page from a static synchronized number which allows you to track which thread is generating the debug.
Re:It's a log (Score:2, Funny)
You've been there, sitting at a console peering at your application's newly created text log file after a crash. The question, naturally, turns to editors. Should you open it with vi? Maybe emacs? Is nano the tool you're looking for?
What editor makes you happiest when viewing log files? Do you enjoy navigating with intuitive kay combinations? Does syntax highlighting make your day? Do you have any examp
Re:It's a log (Score:1, Informative)
Re:It's a log (Score:2)
I resent that!
sendmail (Score:1)
A good reference (Score:5, Informative)
http://www.faqs.org/docs/artu/ch05s02.html [faqs.org]
Document and be grep-friendly (Score:5, Interesting)
I really don't much care where logs are kept or what particular format they are in. However, it's important that the man page tells me where the logs are, and clearly documents the format of the log files. What do flags mean? What do particular messages mean?
Also, formatting the logs in such a way that they can be quickly searched with grep or parsed by a simple script is most helpful. One of my favorite loggers does this:
This lets me see everything in chronological order, but I can quickly parse the log. Splitting on ':' will yeild the first two feilds consistently, and the first four chars are *always* the type of log message. So doing something like:
Lets me immediately see all the errors for a given day. The key to good logging is, IMO, making sure that the logs can be parsed effectively.
Re:Document and be grep-friendly (Score:3, Informative)
#1 wastes space with colons. that means you technically have the split on ": ", not " ".
#2 doesn't put the date first. That means if you're merging logs from multiple sources, you can't just sort them.
#3 uses some bizarre ridiculous date format that the author probably made up himself. Where does "May" come from? Is it dependent on the locale? Why does it have "05.May"?? What is CDT? There is more than one time zone that has abbreviation CDT. And if you're talking C
Re:Document and be grep-friendly (Score:2)
These errors are famously generated by the unix lp drivers, which assumed that any error a printer reported that wasn't offline or out of paper was on fire.
Re:Document and be grep-friendly (Score:1)
"#1 wastes space with colons."
It actually looks like it's using the colon as the field separator to avoid having to deal with whitespace in the message. Although colons could also be present in the message, they're far less likely to occur than spaces. True, it's probably a nasty optimization, and I'm not sure why the colons are augmented with spaces, but it's not all bad.
"#2 doesn't put the date first."
Agreed, but, as you point o
Always rotate your log files (Score:3, Insightful)
You'd be amazed how many Internet applications crash simply because the logs fill up the partition that hosts the application.
This problem was threefold, because:
1. The logfiles should never get that size
2. Logs should usually exist on a seperate partition like
3. People usually ignore the messages in a Production debug log
I run 12 moderate websites. We easily generate 5GB of logfiles a week (Rotated). It used to be 10GB, but then I switched off debug logging and fixed the most common errors.
When I started my current job 1 year ago, I deleted 40GB of logs which ran back to year 2000.
Re:Always rotate your log files (Score:1)
Re:Always rotate your log files (Score:2)
Log rotation should definately be flexible.
Coerce Consistency (Score:5, Informative)
So, in order to make storage, analysis and reporting easy, your framework should attempt to coerce a consistent approach to the data logged - even the plaintext "human readable" data if you can. If you can do the same with metadata about the event (e.g. ID fields, links to online KBs etc), so much the better.
BB
User configurable levels of logging (Score:3, Insightful)
Errors should be clear (Score:5, Insightful)
What really matters to me is that errors get logged nicely. "Error number #57575" or even "permission denied" doesn't help at all. It needs to be specific "permission denied while opening file
Just remember, the people installing your software and using probably don't the first thing about the way it works on the inside. You have to explain to them what went wrong and give them clues on how to fix it in a short error line.
Oh, it's also nice to have a link back to the original source line that caused the problem. In C, use __FILE__, __LINE__, and __func__ (if you have it) so that if I'm really stumped I can download your source, quickly find the error and start working backwards to find the cause. However, this could get confusing if there are a number of different versions of your code floating around, and it's not as important as the other things I mentioned.
-David
The client was denied access by configuration rule (Score:4, Insightful)
To paraphrase an Apache (1.x) error I recently encountered, was: "The client was denied access by configuration rule.".
First of all: which rule did the denial? Second: does the program recall the file or line this rule was in or on? Simply having the text or location of a rule would be a huge help in debugging.
For Postfix with large mail volume use... (Score:2)
Set it up with cron, get a mail every day and keep them for a few days. Saves you a lot of headache.
For all other stuff use egrep (or grep), awk and sed. I did my own scripts to search for specific abuses. vim in command line mode may also come in handy.
Tips for writing scriptable UNIX programs (Score:2, Insightful)
1. Use stdout and stderr appropriately: I should be able to run "foo > file" and see warnings on my console, but only get useful data in the file. Don't write messages to stdout if they aren't useful output. C++ has std::clog too. Don't make scripts use "grep -v" to remove random status messages or whatever.!
2. prefix your warnings/error
Windows 2000 (Score:3, Informative)
Re:Windows 2000 (Score:2)
Re:Windows 2000 (Score:2)
It's more than that. The format matters too. The Linux way is to dump everything into a text file and let the human figure it out. There is no clear boundary between log messages, for example. Some messages are logged with several entries. There is no way to tell what the severity of the error is except by filtering certain logs into different files.
Re:Windows 2000 (Score:1)
Any real problem, and it's like finding a needle in a haystack. grep is a much more useful tool in sorting out what's going on.
To be fair, the Windows Event Log GUI has a filtering mechanism, but I find grep to be much easier to use in practice. Further, the filtering mechanism is limited to the logging services notion of catagories ("Source" "Event Catagory", "Severity" "System"). Most of the time that I need to troubleshoot problems these catagories obscur
Make sure you ID the section of code (Score:2)
For example, if I am coding in perl on apache I might have a handler called 'employees.pm'
sub add_employee
{
try { [something that generates an error]}
catch {
log("Error 1001 at employees.add_employee.100: Can't find the file $filename");
}
try { [something else that generates an error]}
c
Re:Make sure you ID the section of code (Score:2)
Exceptions are great to *REDUCE* the clutter created by the endless if(doit){ error() }; sequences in non-exception-savy programming languages, but you just seem to use exceptions as some different type of return code for your functions.
You assume that some specific exception is thrown by your functions, because you don't distinguish between the possible causes in your catch{} blocks.
I'd say, a better way of writing would have been:
try {
all_your();
Allow turning off/on without reboot needed (Score:1)
How do you alert someone that something's wrong? (Score:1)
Integrate with the OS' logging (Score:2)
Do not invent your own.
Use the openlog(3) and syslog(3). Document the facility you are going to use (like LOG_LOCAL0) and allow it to be changed through config-file or command-line option.
Once there, use different priorities for messages of different importance (from LOG_DEBUG to LOG_EMERG) -- the verbosity can be set once during the config-processing through the openlog(3).
There are tools to process such logs, rotate them, and to send messages to a central location. You don't need to worry about t