
Accepting new functionality...
Michael Alan Dorman <mdorman(at)debian.org>
2003-12-02 17:26:40
First, Robert, I wanted to say that Pound has been great for the
company I work for---we're serving ~ 3M hits/9GB data per day through
a single PIII/1Ghz proxy server, and, frankly, if the box were any
more lightly loaded, it might shut itself off out of sheer boredom.

The version we're running has been lightly hacked, though, to do
CLF+vhost logging to a local file.  This gives us a single log to run
through our analysis scripts, avoids syslog's overhead and inherent
unreliability, etc.

Observing that few of my ideas are truly new, I wonder if:

 a) anyone else is interested in this functionality, and

 b) would such a feature be accepted into the official pound
    distribution?

Mike[...]

Re: Accepting new functionality...
Robert Segall <roseg(at)apsis.ch>
2003-12-02 17:58:32
On Tuesday 02 December 2003 17:26, Michael Alan Dorman wrote:[...]

Thanks - and glad you like it.
[...]

Not to spoil your enthusiasm, but I think this is already available in Pound 
as it stands:

- you can log to any syslog facility you care - define your syslog to send 
local4 (for example) to its own file and you're done.
- you can log to stdout/stderr. In conjunction with daemontools this gives you 
a nice stand-alone solution (without syslog).
- logging to a file is not really compatible with the Pound design: one of the 
goals is to avoid writing anything to disk for improved security.
- Pound allows you to do CLF (with or without vhost) - use LogLevel 3 or 4 for 
that. We normally use LogLevel 3 for webalizer input.
[...]

If it's useful - certainly. Perhaps you should first check on the answers 
above though?[...]

Re: Accepting new functionality...
Michael Alan Dorman <mdorman(at)debian.org>
2003-12-02 23:13:56
Robert Segall <roseg(at)apsis.ch> writes:[...]

Well, it's certainly close---as attested by the fact that my patch is
only 12 new lines of code (although it's also unconfigurable and
unconditional, so that 12 lines is for the "it works for me" case;
doing something suitable for consumption by others would be more code,
of course).
[...]
[...]

I, personally, have issues with these solutions, though I certainly
understand that they won't bother everyone:

 * syslog is not generally designed for high-volume logging

 * you have to scrape the syslog and/or pound prefix crud off the log
   information

 * access information is mixed with error reports in syslog

 * daemontools license requires that I build binaries myself, meaning
   additional sysadmin overhead

I realize these are largely things I could work around one way or the
other, but for me, at least, the easier solution was to have pound
output exactly what I wanted, exactly where I wanted it.
[...]

I am certainly sympathetic to this, though I am uncertain how writing
the log directly vs. the stderr/daemontools differ substantially in
their security implications.  At the same time, I don't pretend that I
am the end-all, be-all of security gurus.
[...]

Sure.  In fact, I'm using a cut-and-pasted copy of one of those bits
of code, just writing directly to a file---I just have issues with the
additional steps currently needed to get the output to the point where
I can actually analyze it.
[...]

Well, I did consider those options before making my changes, and their
cost/benefit did not compare with that of my patch---however, I also
understand that you may consider my patch "a solution in search of a
problem".

Anyway, I've attached it---it's short, and at least one person has
expressed interest.  If you decide you want to include it, great, I'd
be happy to flesh it out to be configurable, etc.

If you don't want to, that's fine, too---pound is nice and clean and
maintaining the patch for my own use will not be an onerous task.

Honestly, if you disagree with its utility I would rather see you
reject the patch, because I prefer maintainers who take the time to
make reasonable judgements about these things than those who include
code "because it's there".  I'm happy to take my time to make my case,
but crap code has a way of getting entrenched. ;)

Mike[...]

Re: Accepting new functionality...
Robert Segall <roseg(at)apsis.ch>
2003-12-03 07:14:19
On Tuesday 02 December 2003 23:13, Michael Alan Dorman wrote:[...]

Actually syslog-ng is - and remote logging is always a possibility.
[...]

One line cut(1)/sed(1)...
[...]

Not if you separate them by level - it is a question of syslog configuration. 
You can easily send the .info stuff to one file and others to another.
[...]

One-time job, and worth the effort.
[...]

Sure - that's why we distribute source. Have fun.
[...]

When a process writes to the disk it already has:

- permission for it (remember - the log may be outside the jail).
- an open file descriptor.

Both are possible attack vectors. By sending UDP datagrams to syslog we let 
syslog deal with it (in the hope they did a good job of avoiding the usual 
vulnerabilities), rather than putting the overhead in Pound.
[...]

Attached?
[...]

Don't worry Mike, we would be happy to see patches. It is just that in this 
case we probably wouldn't integrate them for the reasons I explained. It 
would be good however if you could make the patch available online somewhere 
so that whoever wants it could pick it up at their leisure. Let me know and 
I'll make a note of it on the Pound web page.[...]
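The facility-to-file split and the "one line cut(1)/sed(1)" prefix stripping Robert describes, as an added example that is not part of this thread or of Pound itself. The syslog line layout, the `pound` tag and the CLF payloads below are constructed assumptions for illustration, not Pound's verified output.

```shell
#!/bin/sh
# Illustrative syslog.conf line for the facility-to-file split (assumption:
# Pound configured to log to local4):
#   local4.*    /var/log/pound.log
#
# Constructed sample of what such a file might then contain: three access
# lines tagged "pound" / "pound[pid]" plus one unrelated daemon line that
# shares the file, which is exactly the "mixed with other reports" complaint.
SAMPLE_LOG='Dec  2 17:26:40 proxy pound: 192.0.2.10 - - [02/Dec/2003:17:26:40 +0100] "GET /index.html HTTP/1.1" 200 5123
Dec  2 17:26:41 proxy pound: 192.0.2.11 - - [02/Dec/2003:17:26:41 +0100] "GET /logo.png HTTP/1.1" 304 0
Dec  2 17:26:42 proxy sshd[99]: Accepted publickey for admin from 192.0.2.50
Dec  2 17:26:41 proxy pound[1234]: 192.0.2.12 - - [02/Dec/2003:17:26:41 +0100] "POST /login HTTP/1.1" 302 0'

# Strip "<Mon dd HH:MM:SS> <host> pound[pid]: " and keep only lines that
# carried the pound tag; -n with the p flag drops anything else, so other
# daemons' messages never leak into the CLF fed to the analysis scripts.
strip_syslog_prefix() {
    sed -n 's/^[A-Z][a-z][a-z] [ 0-9][0-9] [0-9:]\{8\} [^ ]* pound[^:]*: //p'
}

# Count the CLF lines produced for a given input (used as a sanity check).
clf_line_count() {
    strip_syslog_prefix | wc -l | tr -d ' '
}

# Stand-alone usage: print the recovered CLF.
printf '%s\n' "$SAMPLE_LOG" | strip_syslog_prefix
```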

Re: Accepting new functionality...
Michael Alan Dorman <mdorman(at)debian.org>
2003-12-03 20:18:22
Michael Alan Dorman <mdorman(at)debian.org> writes:[...]

Except, of course, I didn't.

Mike[...]
