SourceForge Logo Syslog Automation and Archive Handler

What is Sarah?

Sarah (Syslog Automated Rotation and Archive Handler) is a logfile archival tool similar to older programs such as newsyslog. It is designed to be run periodically out of cron, and will trim, rotate, archive, and delete log files based on criteria laid out in its config file.

That's a pretty general overview, and begs the obvious question:

Why should I use Sarah instead of my OS's log rotation tool?

Put simply, Sarah is intended to be much more flexible than whatever came with your OS. The idea for Sarah was originally conceived when I first had to administrate a farm of Solaris machines (Solaris comes with no log rotation tool whatsoever). However, it quickly became apparent that with a little work it could easily improve on the tools included with other POSIX operating systems. For further discussion, see the feature list.

Where can I get Sarah?

The current release of Sarah is version 0.9b. There are now two main distrubution points:

Sarah is also included in the FreeBSD ports tree at /usr/ports/sysutils/sarah/

Development of Sarah takes place at SourceForge. Visit the Sarah project page here.

How do I install Sarah?

There are several simple steps to installation:

  1. Edit the top of the sarah program, changing the path to perl and the $config, $compBin, $compSuffix, $rotate_msg and $syslogdPID variables to suit your system and taste. The defaults there will match most current systems. $compBin and $compSuffix may be changed to use any compression program, not just gzip. sarah has been tested using gzip, compress, bzip and bzip2, but any compression program which will accept the -f (force) switch will work as long as you set $compSuffix correctly.
  2. Copy sarah into the binary directory of your choice. /usr/local/bin/ is the usual choice.
  3. Copy sarah.conf.sample into the location you set for $config at the top of sarah, then modify it to meet your needs. By default, the config file is stored as /usr/local/etc/sarah.conf
  4. If you want, copy the man page (sarah.1) into the man section 1 directory. Don't worry if you choose not to do this. You can still access the sarah documentation by typing 'perldoc sarah'
  5. Set cron to run sarah periodically. Sarah is normally run as root every minute. Consult the crontab(1) or crontab(5) man pages on your system if you're not certain how to do this. Common crontab entries for sarah might look like one of these: 
       * * * * *            /usr/local/bin/sarah
   * * * * *    root    /usr/local/bin/sarah
    Check the perl documentation ('perldoc sarah') or the sarah(1) man page for command line arguments you may want to use.


What other documentation is there?

At present, just the POD documentation included with Sarah. Once Sarah is installed you can access it by typing `perldoc sarah` in your shell, or if you've installed the man page, `man sarah`. You can also view the Sarah man page online: sarah(1)

What support is there for Sarah?

There are two mailing lists for Sarah users:

sarah-announce:
This list carries announcements about new releases and updates to the software. Subscribe to this if you just want to know when something new happens. Traffic is extremely low -- approximately one message every couple of months.
sarah-support:
This is for discussion among users of Sarah. It's useful for getting help, reporting bugs, or requesting new features. All are welcome, though I wouldn't recommend subscribing to this if you're already on sarah-announce; all -announce messages are copied to -support.
You can subscribe to both of these mailing lists by sending a message to sarah-announce-request@conundrum.com or sarah-support-request@conundrum.com with the subject "subscribe", or by visiting the web interface at http://www.conundrum.com/ecartis/

If you have a request or comment to make, but don't want to get involved in a mailing list, I would invite you to email me personally at mattp@conundrum.com. Please note however that if it seems appropriate I may copy any replies to the support list. Also available is the SourceForge's Tracker system, which you can use to submit bug reports, ask for support, or request a feature.

So what features does Sarah have already?

The current feature list is already, I believe, well ahead of the default tools, and is growing steadily. Here's what's there now:

Ability to set default parameters for any following log entries
If you have a dozen log files, all rotated at the same time of day, just set the rotation time once, rather than repeating duplicate information for all entries.
Rotation based on date and/or time and/or file size
The date/time specification for file rotation is extremely flexible, based primarily on the logic used by Vixie Cron. The size specification is also flexible, allowing you to specify file size in bytes, kilobytes, megabytes, gigabytes, and terabytes. Unlike some other rotation tools, you can also alter the logical operation used when both a date and size are specified for a file (AND vs. OR).
Rotate files into an alternate directory
Each log file has the option of having its archived files stored somewhere other than the directory where the log itself resides. This is useful for keeping your log directories clean when you keep a large number of log files, or for storing old logs in a central repository such as on an NFS mounted filesystem.
Ordinal or date-based archive naming
Archived logs can be named with an ordinal extention (.0 for most recent, .1 for next most recent, .2 the next, etc.) or with a date extension of the form .yyyymmdd-x, where x is 0 for the first log rotated that day, 1 for the next, etc.
Sortable archive file names
Index numbers on archive files are always padded to allow a listing of files to sort correctly.
Syslog reporting
Sarah can send send errors or other output to syslogd instead of, or as well as, to STDERR.

License

Copyright © 2000-2002, Matt Pounsett. This software is distributed under the terms of the GNU General Public License.