{"id":19061919,"url":"https://github.com/c-blake/kslog","last_synced_at":"2026-01-19T12:05:12.400Z","repository":{"id":85956857,"uuid":"236847829","full_name":"c-blake/kslog","owner":"c-blake","description":"Minimalistic Kernel-Syslogd For Linux in Nim","archived":false,"fork":false,"pushed_at":"2024-10-28T13:06:56.000Z","size":52,"stargazers_count":12,"open_issues_count":0,"forks_count":0,"subscribers_count":3,"default_branch":"master","last_synced_at":"2024-10-28T16:50:52.361Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Nim","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"isc","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/c-blake.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-01-28T21:38:44.000Z","updated_at":"2024-10-28T13:07:00.000Z","dependencies_parsed_at":"2023-07-15T03:02:13.629Z","dependency_job_id":null,"html_url":"https://github.com/c-blake/kslog","commit_stats":null,"previous_names":[],"tags_count":4,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/c-blake%2Fkslog","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/c-blake%2Fkslog/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/c-blake%2Fkslog/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/c-blake%2Fkslog/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/c-blake","download_url":"https://codeload.github.com/c-blake/kslog/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com
","kind":"github","repositories_count":223770417,"owners_count":17199680,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-09T00:23:57.987Z","updated_at":"2026-01-19T12:05:12.394Z","avatar_url":"https://github.com/c-blake.png","language":"Nim","funding_links":[],"categories":["systemd-journald","Development Tools"],"sub_categories":["Logging"],"readme":"Privilege and Complexity\n========================\nI mostly wrote this because I wanted to run my kernel/system logger not as\nroot.  I looked into doing this with `syslog-ng` and it seemed hard to get\nright.  `CAP_SYS_ADMIN` or whatnot also seem used.  I had a hunch that over\nthe years feature bloat had exploded sysloggers beyond reason making what I\nwanted unnecessarily difficult.  For what most people use it for, it should\nreally be a simple program anyway.  syslog-ng is over 300,000 lines of C.\nEven busybox syslogd clocks in at over 1,000 lines.\n\nInstead of all that jazz, I give you `kslog` - under 200 lines of Nim that\nlikely does all you really need in two easy pieces - a few dozen line easily\naudited privileged `kslog_open.nim` and 125-ish line `kslog.nim`.\n\nSadly, `kslog-open` (*not* `kslog`) must run as root to manipulate `/dev/`.\nAt this late date, there is probably no relocating of `/dev/log` or making\nbinding of Unix domain sockets easier.  This opening phase is *all* `kslog`\nneeds elevated privilege for.  
`kslog-open` just does this minimal work to\nset up input file descriptors 0,3 and then drops privilege \u0026 exec's `kslog`.\n`kslog` itself only needs permission to open its output files for write.\nIf said output files already exist with `syslog`-user writable permission,\nthe `syslog` user need not even have permission to create new files in\n`/var/log`.  Wide ability to write to `/dev/log` always affords an easy\nfill-the-disk attack, of course.\n\nLog Contents\n=============\nPriority \u0026 facility numbers are retained in `kslog` logs.  I doubt there is a\nbetter way to learn how to filter out informational|debug messages by altering\n`maxLevel` than looking at a big list of examples.  `grep '\\\u003cP[67],F[0-9]'\n/var/log/msgs` does just that.  Personally, I keep all priority levels, but\nPF-retention also makes it easy to grep for important things, too, while also\nkeeping the convenience of just one file.  Dropping these fields (and calendar\nyears!) harkens to disk space concerns long since past.\n\nLog Rotation\n============\nPersonally, I only do this every several years or so, but if disk space in\n`/var/log/` is at a premium (a bad idea, but sometimes things happen), you\ncan still rotate logs.  Since `kslog` never re-opens output files, showing\nhow to do this reliably here is warranted.  Would-be external log rotators\nshould SIGSTOP `kslog`, copy files, then truncate logs to zero, then SIGCONT.\nTo avoid losing msgs from filled backlogs, care should be taken to not leave\n`kslog` suspended indefinitely or even very long.  An example shell script is\n`log-arch` using the also included `cp_trunc.nim` program which usually only\nhas to suspend kslog for \"around milliseconds\".  Considering times are only\n1-second resolution, it is doubtful that delay would ever matter.\n\nRemote Logs\n===========\nWhen you want remote logs on some more trusted machine then I recommend\nproviding remote `rsync` access to local logs made by `kslog`.  
Provided\nthis access is one-way (trusted can access `kslogs` but not vice versa),\nI'd think this adequate protection/detection from intruders altering logs.\nIt is much lower tech just using ssh/rsync/etc. which you likely already\nknow how to use and additionally supports logs updated by entities other\nthan syslog (e.g. `wtmp`).  Detecting even transient revocation of such\nremote access by a local intruder is also easy.  This idea does not solve\nthe problem of literally zero local space for logs, though a network FS\nmay (while still copying from less to more trusted domains).\n\nEfficiency\n==========\nCompiled Nim programs are efficient.  I routinely see CPU usage in the range\n50..400 parts per ***billion*** with an RSS under 2 MiB.  This obviously varies\nbased on how much your system logs.  In any event, while I have not measured it\nI strongly suspect this program uses much less space/time than, say, syslog-ng.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fc-blake%2Fkslog","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fc-blake%2Fkslog","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fc-blake%2Fkslog/lists"}