| 1 |
Rich Freeman posted on Tue, 24 Feb 2015 16:44:59 -0500 as excerpted: |
| 2 |
|
| 3 |
> On Tue, Feb 24, 2015 at 3:15 PM, Marc Joliet <marcec@×××.de> wrote: |
| 4 |
>> |
| 5 |
>> == Things I have *not* gotten rid of (yet) == |
| 6 |
>> |
| 7 |
>> I plan on uninstalling syslog-ng, but haven't done so yet. I simply |
| 8 |
>> feel better waiting a bit, even though I don't run it anymore. Man, I |
| 9 |
>> feel silly after typing that... |
| 10 |
> |
| 11 |
> Yeah, took me a while to uninstall it, but I don't find much value in |
| 12 |
> running both. |
| 13 |
|
| 14 |
First, welcome to systemd! =:^) I may respond to other parts too but |
| 15 |
this one's reasonably easy, while my choice is different, so I'll explain |
| 16 |
what and why... |
| 17 |
|
| 18 |
Intro: I chose to keep syslog-ng running here, while I (of course) have |
| 19 |
journald running as well. I believe the way I have configured both plays |
| 20 |
to the advantages of each, while discounting the weak areas of each as |
| 21 |
the other one covers that area. |
| 22 |
|
| 23 |
What: |
| 24 |
|
| 25 |
1) Journald is configured to use volatile storage (the /run/log/journal |
| 26 |
subdir, with /run being tmpfs) ONLY, effectively limiting it to single- |
| 27 |
session. |
| 28 |
|
| 29 |
2) Syslog-ng is configured pretty much as before, except that I have its |
| 30 |
systemd USE flag turned on, which builds it with journald support so the |
| 31 |
two cooperate a bit better. |
| 32 |
|
| 33 |
Without looking too much into details, I believe USE=systemd for syslog-ng |
| 34 |
tells it to build against a library systemd/journald provides for that |
| 35 |
purpose, such that syslog-ng's "system" source listens to journald |
| 36 |
instead of /dev/log and the kernel (dmesg) directly. |
| 37 |
|
| 38 |
What I can say is that while I've seen complaints from others about |
| 39 |
loggers getting duplicate entries (from systemd and the kernel both, for |
| 40 |
instance) in some cases, or missing entries in others (the OP, here), |
| 41 |
I've not noticed anything like that, here, and I believe it's due to the |
| 42 |
above -- only having the "system" and internal syslog-ng sources |
| 43 |
configured so syslog-ng isn't getting the same message from two sources, |
| 44 |
and building with the systemd USE flag, which basically configures syslog- |
| 45 |
ng's system source to be lazy and let journald feed it, instead of doing |
| 46 |
all the work of fetching and parsing the kernel and syslog socket on its |
| 47 |
own. |
| 48 |
|
| 49 |
Why: |
| 50 |
|
| 51 |
I love the journald/systemd integration -- having the last few log |
| 52 |
messages on systemctl status <service> makes troubleshooting within the |
| 53 |
same session **MUCH** easier, and the other information journald keeps is |
| 54 |
also useful. But, for me at least, that's most useful in the same |
| 55 |
session. Once I reboot and the information I'm looking for is in a |
| 56 |
previous session, the usefulness of that extra information goes down |
| 57 |
quite a bit. |
| 58 |
|
| 59 |
Meanwhile, for logs beyond one session, I still prefer traditional text- |
| 60 |
based logs, tho I suppose that's partly because that's what I'm most used |
| 61 |
to. But there's several advantages to it that I see: |
| 62 |
|
| 63 |
a) If the system crashes, partially corrupted in-the-crash text logs can |
| 64 |
be of at least some use after a reboot. Binary journals, not so much. |
| 65 |
|
| 66 |
b) As far as I could find, journald has absolutely no mechanism to filter |
| 67 |
incoming (pre-storage) log entries, while syslog-ng has had (pre-storage) |
| 68 |
filter mechanisms for ages. Journald seems to have all sorts of outgoing |
| 69 |
post-storage filter-on-output options, some of which are pretty nifty, |
| 70 |
but there have been several times in the past where logs filled up with |
| 71 |
"noise", thousands of repeat entries for something or other that occurs |
| 72 |
regularly, say once a minute, that I simply do not care about and don't |
| 73 |
want in my logs at all, but which I can't directly stop at the source for |
| 74 |
whatever reason. One of them was a kernel bug that triggered for a few |
| 75 |
kernel cycles, then eventually went away, another was a ksysguard |
| 76 |
triggered message, with that ksysguard graph updating every second, etc. |
| 77 |
Unfortunately, while journald makes it easy to filter these out on |
| 78 |
output, I found no way of preventing their appearance in the journal at |
| 79 |
all. |
| 80 |
|
| 81 |
But syslog-ng lets me dump them without ever actually logging them, or |
| 82 |
route them to a different log file if I prefer, keeping my primary logs |
| 83 |
clean. =:^) |
| 84 |
|
| 85 |
As a counter-point, however, at least journald does compression to some |
| 86 |
degree, so tens of thousands of identical or nearly identical messages |
| 87 |
don't take up as much room as you might expect as they compress very |
| 88 |
well. =:^) I guess after the first instance, dups basically consist of a |
| 89 |
timestamp and a pointer to the first message. So they don't take much |
| 90 |
space. Which is fortunate when some "noise" message starts appearing |
| 91 |
once a second... and you're storing it in tmpfs, thus in memory! |
| 92 |
Obviously persistent logs would be similarly space efficient, but I still |
| 93 |
don't like the idea of not being able to filter out the noise, BEFORE it |
| 94 |
hits permanent storage, so I just make sure it /doesn't/ hit permanent |
| 95 |
storage. =:^) |
| 96 |
|
| 97 |
c) I use btrfs for my primary filesystems, and btrfs and journald's |
| 98 |
binary-format journals don't play so well together. FWIW, the latest |
| 99 |
systemd-219 has lots of improvements for btrfs users, including some new |
| 100 |
features that are btrfs-specific (which I never-the-less don't expect to |
| 101 |
use right away as they're mostly VM/container oriented and I don't do |
| 102 |
much of that sort of thing, but I may well eventually use them), as well |
| 103 |
as some changes that should make journaling on btrfs work somewhat |
| 104 |
better. So this point should be to some degree eliminated after that |
| 105 |
stuff stabilizes tho part of the fix is journald setting nocow on the |
| 106 |
journal files and that has other implications I'll skip further |
| 107 |
discussion of here. However, by limiting journald to tmpfs only, I still |
| 108 |
get the best benefits of systemd/journald integration (like status |
| 109 |
including the last few log messages as mentioned above), while |
| 110 |
eliminating the entire class of btrfs/journald issues. Best of both |
| 111 |
worlds. =:^) |
| 112 |
|
| 113 |
d) Tho I don't do anything with it in my syslog-ng config here, syslog-ng |
| 114 |
can actually make use of some of the extra information journald passes to |
| 115 |
it, including trusted per-app filtering and routing. One of the problems |
| 116 |
that the old syslog approach had was that anything that could log |
| 117 |
messages could claim to be anything it wanted, and syslog really couldn't |
| 118 |
tell whether it was telling the truth or not, all it could do is sort and |
| 119 |
report the messages based on what was claimed. A big bullet-point |
| 120 |
feature of systemd/journald is that because systemd enforces service |
| 121 |
separation via control-classes and the like, there's a much stronger |
| 122 |
guarantee that what systemd/journald says is service X, is REALLY service |
| 123 |
X and not service Y! But that's not limited to journald. Syslog-ng has |
| 124 |
for several versions now had the ability to filter, route and report on |
| 125 |
out-of-log-channel information such as the extra properties that journald |
| 126 |
associates with each message, that make features such as systemctl status |
| 127 |
reporting the last few log messages from that service possible, because |
| 128 |
systemd/journald actually tracks it, AND passes it on to other loggers as |
| 129 |
well now, providing they're built to use the API provided by the systemd |
| 130 |
library I mentioned above. And again, for gentooers, syslog-ng is built |
| 131 |
with that API, against that library, based on USE=systemd. So once |
| 132 |
that's there, if desired, you can do all sorts of fancy filtering/log- |
| 133 |
routing/etc based on information such as the application/service name, |
| 134 |
that systemd passes along to syslog-ng. |
| 135 |
|
| 136 |
And again, with syslog-ng, this can be done BEFORE the actual logging if |
| 137 |
desired, instead of logging everything and filtering only on output, as |
| 138 |
journald does. =:^) |
| 139 |
|
| 140 |
e) I'm simply more comfortable dealing with text-based logs, since I'm |
| 141 |
used to them and can use whatever tools I want on them, as well as being |
| 142 |
able to split/sort/route to multiple log files in as simple or complex a |
| 143 |
setup as I want. =:^) |
| 144 |
|
| 145 |
Summary: |
| 146 |
|
| 147 |
For me, splitting up logging duties so journald does the collection, but |
| 148 |
only does session journaling to tmpfs, while syslog-ng still handles the |
| 149 |
"persistent" logging, gives me the best of both worlds. I love systemd/ |
| 150 |
journald features such as log-messages-in-status and having seen how |
| 151 |
useful it is, would seriously find it hard to do without. But at the |
| 152 |
same time, I can't bring myself to accept persistent logging without the |
| 153 |
ability to filter out the noise before it hits persistent storage, and |
| 154 |
journal storage on btrfs is problematic anyway, with both problems nicely |
| 155 |
solved by handing off to syslog-ng for my persistent storage needs while |
| 156 |
keeping journald for same-session use, so that's exactly what I do. =:^) |
| 157 |
|
| 158 |
|
| 159 |
-- |
| 160 |
Duncan - List replies preferred. No HTML msgs. |
| 161 |
"Every nonfree program has a lord, a master -- |
| 162 |
and if you use the program, he is your master." Richard Stallman |
Archives