Re: Logging: stderr vs syslog?

It all depends on how comfortable you are with loosing some of the log
messages in the event of a server crash or syslog daemon crash.

One of my primary roles is logging with regards to security and
auditing, so I am not comfortable with loosing ANY messages. For me, if
you are not copying log messages to one or more central servers and are
only storing log messages to local log files I would recommend that you
do NOT remove the sync option for syslog.

On the other hand we run some databases that contain only public
information that is transient in nature. Security and auditing are not a
concern in these environments so we could tolerate some message loss if
the server were to crash. The likelihood is low and the loss of some log
lines is not a significant concern. In my opinion disabling the sync
feature in this environment would be acceptable.

You also need to consider that log messages are produced after a program
completes an action, so there is always a small window where the action
is completed but the log message is not yet produced by the application.
If the server crashes at that point you have effectively lost one log
message regardless of the sync setting of your logging infrastructure.

There is no right or wrong answer. It is a judgement call that you will
have to make for your use case.

If any PostgreSQL developers have read this far, perhaps you can add
details on where in the transaction process the log messages are
produced. Are the log messages produced immediately prior to the commit
acknowledgement or after the commit? I think the race condition exists
either way. Either the logs indicate that the action was committed when
it was not, or the commit is completed but the log message was not produced.

I hope I haven't made things more confusing for you.

Evan.

On 08/06/2017 05:29 PM, Don Seiler wrote:
> rsyslog on CentOS7, no central server, just local log files.
>
> I appreciate your suggestion of going to syslog support but I'm more
> interested in how those in the pgsql-admin community handle these
> concerns. I'm not asking for syslog support.
>
> Don.
>
> On Sat, Aug 5, 2017 at 7:31 PM, Evan Rempel <erempel(at)uvic(dot)ca
> <mailto:erempel(at)uvic(dot)ca>> wrote:
>
> Tou are now asking questions that are more appropriate for the
> specific syslog product you are using.
> rsyslog, syslogd, syslog-ng etc.
>
> In general you need to ask yourself what the ramifications of
> loosing the most recent locally stored syslog messages. If you are
> forwarding you syslog message to a central syslog server, or
> perhaps event two syslog servers then the loss of some local
> syslog messages in the event of a local host crash is not very
> significant.
>
> If you can live with the local loss then adding a "no sync" option
> to your syslog configuration is a good idea.
>
> For further details please follow up with your syslog specific
> support channel.
>
> Evan.
>
>
> On 08/04/2017 10:22 PM, Don Seiler wrote:
>> Thanks everyone for your feedback. I've got a test setup running
>> with syslog and logrotate and it's working well.
>>
>> Is there any concern with the syslog file sync where it's
>> suggested to put a dash before the file name to remove the sync
>> requirement?
>>
>> Don.
>>
>> On Aug 4, 2017 2:51 PM, "Evan Rempel" <erempel(at)uvic(dot)ca
>> <mailto:erempel(at)uvic(dot)ca>> wrote:
>>
>> I have been a systems administrator of PostgreSQL since
>> version 7.0. I am also a primary logging architect for a
>> 4000+ device network infrastructure and SEIM alerting
>> infrastructure architect.
>>
>> Syslog is by far the best approach to logging. With the right
>> product it is way FASTER than stderr and there are a ton of
>> tools to parse, analyze, view and report on syslog streams.
>>
>> There is one caveat with PostgreSQL version <= 9.5 and that
>> is that syslog messages are wrapped at approx 80 characters
>> which makes parsing and error detection problematic. pgBadger
>> may address this limitation by unwrapping such logs messages
>> whereas generic log parsing engines do not have any
>> specialized knowledge about how PostgreSQL lines might be
>> wrapped. PostgreSQL version <= 9.5 this is a compile time
>> only option but starting in 9.6 this is a runtime
>> configuration directive.
>>
>> There are two strong reasons for using syslog.
>>
>> 1. In a well architected logging solution the syslog process
>> on the host will also send the log messages to a central log
>> server. This means that if the database server is compromised
>> leading to an untrusted set of log files, there is a trusted
>> copy of the logs on another server.
>>
>> 2. When running a high availability or clustered database all
>> of the logs can be aggregated to a central log server which
>> places all of the logs from all of the database servers into
>> one easy to read/parse/process location.
>>
>> I hope this provides some rationale for using syslog.
>>
>> Evan.
>>
>> On 08/04/2017 09:26 AM, Don Seiler wrote:
>>> I've just inherited a few PostgreSQL DBs, having come from
>>> Oracle land. I'm looking to shore up the logging situation.
>>> Right now we use stderr logging and they get rotated based
>>> on size threshold. I'd like for those old logs to be gzipped
>>> so we can keep more on disk rather than current method of
>>> just deleting old logs to free up space. This is mostly on
>>> pgsql 9.2 with a couple of 9.3, but I'm planning to upgrade
>>> everything to 9.6.3 when I get my feet on solid ground.
>>>
>>> Couple of question around this:
>>>
>>> 1. I thought logrotate would be a no-brainer here, but it
>>> sounds like I should then change to use syslog rather
>>> than stderr. I've read some caveats around syslog
>>> needing to sync files and potentially slow things down.
>>> I'm wondering if any grizzled production postgres
>>> veterans could offer up their experience.
>>> 2. Alternatively I could just keep it going with stderr and
>>> have a separate script run find/gzip on log files beyond
>>> a certain mtime threshold. This would probably be the
>>> quickest to implement, but I'd much rather use logrotate
>>> facilities if there are no strong opinions against using
>>> syslog.
>>>
>>> Thanks in advance for your time, I'm sure I'll be making a
>>> lot of us of these mailing lists in the not-too-distant future.
>>>
>>> Don.
>>>
>>> --
>>> Don Seiler
>>> www.seiler.us <http://www.seiler.us>
>>
>>
>
>
>
>
> --
> Don Seiler
> www.seiler.us <http://www.seiler.us>