1 |
Am Wed, 25 Feb 2015 10:13:14 +0000 (UTC) |
2 |
schrieb Duncan <1i5t5.duncan@×××.net>: |
3 |
|
4 |
> Rich Freeman posted on Tue, 24 Feb 2015 16:44:59 -0500 as excerpted: |
5 |
> |
6 |
> > On Tue, Feb 24, 2015 at 3:15 PM, Marc Joliet <marcec@×××.de> wrote: |
7 |
> >> |
8 |
> >> == Things I have *not* gotten rid of (yet) == |
9 |
> >> |
10 |
> >> I plan on uninstalling syslog-ng, but haven't done so yet. I simply |
11 |
> >> feel better waiting a bit, even though I don't run it anymore. Man, I |
12 |
> >> feel silly after typing that... |
13 |
> > |
14 |
> > Yeah, took me a while to uninstall it, but I don't find much value in |
15 |
> > running both. |
16 |
> |
17 |
> First, welcome to systemd! =:^) I may respond to other parts too but |
18 |
> this one's reasonably easy, while my choice is different, so I'll explain |
19 |
> what and why... |
20 |
> |
21 |
> Intro: I chose to keep syslog-ng running here, while I (of course) have |
22 |
> journald running as well. I believe the way I have configured both plays |
23 |
> to the advantages of each, while discounting the weak areas of each as |
24 |
> the other one covers that area. |
25 |
> |
26 |
> What: |
27 |
> |
28 |
> 1) Journald is configured to use volatile storage (the /run/log/journal |
29 |
> subdir, with /run being tmpfs) ONLY, effectively limiting it to single- |
30 |
> session. |
31 |
|
32 |
Right, I remember that from your thread a while back. |
33 |
|
34 |
> 2) Syslog-ng is configured pretty much as before, except that I have its |
35 |
> systemd USE flag turned on, which builds it with journald support so the |
36 |
> two cooperate a bit better. |
37 |
[...] |
38 |
> Meanwhile, for logs beyond one session, I still prefer traditional text- |
39 |
> based logs, tho I suppose that's partly because that's what I'm most used |
40 |
> to. But there's several advantages to it that I see: |
41 |
|
42 |
Personally, I don't mind the binary format, since the engineering advantages |
43 |
convinced me (constant-time access, lots of meta-data which you can filter by, |
44 |
git-inspired chain of hashes for integrity checking, etc.). |
45 |
|
46 |
> a) If the system crashes, partially corrupted in-the-crash text logs can |
47 |
> be of at least some use after a reboot. Binary journals, not so much. |
48 |
|
49 |
As Rich mentioned, and as I remember reading myself (on the btrfs ML?), the |
50 |
journal will do its best to read back from corrupted logs and is supposedly |
51 |
pretty resilient. |
52 |
|
53 |
> b) As far as I could find, journald has absolutely no mechanism to filter |
54 |
> incoming (pre-storage) log entries, while syslog-ng has had (pre-storage) |
55 |
> filter mechanisms for ages. Journald seems to have all sorts of outgoing |
56 |
> post-storage filter-on-output options, some of which are pretty nifty, |
57 |
> but there have been several times in the past where logs filled up with |
58 |
> "noise", thousands of repeat entries for something or other that occurs |
59 |
> regularly, say once a minute, that I simply do not care about and don't |
60 |
> want in my logs at all, but which I can't directly stop at the source for |
61 |
> whatever reason. One of them was a kernel bug that triggered for a few |
62 |
> kernel cycles, then eventually went away, another was a ksysguard |
63 |
> triggered message, with that ksysguard graph updating every second, etc. |
64 |
> Unfortunately, while journald makes it easy to filter these out on |
65 |
> output, I found no way of preventing their appearance in the journal at |
66 |
> all. |
67 |
> |
68 |
> But syslog-ng lets me dump them without ever actually logging them, or |
69 |
> route them to a different log file if I prefer, keeping my primary logs |
70 |
> clean. =:^) |
71 |
|
72 |
That is a very good point, I hadn't thought of that. |
73 |
|
74 |
However, I think that I prefer the post-filtering approach, since it is in |
75 |
principle the more flexible one. At work I sometimes mix the logs from |
76 |
different units (e.g., units A and B, and then units B, C, and D). |
77 |
|
78 |
But I realised today that journalctl has no negation operator! There is, |
79 |
however, an RFE for it. |
80 |
|
81 |
But regardless of what you use, I think that the worst offenders are services |
82 |
that write logs themselves (I'm looking at you, samba). |
83 |
|
84 |
> As a counter-point, however, at least journald does compression to some |
85 |
> degree, so tens of thousands of identical or nearly identical messages |
86 |
> don't take up as much room as you might expect as they compress very |
87 |
> well. =:^) I guess after the first instance, dups basically consist of a |
88 |
> timestamp and a pointer to the first message. So they don't take much |
89 |
> space. Which is fortunate when some "noise" message starts appearing |
90 |
> once a second... and you're storing it in tmpfs, thus in memory! |
91 |
> Obviously persistent logs would be similarly space efficient, but I still |
92 |
> don't like the idea of not being able to filter out the noise, BEFORE it |
93 |
> hits permanent storage, so I just make sure it /doesn't/ hit permanent |
94 |
> storage. =:^) |
95 |
|
96 |
Yeah, I think that's a good use case for pre-filtering: an overly noisy service |
97 |
whose logs you purposely want to ignore (for example, because you're still |
98 |
testing it - but then again, for that particular case you could probably use |
99 |
systemd-nspawn and log to an isolated journal). |
100 |
|
101 |
> c) I use btrfs for my primary filesystems, and btrfs and journald's |
102 |
> binary-format journals don't play so well together. FWIW, the latest |
103 |
> systemd-219 has lots of improvements for btrfs users, including some new |
104 |
> features that are btrfs-specific (which I never-the-less don't expect to |
105 |
> use right away as they're mostly VM/container oriented and I don't do |
106 |
> much of that sort of thing, but I may well eventually use them), as well |
107 |
> as some changes that should make journaling on btrfs work somewhat |
108 |
> better. So this point should be to some degree eliminated after that |
109 |
> stuff stabilizes tho part of the fix is journald setting nocow on the |
110 |
> journal files and that has other implications I'll skip further |
111 |
> discussion of here. However, by limiting journald to tmpfs only, I still |
112 |
> get the best benefits of systemd/journald integration (like status |
113 |
> including the last few log messages as mentioned above), while |
114 |
> eliminating the entire class of btrfs/journald issues. Best of both |
115 |
> worlds. =:^) |
116 |
|
117 |
Well, I'm on an SSD, but even on the laptop I haven't noticed any performance |
118 |
issues (yet). Then again, I use autodefrag, so that probably helps. |
119 |
|
120 |
What's funny though is that the systemd news file |
121 |
(http://cgit.freedesktop.org/systemd/systemd/tree/NEWS) occasionally |
122 |
refers to non-btrfs file systems as "legacy file sysetms". At least, as a |
123 |
btrfs user I think it's funny :) . |
124 |
|
125 |
> d) Tho I don't do anything with it in my syslog-ng config here, syslog-ng |
126 |
> can actually make use of some of the extra information journald passes to |
127 |
> it, including trusted per-app filtering and routing. One of the problems |
128 |
> that the old syslog approach had was that anything that could log |
129 |
> messages could claim to be anything it wanted, and syslog really couldn't |
130 |
> tell whether it was telling the truth or not, all it could do is sort and |
131 |
> report the messages based on what was claimed. A big bullet-point |
132 |
> feature of systemd/journald is that because systemd enforces service |
133 |
> separation via control-classes and the like, there's a much stronger |
134 |
> guarantee that what systemd/journald says is service X, is REALLY service |
135 |
> X and not service Y! But that's not limited to journald. Syslog-ng has |
136 |
> for several versions now had the ability to filter, route and report on |
137 |
> out-of-log-channel information such as the extra properties that journald |
138 |
> associates with each message, that make features such as systemctl status |
139 |
> reporting the last few log messages from that service possible, because |
140 |
> systemd/journald actually tracks it, AND passes it on to other loggers as |
141 |
> well now, providing they're built to use the API provided by the systemd |
142 |
> library I mentioned above. And again, for gentooers, syslog-ng is built |
143 |
> with that API, against that library, based on USE=systemd. So once |
144 |
> that's there, if desired, you can do all sorts of fancy filtering/log- |
145 |
> routing/etc based on information such as the application/service name, |
146 |
> that systemd passes along to syslog-ng. |
147 |
> |
148 |
> And again, with syslog-ng, this can be done BEFORE the actual logging if |
149 |
> desired, instead of logging everything and filtering only on output, as |
150 |
> journald does. =:^) |
151 |
|
152 |
That's actually pretty cool :) . You're basically using the journal as a log |
153 |
accumulator and syslog-ng for routing and post-processing its messages. |
154 |
|
155 |
Whiles that's not how I want to do things, I still appreciate how cool that |
156 |
is :) (and the fact that the journal can be used that way). |
157 |
|
158 |
> e) I'm simply more comfortable dealing with text-based logs, since I'm |
159 |
> used to them and can use whatever tools I want on them, as well as being |
160 |
> able to split/sort/route to multiple log files in as simple or complex a |
161 |
> setup as I want. =:^) |
162 |
> |
163 |
> Summary: |
164 |
> |
165 |
> For me, splitting up logging duties so journald does the collection, but |
166 |
> only does session journaling to tmpfs, while syslog-ng still handles the |
167 |
> "persistent" logging, gives me the best of both worlds. I love systemd/ |
168 |
> journald features such as log-messages-in-status and having seen how |
169 |
> useful it is, would seriously find it hard to do without. But at the |
170 |
> same time, I can't bring myself to accept persistent logging without the |
171 |
> ability to filter out the noise before it hits persistent storage, and |
172 |
> journal storage on btrfs is problematic anyway, with both problems nicely |
173 |
> solved by handing off to syslog-ng for my persistent storage needs while |
174 |
> keeping journald for same-session use, so that's exactly what I do. =:^) |
175 |
|
176 |
Right :) . |
177 |
|
178 |
Greetings |
179 |
-- |
180 |
Marc Joliet |
181 |
-- |
182 |
"People who think they know everything really annoy those of us who know we |
183 |
don't" - Bjarne Stroustrup |