1 |
Rich Freeman posted on Tue, 24 Feb 2015 16:44:59 -0500 as excerpted: |
2 |
|
3 |
> On Tue, Feb 24, 2015 at 3:15 PM, Marc Joliet <marcec@×××.de> wrote: |
4 |
>> |
5 |
>> == Things I have *not* gotten rid of (yet) == |
6 |
>> |
7 |
>> I plan on uninstalling syslog-ng, but haven't done so yet. I simply |
8 |
>> feel better waiting a bit, even though I don't run it anymore. Man, I |
9 |
>> feel silly after typing that... |
10 |
> |
11 |
> Yeah, took me a while to uninstall it, but I don't find much value in |
12 |
> running both. |
13 |
|
14 |
First, welcome to systemd! =:^) I may respond to other parts too but |
15 |
this one's reasonably easy, while my choice is different, so I'll explain |
16 |
what and why... |
17 |
|
18 |
Intro: I chose to keep syslog-ng running here, while I (of course) have |
19 |
journald running as well. I believe the way I have configured both plays |
20 |
to the advantages of each, while discounting the weak areas of each as |
21 |
the other one covers that area. |
22 |
|
23 |
What: |
24 |
|
25 |
1) Journald is configured to use volatile storage (the /run/log/journal |
26 |
subdir, with /run being tmpfs) ONLY, effectively limiting it to single- |
27 |
session. |
28 |
|
29 |
2) Syslog-ng is configured pretty much as before, except that I have its |
30 |
systemd USE flag turned on, which builds it with journald support so the |
31 |
two cooperate a bit better. |
32 |
|
33 |
Without looking too much into details, I believe USE=systemd for syslog-ng |
34 |
tells it to build against a library systemd/journald provides for that |
35 |
purpose, such that syslog-ng's "system" source listens to journald |
36 |
instead of /dev/log and the kernel (dmesg) directly. |
37 |
|
38 |
What I can say is that while I've seen complaints from others about |
39 |
loggers getting duplicate entries (from systemd and the kernel both, for |
40 |
instance) in some cases, or missing entries in others (the OP, here), |
41 |
I've not noticed anything like that, here, and I believe it's due to the |
42 |
above -- only having the "system" and internal syslog-ng sources |
43 |
configured so syslog-ng isn't getting the same message from two sources, |
44 |
and building with the systemd USE flag, which basically configures syslog- |
45 |
ng's system source to be lazy and let journald feed it, instead of doing |
46 |
all the work of fetching and parsing the kernel and syslog socket on its |
47 |
own. |
48 |
|
49 |
Why: |
50 |
|
51 |
I love the journald/systemd integration -- having the last few log |
52 |
messages on systemctl status <service> makes troubleshooting within the |
53 |
same session **MUCH** easier, and the other information journald keeps is |
54 |
also useful. But, for me at least, that's most useful in the same |
55 |
session. Once I reboot and the information I'm looking for is in a |
56 |
previous session, the usefulness of that extra information goes down |
57 |
quite a bit. |
58 |
|
59 |
Meanwhile, for logs beyond one session, I still prefer traditional text- |
60 |
based logs, tho I suppose that's partly because that's what I'm most used |
61 |
to. But there's several advantages to it that I see: |
62 |
|
63 |
a) If the system crashes, partially corrupted in-the-crash text logs can |
64 |
be of at least some use after a reboot. Binary journals, not so much. |
65 |
|
66 |
b) As far as I could find, journald has absolutely no mechanism to filter |
67 |
incoming (pre-storage) log entries, while syslog-ng has had (pre-storage) |
68 |
filter mechanisms for ages. Journald seems to have all sorts of outgoing |
69 |
post-storage filter-on-output options, some of which are pretty nifty, |
70 |
but there have been several times in the past where logs filled up with |
71 |
"noise", thousands of repeat entries for something or other that occurs |
72 |
regularly, say once a minute, that I simply do not care about and don't |
73 |
want in my logs at all, but which I can't directly stop at the source for |
74 |
whatever reason. One of them was a kernel bug that triggered for a few |
75 |
kernel cycles, then eventually went away, another was a ksysguard |
76 |
triggered message, with that ksysguard graph updating every second, etc. |
77 |
Unfortunately, while journald makes it easy to filter these out on |
78 |
output, I found no way of preventing their appearance in the journal at |
79 |
all. |
80 |
|
81 |
But syslog-ng lets me dump them without ever actually logging them, or |
82 |
route them to a different log file if I prefer, keeping my primary logs |
83 |
clean. =:^) |
84 |
|
85 |
As a counter-point, however, at least journald does compression to some |
86 |
degree, so tens of thousands of identical or nearly identical messages |
87 |
don't take up as much room as you might expect as they compress very |
88 |
well. =:^) I guess after the first instance, dups basically consist of a |
89 |
timestamp and a pointer to the first message. So they don't take much |
90 |
space. Which is fortunate when some "noise" message starts appearing |
91 |
once a second... and you're storing it in tmpfs, thus in memory! |
92 |
Obviously persistent logs would be similarly space efficient, but I still |
93 |
don't like the idea of not being able to filter out the noise, BEFORE it |
94 |
hits permanent storage, so I just make sure it /doesn't/ hit permanent |
95 |
storage. =:^) |
96 |
|
97 |
c) I use btrfs for my primary filesystems, and btrfs and journald's |
98 |
binary-format journals don't play so well together. FWIW, the latest |
99 |
systemd-219 has lots of improvements for btrfs users, including some new |
100 |
features that are btrfs-specific (which I never-the-less don't expect to |
101 |
use right away as they're mostly VM/container oriented and I don't do |
102 |
much of that sort of thing, but I may well eventually use them), as well |
103 |
as some changes that should make journaling on btrfs work somewhat |
104 |
better. So this point should be to some degree eliminated after that |
105 |
stuff stabilizes tho part of the fix is journald setting nocow on the |
106 |
journal files and that has other implications I'll skip further |
107 |
discussion of here. However, by limiting journald to tmpfs only, I still |
108 |
get the best benefits of systemd/journald integration (like status |
109 |
including the last few log messages as mentioned above), while |
110 |
eliminating the entire class of btrfs/journald issues. Best of both |
111 |
worlds. =:^) |
112 |
|
113 |
d) Tho I don't do anything with it in my syslog-ng config here, syslog-ng |
114 |
can actually make use of some of the extra information journald passes to |
115 |
it, including trusted per-app filtering and routing. One of the problems |
116 |
that the old syslog approach had was that anything that could log |
117 |
messages could claim to be anything it wanted, and syslog really couldn't |
118 |
tell whether it was telling the truth or not, all it could do is sort and |
119 |
report the messages based on what was claimed. A big bullet-point |
120 |
feature of systemd/journald is that because systemd enforces service |
121 |
separation via control-classes and the like, there's a much stronger |
122 |
guarantee that what systemd/journald says is service X, is REALLY service |
123 |
X and not service Y! But that's not limited to journald. Syslog-ng has |
124 |
for several versions now had the ability to filter, route and report on |
125 |
out-of-log-channel information such as the extra properties that journald |
126 |
associates with each message, that make features such as systemctl status |
127 |
reporting the last few log messages from that service possible, because |
128 |
systemd/journald actually tracks it, AND passes it on to other loggers as |
129 |
well now, providing they're built to use the API provided by the systemd |
130 |
library I mentioned above. And again, for gentooers, syslog-ng is built |
131 |
with that API, against that library, based on USE=systemd. So once |
132 |
that's there, if desired, you can do all sorts of fancy filtering/log- |
133 |
routing/etc based on information such as the application/service name, |
134 |
that systemd passes along to syslog-ng. |
135 |
|
136 |
And again, with syslog-ng, this can be done BEFORE the actual logging if |
137 |
desired, instead of logging everything and filtering only on output, as |
138 |
journald does. =:^) |
139 |
|
140 |
e) I'm simply more comfortable dealing with text-based logs, since I'm |
141 |
used to them and can use whatever tools I want on them, as well as being |
142 |
able to split/sort/route to multiple log files in as simple or complex a |
143 |
setup as I want. =:^) |
144 |
|
145 |
Summary: |
146 |
|
147 |
For me, splitting up logging duties so journald does the collection, but |
148 |
only does session journaling to tmpfs, while syslog-ng still handles the |
149 |
"persistent" logging, gives me the best of both worlds. I love systemd/ |
150 |
journald features such as log-messages-in-status and having seen how |
151 |
useful it is, would seriously find it hard to do without. But at the |
152 |
same time, I can't bring myself to accept persistent logging without the |
153 |
ability to filter out the noise before it hits persistent storage, and |
154 |
journal storage on btrfs is problematic anyway, with both problems nicely |
155 |
solved by handing off to syslog-ng for my persistent storage needs while |
156 |
keeping journald for same-session use, so that's exactly what I do. =:^) |
157 |
|
158 |
|
159 |
-- |
160 |
Duncan - List replies preferred. No HTML msgs. |
161 |
"Every nonfree program has a lord, a master -- |
162 |
and if you use the program, he is your master." Richard Stallman |