Re: [gentoo-user] syslog-ng: how to read the log files - gentoo-user

From:	covici@××××××××××.com
To:	gentoo-user@l.g.o
Subject:	Re: [gentoo-user] syslog-ng: how to read the log files
Date:	Mon, 23 Feb 2015 19:27:04
Message-Id:	`17966.1424719614@ccs.covici.com`
In Reply to:	Re: [gentoo-user] syslog-ng: how to read the log files by "Canek Peláez Valdés"

1

Canek Peláez Valdés <caneko@×××××.com> wrote:

2

3

> On Mon, Feb 23, 2015 at 11:49 AM, <covici@××××××××××.com> wrote:

4

> >

5

> > Canek Peláez Valdés <caneko@×××××.com> wrote:

6

> >

7

> > > On Mon, Feb 23, 2015 at 3:41 AM, <covici@××××××××××.com> wrote:

8

> > > >

9

> > > > Marc Joliet <marcec@×××.de> wrote:

10

> > > >

11

> > > > > Am Mon, 23 Feb 2015 00:41:50 +0100

12

> > > > > schrieb lee <lee@××××××××.de>:

13

> > > > >

14

> > > > > > Neil Bothwick <neil@××××××××××.uk> writes:

15

> > > > > >

16

> > > > > > > On Wed, 18 Feb 2015 21:49:54 +0100, lee wrote:

17

> > > > > > >

18

> > > > > > >> > I wonder if the OP is using systemd and trying to read the

19

> > > journal

20

> > > > > > >> > files?

21

> > > > > > >>

22

> > > > > > >> Nooo, I hate systemd ...

23

> > > > > > >>

24

> > > > > > >> What good are log files you can't read?

25

> > > > > > >

26

> > > > > > > You can't read syslog-ng log files without some reading

27

> software,

28

> > > usually

29

> > > > > > > a combination of cat, grep and less. systemd does it all with

30

> > > journalctl.

31

> > > > > > >

32

> > > > > > > There are good reasons to not use systemd, this isn't one of

33

> them.

34

> > > > > >

35

> > > > > > To me it is one of the good reasons, and an important one.  Plain

36

> text

37

> > > > > > can usually always be read without further ado, be it from rescue

38

> > > > > > systems you booted or with software available on different

39

> operating

40

> > > > > > systems.  It can be also be processed with scripts and sent as

41

> email.

42

> > > > > > You can probably even read it on your cell phone.  You can still

43

> read

44

> > > > > > log files that were created 20 years ago when they are plain text.

45

> > > > > >

46

> > > > > > Can you do all that with the binary files created by systemd?  I

47

> can't

48

> > > > > > even read them on a working system.

49

> > > > >

50

> > > > > What Canek and Rich already said is good, but I'll just add this:

51

> it's

52

> > > not like

53

> > > > > you can't run a classic syslog implementation alongside the systemd

54

> > > journal.

55

> > > > > On my systems, by *default*, syslog-ng kept working as usual,

56

> getting

57

> > > the logs

58

> > > > > from the systemd journal.  If you want to go further, you can even

59

> > > configure

60

> > > > > the journal to not store logs permanently, so that you *only* end up

61

> > > with

62

> > > > > plain-text logs on your system (Duncan on gentoo-amd64 went this

63

> way).

64

> > > > >

65

> > > > > So no, the format that the systemd journal uses is most decidedly

66

> *not*

67

> > > a reason

68

> > > > > against using systemd.

69

> > > > >

70

> > > > > Personally, I'm probably going to uninstall syslog-ng, because

71

> > > journalctl is

72

> > > > > *such* a nice way to read logs, so why run something whose output

73

> I'll

74

> > > never

75

> > > > > read again?  I recommend reading

76

> > > > > http://0pointer.net/blog/projects/journalctl.html for examples of

77

> the

78

> > > kind of

79

> > > > > stuff you can do that would be cumbersome, if not *impossible* with

80

> > > regular

81

> > > > > syslog.

82

> > > >

83

> > > > Except that I get lots of messages about the system journal missing

84

> > > > messages when forwarding to syslog, so how can I make sure this does

85

> not

86

> > > > happening?

87

> > >

88

> > > Could you please show those messages? systemd sends *everything* to the

89

> > > journal, and then the journal (optionally) can send it too to a regular

90

> > > syslog. In that sense, it's impossible for the journal to miss any

91

> message.

92

> > >

93

> > > The only way in which the journal could miss messages is at very early

94

> boot

95

> > > stages; but with a proper initramfs (like the ones generated with

96

> dracut),

97

> > > even those get caught. You get to put an instance of systemd and the

98

> > > journal inside the initramfs, and so it's available almost from the

99

> > > beginning.

100

> > >

101

> > > And if you use gummiboot, then you can even log from the moment the UEFI

102

> > > firmware comes to life.

103

> >

104

> > So, I get lots of messages in my regular syslog-ng /var/log/messages

105

> > like the following:

106

> > Feb 23 12:47:52 ccs.covici.com systemd-journal[715]: Forwarding to

107

> > syslog missed 15 messages.

108

> >

109

> > So, I saw a post on Google to up the queue length, and I uped it to 200,

110

> > but no joy, still get the messages like the one above.

111

>

112

> Are you using the unit file provided by syslog-ng (systemd-delta doesn't

113

> mention syslog)? Also, is /etc/systemd/system/syslog.service is a link

114

> to /usr/lib/systemd/system/syslog-ng.service?

115

>

116

> I do, and I don't get any of those messages. I use the default journal

117

> configuration. According to [1], this should be fixed.

118

>

119

> Regards.

120

>

121

> https://github.com/balabit/syslog-ng/issues/314

122

123

At the time when I did this there was no syslog-ng.service in

124

/usr/lib/systemd/system, now there is, but my unit file is like this:

125

126

[Unit]

127

Description=System Logger Daemon

128

Documentation=man:syslog-ng(8)

129

130

[Service]

131

Sockets=syslog.socket

132

ExecStart=/usr/sbin/syslog-ng -F

133

ExecReload=/bin/kill -HUP $MAINPID

134

#Restart=on-failure

135

136

[Install]

137

WantedBy=multi-user.target

138

Alias=syslog.service

139

140

Is there a reason why this should not work?

141

142

--

143

Your life is like a penny.  You're going to lose it.  The question is:

144

How do

145

you spend it?

146

147

         John Covici

148

         covici@××××××××××.com

1	Canek Peláez Valdés <caneko@×××××.com> wrote:
2
3	> On Mon, Feb 23, 2015 at 11:49 AM, <covici@××××××××××.com> wrote:
4	> >
5	> > Canek Peláez Valdés <caneko@×××××.com> wrote:
6	> >
7	> > > On Mon, Feb 23, 2015 at 3:41 AM, <covici@××××××××××.com> wrote:
8	> > > >
9	> > > > Marc Joliet <marcec@×××.de> wrote:
10	> > > >
11	> > > > > Am Mon, 23 Feb 2015 00:41:50 +0100
12	> > > > > schrieb lee <lee@××××××××.de>:
13	> > > > >
14	> > > > > > Neil Bothwick <neil@××××××××××.uk> writes:
15	> > > > > >
16	> > > > > > > On Wed, 18 Feb 2015 21:49:54 +0100, lee wrote:
17	> > > > > > >
18	> > > > > > >> > I wonder if the OP is using systemd and trying to read the
19	> > > journal
20	> > > > > > >> > files?
21	> > > > > > >>
22	> > > > > > >> Nooo, I hate systemd ...
23	> > > > > > >>
24	> > > > > > >> What good are log files you can't read?
25	> > > > > > >
26	> > > > > > > You can't read syslog-ng log files without some reading
27	> software,
28	> > > usually
29	> > > > > > > a combination of cat, grep and less. systemd does it all with
30	> > > journalctl.
31	> > > > > > >
32	> > > > > > > There are good reasons to not use systemd, this isn't one of
33	> them.
34	> > > > > >
35	> > > > > > To me it is one of the good reasons, and an important one. Plain
36	> text
37	> > > > > > can usually always be read without further ado, be it from rescue
38	> > > > > > systems you booted or with software available on different
39	> operating
40	> > > > > > systems. It can be also be processed with scripts and sent as
41	> email.
42	> > > > > > You can probably even read it on your cell phone. You can still
43	> read
44	> > > > > > log files that were created 20 years ago when they are plain text.
45	> > > > > >
46	> > > > > > Can you do all that with the binary files created by systemd? I
47	> can't
48	> > > > > > even read them on a working system.
49	> > > > >
50	> > > > > What Canek and Rich already said is good, but I'll just add this:
51	> it's
52	> > > not like
53	> > > > > you can't run a classic syslog implementation alongside the systemd
54	> > > journal.
55	> > > > > On my systems, by default, syslog-ng kept working as usual,
56	> getting
57	> > > the logs
58	> > > > > from the systemd journal. If you want to go further, you can even
59	> > > configure
60	> > > > > the journal to not store logs permanently, so that you only end up
61	> > > with
62	> > > > > plain-text logs on your system (Duncan on gentoo-amd64 went this
63	> way).
64	> > > > >
65	> > > > > So no, the format that the systemd journal uses is most decidedly
66	> not
67	> > > a reason
68	> > > > > against using systemd.
69	> > > > >
70	> > > > > Personally, I'm probably going to uninstall syslog-ng, because
71	> > > journalctl is
72	> > > > > such a nice way to read logs, so why run something whose output
73	> I'll
74	> > > never
75	> > > > > read again? I recommend reading
76	> > > > > http://0pointer.net/blog/projects/journalctl.html for examples of
77	> the
78	> > > kind of
79	> > > > > stuff you can do that would be cumbersome, if not impossible with
80	> > > regular
81	> > > > > syslog.
82	> > > >
83	> > > > Except that I get lots of messages about the system journal missing
84	> > > > messages when forwarding to syslog, so how can I make sure this does
85	> not
86	> > > > happening?
87	> > >
88	> > > Could you please show those messages? systemd sends everything to the
89	> > > journal, and then the journal (optionally) can send it too to a regular
90	> > > syslog. In that sense, it's impossible for the journal to miss any
91	> message.
92	> > >
93	> > > The only way in which the journal could miss messages is at very early
94	> boot
95	> > > stages; but with a proper initramfs (like the ones generated with
96	> dracut),
97	> > > even those get caught. You get to put an instance of systemd and the
98	> > > journal inside the initramfs, and so it's available almost from the
99	> > > beginning.
100	> > >
101	> > > And if you use gummiboot, then you can even log from the moment the UEFI
102	> > > firmware comes to life.
103	> >
104	> > So, I get lots of messages in my regular syslog-ng /var/log/messages
105	> > like the following:
106	> > Feb 23 12:47:52 ccs.covici.com systemd-journal[715]: Forwarding to
107	> > syslog missed 15 messages.
108	> >
109	> > So, I saw a post on Google to up the queue length, and I uped it to 200,
110	> > but no joy, still get the messages like the one above.
111	>
112	> Are you using the unit file provided by syslog-ng (systemd-delta doesn't
113	> mention syslog)? Also, is /etc/systemd/system/syslog.service is a link
114	> to /usr/lib/systemd/system/syslog-ng.service?
115	>
116	> I do, and I don't get any of those messages. I use the default journal
117	> configuration. According to [1], this should be fixed.
118	>
119	> Regards.
120	>
121	> https://github.com/balabit/syslog-ng/issues/314
122
123	At the time when I did this there was no syslog-ng.service in
124	/usr/lib/systemd/system, now there is, but my unit file is like this:
125
126	[Unit]
127	Description=System Logger Daemon
128	Documentation=man:syslog-ng(8)
129
130	[Service]
131	Sockets=syslog.socket
132	ExecStart=/usr/sbin/syslog-ng -F
133	ExecReload=/bin/kill -HUP $MAINPID
134	#Restart=on-failure
135
136	[Install]
137	WantedBy=multi-user.target
138	Alias=syslog.service
139
140	Is there a reason why this should not work?
141
142	--
143	Your life is like a penny. You're going to lose it. The question is:
144	How do
145	you spend it?
146
147	John Covici
148	covici@××××××××××.com

Gentoo Archives: gentoo-user