| 1 |
Am Wed, 25 Feb 2015 10:13:14 +0000 (UTC) |
| 2 |
schrieb Duncan <1i5t5.duncan@×××.net>: |
| 3 |
|
| 4 |
> Rich Freeman posted on Tue, 24 Feb 2015 16:44:59 -0500 as excerpted: |
| 5 |
> |
| 6 |
> > On Tue, Feb 24, 2015 at 3:15 PM, Marc Joliet <marcec@×××.de> wrote: |
| 7 |
> >> |
| 8 |
> >> == Things I have *not* gotten rid of (yet) == |
| 9 |
> >> |
| 10 |
> >> I plan on uninstalling syslog-ng, but haven't done so yet. I simply |
| 11 |
> >> feel better waiting a bit, even though I don't run it anymore. Man, I |
| 12 |
> >> feel silly after typing that... |
| 13 |
> > |
| 14 |
> > Yeah, took me a while to uninstall it, but I don't find much value in |
| 15 |
> > running both. |
| 16 |
> |
| 17 |
> First, welcome to systemd! =:^) I may respond to other parts too but |
| 18 |
> this one's reasonably easy, while my choice is different, so I'll explain |
| 19 |
> what and why... |
| 20 |
> |
| 21 |
> Intro: I chose to keep syslog-ng running here, while I (of course) have |
| 22 |
> journald running as well. I believe the way I have configured both plays |
| 23 |
> to the advantages of each, while discounting the weak areas of each as |
| 24 |
> the other one covers that area. |
| 25 |
> |
| 26 |
> What: |
| 27 |
> |
| 28 |
> 1) Journald is configured to use volatile storage (the /run/log/journal |
| 29 |
> subdir, with /run being tmpfs) ONLY, effectively limiting it to single- |
| 30 |
> session. |
| 31 |
|
| 32 |
Right, I remember that from your thread a while back. |
| 33 |
|
| 34 |
> 2) Syslog-ng is configured pretty much as before, except that I have its |
| 35 |
> systemd USE flag turned on, which builds it with journald support so the |
| 36 |
> two cooperate a bit better. |
| 37 |
[...] |
| 38 |
> Meanwhile, for logs beyond one session, I still prefer traditional text- |
| 39 |
> based logs, tho I suppose that's partly because that's what I'm most used |
| 40 |
> to. But there's several advantages to it that I see: |
| 41 |
|
| 42 |
Personally, I don't mind the binary format, since the engineering advantages |
| 43 |
convinced me (constant-time access, lots of meta-data which you can filter by, |
| 44 |
git-inspired chain of hashes for integrity checking, etc.). |
| 45 |
|
| 46 |
> a) If the system crashes, partially corrupted in-the-crash text logs can |
| 47 |
> be of at least some use after a reboot. Binary journals, not so much. |
| 48 |
|
| 49 |
As Rich mentioned, and as I remember reading myself (on the btrfs ML?), the |
| 50 |
journal will do its best to read back from corrupted logs and is supposedly |
| 51 |
pretty resilient. |
| 52 |
|
| 53 |
> b) As far as I could find, journald has absolutely no mechanism to filter |
| 54 |
> incoming (pre-storage) log entries, while syslog-ng has had (pre-storage) |
| 55 |
> filter mechanisms for ages. Journald seems to have all sorts of outgoing |
| 56 |
> post-storage filter-on-output options, some of which are pretty nifty, |
| 57 |
> but there have been several times in the past where logs filled up with |
| 58 |
> "noise", thousands of repeat entries for something or other that occurs |
| 59 |
> regularly, say once a minute, that I simply do not care about and don't |
| 60 |
> want in my logs at all, but which I can't directly stop at the source for |
| 61 |
> whatever reason. One of them was a kernel bug that triggered for a few |
| 62 |
> kernel cycles, then eventually went away, another was a ksysguard |
| 63 |
> triggered message, with that ksysguard graph updating every second, etc. |
| 64 |
> Unfortunately, while journald makes it easy to filter these out on |
| 65 |
> output, I found no way of preventing their appearance in the journal at |
| 66 |
> all. |
| 67 |
> |
| 68 |
> But syslog-ng lets me dump them without ever actually logging them, or |
| 69 |
> route them to a different log file if I prefer, keeping my primary logs |
| 70 |
> clean. =:^) |
| 71 |
|
| 72 |
That is a very good point, I hadn't thought of that. |
| 73 |
|
| 74 |
However, I think that I prefer the post-filtering approach, since it is in |
| 75 |
principle the more flexible one. At work I sometimes mix the logs from |
| 76 |
different units (e.g., units A and B, and then units B, C, and D). |
| 77 |
|
| 78 |
But I realised today that journalctl has no negation operator! There is, |
| 79 |
however, an RFE for it. |
| 80 |
|
| 81 |
But regardless of what you use, I think that the worst offenders are services |
| 82 |
that write logs themselves (I'm looking at you, samba). |
| 83 |
|
| 84 |
> As a counter-point, however, at least journald does compression to some |
| 85 |
> degree, so tens of thousands of identical or nearly identical messages |
| 86 |
> don't take up as much room as you might expect as they compress very |
| 87 |
> well. =:^) I guess after the first instance, dups basically consist of a |
| 88 |
> timestamp and a pointer to the first message. So they don't take much |
| 89 |
> space. Which is fortunate when some "noise" message starts appearing |
| 90 |
> once a second... and you're storing it in tmpfs, thus in memory! |
| 91 |
> Obviously persistent logs would be similarly space efficient, but I still |
| 92 |
> don't like the idea of not being able to filter out the noise, BEFORE it |
| 93 |
> hits permanent storage, so I just make sure it /doesn't/ hit permanent |
| 94 |
> storage. =:^) |
| 95 |
|
| 96 |
Yeah, I think that's a good use case for pre-filtering: an overly noisy service |
| 97 |
whose logs you purposely want to ignore (for example, because you're still |
| 98 |
testing it - but then again, for that particular case you could probably use |
| 99 |
systemd-nspawn and log to an isolated journal). |
| 100 |
|
| 101 |
> c) I use btrfs for my primary filesystems, and btrfs and journald's |
| 102 |
> binary-format journals don't play so well together. FWIW, the latest |
| 103 |
> systemd-219 has lots of improvements for btrfs users, including some new |
| 104 |
> features that are btrfs-specific (which I never-the-less don't expect to |
| 105 |
> use right away as they're mostly VM/container oriented and I don't do |
| 106 |
> much of that sort of thing, but I may well eventually use them), as well |
| 107 |
> as some changes that should make journaling on btrfs work somewhat |
| 108 |
> better. So this point should be to some degree eliminated after that |
| 109 |
> stuff stabilizes tho part of the fix is journald setting nocow on the |
| 110 |
> journal files and that has other implications I'll skip further |
| 111 |
> discussion of here. However, by limiting journald to tmpfs only, I still |
| 112 |
> get the best benefits of systemd/journald integration (like status |
| 113 |
> including the last few log messages as mentioned above), while |
| 114 |
> eliminating the entire class of btrfs/journald issues. Best of both |
| 115 |
> worlds. =:^) |
| 116 |
|
| 117 |
Well, I'm on an SSD, but even on the laptop I haven't noticed any performance |
| 118 |
issues (yet). Then again, I use autodefrag, so that probably helps. |
| 119 |
|
| 120 |
What's funny though is that the systemd news file |
| 121 |
(http://cgit.freedesktop.org/systemd/systemd/tree/NEWS) occasionally |
| 122 |
refers to non-btrfs file systems as "legacy file sysetms". At least, as a |
| 123 |
btrfs user I think it's funny :) . |
| 124 |
|
| 125 |
> d) Tho I don't do anything with it in my syslog-ng config here, syslog-ng |
| 126 |
> can actually make use of some of the extra information journald passes to |
| 127 |
> it, including trusted per-app filtering and routing. One of the problems |
| 128 |
> that the old syslog approach had was that anything that could log |
| 129 |
> messages could claim to be anything it wanted, and syslog really couldn't |
| 130 |
> tell whether it was telling the truth or not, all it could do is sort and |
| 131 |
> report the messages based on what was claimed. A big bullet-point |
| 132 |
> feature of systemd/journald is that because systemd enforces service |
| 133 |
> separation via control-classes and the like, there's a much stronger |
| 134 |
> guarantee that what systemd/journald says is service X, is REALLY service |
| 135 |
> X and not service Y! But that's not limited to journald. Syslog-ng has |
| 136 |
> for several versions now had the ability to filter, route and report on |
| 137 |
> out-of-log-channel information such as the extra properties that journald |
| 138 |
> associates with each message, that make features such as systemctl status |
| 139 |
> reporting the last few log messages from that service possible, because |
| 140 |
> systemd/journald actually tracks it, AND passes it on to other loggers as |
| 141 |
> well now, providing they're built to use the API provided by the systemd |
| 142 |
> library I mentioned above. And again, for gentooers, syslog-ng is built |
| 143 |
> with that API, against that library, based on USE=systemd. So once |
| 144 |
> that's there, if desired, you can do all sorts of fancy filtering/log- |
| 145 |
> routing/etc based on information such as the application/service name, |
| 146 |
> that systemd passes along to syslog-ng. |
| 147 |
> |
| 148 |
> And again, with syslog-ng, this can be done BEFORE the actual logging if |
| 149 |
> desired, instead of logging everything and filtering only on output, as |
| 150 |
> journald does. =:^) |
| 151 |
|
| 152 |
That's actually pretty cool :) . You're basically using the journal as a log |
| 153 |
accumulator and syslog-ng for routing and post-processing its messages. |
| 154 |
|
| 155 |
Whiles that's not how I want to do things, I still appreciate how cool that |
| 156 |
is :) (and the fact that the journal can be used that way). |
| 157 |
|
| 158 |
> e) I'm simply more comfortable dealing with text-based logs, since I'm |
| 159 |
> used to them and can use whatever tools I want on them, as well as being |
| 160 |
> able to split/sort/route to multiple log files in as simple or complex a |
| 161 |
> setup as I want. =:^) |
| 162 |
> |
| 163 |
> Summary: |
| 164 |
> |
| 165 |
> For me, splitting up logging duties so journald does the collection, but |
| 166 |
> only does session journaling to tmpfs, while syslog-ng still handles the |
| 167 |
> "persistent" logging, gives me the best of both worlds. I love systemd/ |
| 168 |
> journald features such as log-messages-in-status and having seen how |
| 169 |
> useful it is, would seriously find it hard to do without. But at the |
| 170 |
> same time, I can't bring myself to accept persistent logging without the |
| 171 |
> ability to filter out the noise before it hits persistent storage, and |
| 172 |
> journal storage on btrfs is problematic anyway, with both problems nicely |
| 173 |
> solved by handing off to syslog-ng for my persistent storage needs while |
| 174 |
> keeping journald for same-session use, so that's exactly what I do. =:^) |
| 175 |
|
| 176 |
Right :) . |
| 177 |
|
| 178 |
Greetings |
| 179 |
-- |
| 180 |
Marc Joliet |
| 181 |
-- |
| 182 |
"People who think they know everything really annoy those of us who know we |
| 183 |
don't" - Bjarne Stroustrup |
Archives