Where are userspace programs supposed to save their logs?

If you as an ordinary user decide to run a program, the natural place for its logs is in your home directory. Your home directory is meant for you to store all your files, whether they are logs of a program you run or anything else.

If the program is executed as part of the system, running as a typically dedicated system user, then the natural place for its logs is in /var/log. Create a subdirectory /var/log/myapp and give it appropriate permissions so that your application can write there.

If relevant and your operating system allows it, mark the log file as append-only. Only root can do this. This has the advantage that if your application is compromised, it won't be able to erase past logs, which can be very useful for forensic analysis of the compromise. You will need root's intervention to rotate the log: chown so that the log file can no longer be opened by the application, rename the log file, create a new append-only file with appropriate ownership, then notify the application to open the new empty file.

You can make any application log to the system logs by calling logger(1) or syslog(3).
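
The application side of the append-only rotation procedure above, as an added example that is not part of the original answer: the log is opened with O_APPEND and without O_CREAT, and reopened once root signals that rotation is done. The class and function names, SIGHUP as the notification, and the temporary-file stand-in for root's steps are assumptions; root's chown and append-only marking are not performed here.

```python
import os
import signal
import tempfile


class AppendOnlyLog:
    """Writer for a log file that root has marked append-only."""
    def __init__(self, path):
        self.path = path
        self.fd = None
        self.reopen_requested = False
        self._open()

    def _open(self):
        # O_APPEND is mandatory: on Linux, opening an append-only file for
        # writing without it fails with EPERM. No O_CREAT: only root creates logs.
        new_fd = os.open(self.path, os.O_WRONLY | os.O_APPEND)
        if self.fd is not None:
            os.close(self.fd)
        self.fd = new_fd

    def request_reopen(self, signum=None, frame=None):
        # Usable as a signal handler: set a flag, reopen on the next write.
        self.reopen_requested = True

    def write(self, message):
        if self.reopen_requested:
            self.reopen_requested = False
            self._open()
        os.write(self.fd, (message + "\n").encode())


def simulate_root_rotation(path):
    """Constructed stand-in for root's rename and create steps."""
    os.rename(path, path + ".1")
    os.close(os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600))


if __name__ == "__main__":
    path = os.path.join(tempfile.mkdtemp(), "myapp.log")
    os.close(os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600))
    log = AppendOnlyLog(path)
    signal.signal(signal.SIGHUP, log.request_reopen)  # assumed notification
    log.write("before rotation")
    simulate_root_rotation(path)
    os.kill(os.getpid(), signal.SIGHUP)
    log.write("after rotation")
    with open(path + ".1") as old, open(path) as new:
        print(repr(old.read()), repr(new.read()))
```

Until the reopen happens, the application's descriptor still points at the renamed file, so anything written in that window lands in the rotated log rather than the new one.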


You can't write to /var/log as a normal user, but the syslog daemon will do it for you if you ask. If you'd like to log messages to the standard system logs (e.g. /var/log/syslog), the 4.4BSD utility logger might be available on your system. It's installed by default on Debian, and is in the bsdutils package on Debian derivatives.

You'll get the advantage of any pre-existing log rotation, maintenance, and monitoring tools, with the disadvantage of needing privileges to read the system logs, and of having your script's messages mixed in with messages from other programs.

$ logger Hello
$ echo Goodbye | logger
$ sudo tail -2 /var/log/syslog
Feb 19 21:16:15 debian-host jander: Hello
Feb 19 21:16:21 debian-host logger: Goodbye

There are several configuration options available; you can read more in man logger.


I'm under the impression userspace programs are expected to discard logs by default. I've seen various programs dump logs wherever they feel like, and it's never particularly welcome on my systems; tending to build up in some location that is never noticed unless/until it gets huge.

I would prefer if there was a definite place for them; I'm playing around on my system trying to find a stable place for them.

My first idea was to use /var/run/user/$UID/log, but found that on my system, that is a TMPFS mount, not large enough, or really good for use with logs.

Create a place for them

Since I don't understand /var/run/user well enough to integrate with it, I've chosen to emulate it by hand, for user 1000.

# mkdir /var/log/user
# install -d /var/log/user/1000 --owner 1000 -g 1000 -m 0700

I would recommend sticking to the FHS /var/log spec for the structure within this folder, but the spec is free-form so there isn't much to comply with.

Logrotate Config

There is no existing log rotation on this directory provided by your system; I recommend creating one for your system:

# /etc/logrotate.d/userlogs

/var/log/user/*/log/*.log 
/var/log/user/*/log/**/*.log
{
        daily
        missingok
        rotate 7
        compress
        notifempty
        nocreate
}

Below is my previous /var/run/user/1000/log post. I cannot recommend it unless you really know what you're doing (and if you do, tell me how to, too!)

maybe as follows, but I just made this up because it made sense to me.

/var/run/user/1000/log/<app>.log
/var/run/user/1000/log/<app>/<context>.log

Integrate with /var/log/user/1000:

# Integrate with above /var/run/user, probably a bad idea:
# ln -s /var/log/user/1000/ /var/run/user/1000/log