I certainly agree with your second statement; see my comments above.
For the first, I'm not sure requiring HW is a non-starter. It would have to be cheap---say $20 or less---to start with. Eventually, motherboard manufacturers would just start throwing it on the board, increasing the price of the board by $.50 given reduced costs and increased volume. We've seen that pattern over and over with dedicated hardware. Another possible path in this case is to make an append-only store controller part of the TPM spec (if it isn't already---I haven't looked).
There was a time (and I lived through it) where it was believed that memory protection hardware for microprocessors was a non-starter. Eventually people decided to pay: partly for security reasons. So there's some hope.
Posted Nov 19, 2011 17:57 UTC (Sat) by endecotp (guest, #36428)
> I'm not sure requiring HW is a non-starter. It would
> have to be cheap---say $20 or less---to start with.
Here's an idea that I had a while ago: make a USB dongle that appears to be a USB-to-serial converter. Data that is sent to it is recorded in its flash; you configure your system to send log messages to it like a serial console.
My aim was to have a "dying breath" log for machines where networked logging wasn't feasible, e.g. a single co-located server. The idea is that if there is a kernel panic and the critical last log messages don't make it to the disk, they might still make it to this device. You could then re-mount it, potentially on another machine, where it would appear as a storage device containing the log files.
You could make this relatively secure by not allowing a transition from logging mode to read mode without re-plugging.
This could be implemented by a simplish microcontroller with USB device functionality. Maybe a bit more than a PIC, but not much more.
One thing that I was unsure of was how likely it would be that the host's USB system would keep running for long enough after a kernel crash. Perhaps a real serial device, or a console video recorder, would work in more cases. This device would be rather pointless if it were no more reliable than the disk.
Anyway, just a tangential thought for you all...
There are already such devices on the market...
Posted Nov 20, 2011 8:04 UTC (Sun) by khim (subscriber, #9252)
What you are describing looks awfully close to the "PS3 JailBreak dongle".
PS3 Jailbreak works by overflowing a receiving buffer in the PS3, so it needs to emulate four or five (depending on the Jailbreak payload) USB devices, return bogus information with jailbreak code, etc. Significantly more than what your "logging device" should do. The price of these devices starts from about $10 retail, and this is with tiny runs, so not much of the "economy of scale". More expensive ones (in the aforementioned range of about $20) may even emulate a USB stick to make use after a successful JailBreak more pleasant!
In short: what you are describing looks perfectly doable.
The Journal - a proposed syslog replacement
Posted Nov 23, 2011 22:42 UTC (Wed) by cas (subscriber, #52554)
> Here's an idea that I had a while ago: make a USB dongle that appears to be a USB-to-serial converter. Data that is sent to it is recorded in its flash; you configure your system to send log messages to it like a serial console.
This bit of the idea is good
> You could make this relatively secure by not allowing a transition from logging mode to read mode without re-plugging.
but this bit isn't. It would make more sense and be far more usable if the USB dongle presented two devices.
The first device being a (perhaps serial) output device for writing log entries with maybe a control option for rotating log files by YYYYMMDD or whatever. each line sent to the device should have a "filename" (or syslog facility, or some other identifier) as the first word/field, with the remainder of the line being the log entry
The second a *read-only* USB storage device for reading the logs whenever you like.
so, the one device would provide write-once/append-only logging, and random read access to those logs
such a device could be made dirt cheap, too. it's just a USB flash disk with a slightly more capable processor & USB interface
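A minimal software model of the two-interface device described in the comment above, added here as an illustration; it is not part of the original thread or any real product. The class name, the tag alphabet, the `tag-YYYYMMDD.log` naming and the drop-when-full policy are assumptions.

```python
import datetime
import re

TAG_RE = re.compile(rb"[A-Za-z0-9_.-]{1,32}")  # assumed tag alphabet: no path separators


class AppendOnlyLogDevice:
    """Toy model of the dongle: a write-only log channel and a read-only view."""

    def __init__(self, capacity_bytes, clock=datetime.date.today):
        self._capacity = capacity_bytes
        self._used = 0
        self._clock = clock          # injectable so date rotation can be exercised
        self._files = {}             # "tag-YYYYMMDD.log" -> bytearray

    # --- interface 1: serial-like, append only ---
    def write_line(self, line):
        """Append one '<tag> <entry>' line; return False if it is rejected."""
        text = line.rstrip(b"\r\n")
        tag, sep, entry = text.partition(b" ")
        if not sep or not entry or not TAG_RE.fullmatch(tag) or b"\n" in entry:
            return False
        record = entry + b"\n"
        if self._used + len(record) > self._capacity:
            return False             # assumed policy: when full, drop new data, never overwrite
        name = "%s-%s.log" % (tag.decode("ascii"), self._clock().strftime("%Y%m%d"))
        self._files.setdefault(name, bytearray()).extend(record)
        self._used += len(record)
        return True

    # --- interface 2: storage-like, read only (no write, truncate or delete) ---
    def list_files(self):
        return tuple(sorted(self._files))

    def read_file(self, name):
        return bytes(self._files[name])   # copy: callers cannot alter stored data


def demo():
    """Run constructed sample lines through the model."""
    day = [datetime.date(2011, 11, 23)]
    dev = AppendOnlyLogDevice(capacity_bytes=64, clock=lambda: day[0])
    results = [dev.write_line(b"kern Oops: NULL pointer dereference\n"),
               dev.write_line(b"../auth spoofed entry\n")]   # bad tag, rejected
    day[0] = datetime.date(2011, 11, 24)                       # next day: new file
    results.append(dev.write_line(b"kern rebooted\n"))
    results.append(dev.write_line(b"kern " + b"x" * 64))        # over capacity, rejected
    return dev, results
```

The model exposes no call that modifies or removes stored records, which is the property the host would have to be unable to bypass on real hardware.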
The Journal - a proposed syslog replacement
Posted Dec 20, 2011 7:46 UTC (Tue) by topher (guest, #2223)
> For the first, I'm not sure requiring HW is a non-starter. It would have to be cheap---say $20 or less---to start with.
Yes, it is a non-starter. There is no computer (or parts) manufacturer that is going to start including specialized hardware, even if it only cost $0.01us, for a system that doesn't exist yet, and that hasn't been adopted.
Especially when a lot of people, including some of us who have spent years dealing with logging retention, access, security, processing, alerting, etc, look at this and think it's a bad idea.