Gentoo Archives: gentoo-user

From: covici@××××××××××.com
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] syslog-ng: how to read the log files
Date: Mon, 23 Feb 2015 23:18:46
Message-Id: 20524.1424733516@ccs.covici.com
In Reply to: Re: [gentoo-user] syslog-ng: how to read the log files by "Canek Peláez Valdés"
Canek Peláez Valdés <caneko@×××××.com> wrote:

> On Mon, Feb 23, 2015 at 1:31 PM, <covici@××××××××××.com> wrote:
> >
> > Marc Joliet <marcec@×××.de> wrote:
> >
> > > On Mon, 23 Feb 2015 12:10:18 -0600
> > > Canek Peláez Valdés <caneko@×××××.com> wrote:
> > >
> > > > On Mon, Feb 23, 2015 at 11:49 AM, <covici@××××××××××.com> wrote:
> > > > >
> > > > > Canek Peláez Valdés <caneko@×××××.com> wrote:
> > > > >
> > > > > > On Mon, Feb 23, 2015 at 3:41 AM, <covici@××××××××××.com> wrote:
> > > > > > >
> > > > > > > Marc Joliet <marcec@×××.de> wrote:
> > > > > > >
> > > > > > > > On Mon, 23 Feb 2015 00:41:50 +0100
> > > > > > > > lee <lee@××××××××.de> wrote:
> > > > > > > >
> > > > > > > > > Neil Bothwick <neil@××××××××××.uk> writes:
> > > > > > > > >
> > > > > > > > > > On Wed, 18 Feb 2015 21:49:54 +0100, lee wrote:
> > > > > > > > > >
> > > > > > > > > >> > I wonder if the OP is using systemd and trying to read
> > > > > > > > > >> > the journal files?
> > > > > > > > > >>
> > > > > > > > > >> Nooo, I hate systemd ...
> > > > > > > > > >>
> > > > > > > > > >> What good are log files you can't read?
> > > > > > > > > >
> > > > > > > > > > You can't read syslog-ng log files without some reading
> > > > > > > > > > software, usually a combination of cat, grep and less.
> > > > > > > > > > systemd does it all with journalctl.
> > > > > > > > > >
> > > > > > > > > > There are good reasons to not use systemd, this isn't one
> > > > > > > > > > of them.
> > > > > > > > >
> > > > > > > > > To me it is one of the good reasons, and an important one.
> > > > > > > > > Plain text can usually always be read without further ado,
> > > > > > > > > be it from rescue systems you booted or with software
> > > > > > > > > available on different operating systems. It can also be
> > > > > > > > > processed with scripts and sent as email. You can probably
> > > > > > > > > even read it on your cell phone. You can still read log
> > > > > > > > > files that were created 20 years ago when they are plain
> > > > > > > > > text.
> > > > > > > > >
> > > > > > > > > Can you do all that with the binary files created by
> > > > > > > > > systemd? I can't even read them on a working system.
> > > > > > > >
> > > > > > > > What Canek and Rich already said is good, but I'll just add
> > > > > > > > this: it's not like you can't run a classic syslog
> > > > > > > > implementation alongside the systemd journal. On my systems,
> > > > > > > > by *default*, syslog-ng kept working as usual, getting the
> > > > > > > > logs from the systemd journal. If you want to go further, you
> > > > > > > > can even configure the journal to not store logs permanently,
> > > > > > > > so that you *only* end up with plain-text logs on your system
> > > > > > > > (Duncan on gentoo-amd64 went this way).
> > > > > > > >
> > > > > > > > So no, the format that the systemd journal uses is most
> > > > > > > > decidedly *not* a reason against using systemd.
> > > > > > > >
> > > > > > > > Personally, I'm probably going to uninstall syslog-ng, because
> > > > > > > > journalctl is *such* a nice way to read logs, so why run
> > > > > > > > something whose output I'll never read again? I recommend
> > > > > > > > reading http://0pointer.net/blog/projects/journalctl.html for
> > > > > > > > examples of the kind of stuff you can do that would be
> > > > > > > > cumbersome, if not *impossible* with regular syslog.
> > > > > > >
> > > > > > > Except that I get lots of messages about the system journal
> > > > > > > missing messages when forwarding to syslog, so how can I make
> > > > > > > sure this does not happen?
> > > > > >
> > > > > > Could you please show those messages? systemd sends *everything*
> > > > > > to the journal, and then the journal (optionally) can send it too
> > > > > > to a regular syslog. In that sense, it's impossible for the
> > > > > > journal to miss any message.
> > > > > >
> > > > > > The only way in which the journal could miss messages is at very
> > > > > > early boot stages; but with a proper initramfs (like the ones
> > > > > > generated with dracut), even those get caught. You get to put an
> > > > > > instance of systemd and the journal inside the initramfs, and so
> > > > > > it's available almost from the beginning.
> > > > > >
> > > > > > And if you use gummiboot, then you can even log from the moment
> > > > > > the UEFI firmware comes to life.
> > > > >
> > > > > So, I get lots of messages in my regular syslog-ng /var/log/messages
> > > > > like the following:
> > > > > Feb 23 12:47:52 ccs.covici.com systemd-journal[715]: Forwarding to syslog missed 15 messages.
> > > > >
> > > > > So, I saw a post on Google to up the queue length, and I upped it to
> > > > > 200, but no joy, still get the messages like the one above.
> > > >
> > > > Are you using the unit file provided by syslog-ng (systemd-delta
> > > > doesn't mention syslog)? Also, is /etc/systemd/system/syslog.service
> > > > a link to /usr/lib/systemd/system/syslog-ng.service?
> > > >
> > > > I do, and I don't get any of those messages. I use the default journal
> > > > configuration. According to [1], this should be fixed.
> > >
> > > I remember getting a small number of messages like that, too, on my
> > > laptop. However, it's at the university, so I can't check now to see
> > > what types of messages were missed (if any; if I understand [1]
> > > correctly, those messages are most likely bogus?).
> > >
> > > But yeah, that's an idea, Covici: see what's in /var/log/messages,
> > > compare that to the journalctl output, and check if any messages were
> > > actually missed ("diff -U" might be of help here). And if/once you did
> > > that, what kinds of messages were missed, if any? If those messages
> > > really are bogus, you shouldn't see any differences between the two.
> > >
> > > > Regards.
> > > >
> > > > https://github.com/balabit/syslog-ng/issues/314
> > >
> > > Note that that fix would only be in the ~arch version of syslog-ng, the
> > > current stable version (3.4.8) is a few months too old.
> >
> > I am up to 3.6 something, so the fix should be there. But my unit file
> > is different, so that remains to check.
>
> I would try the provided unit file. It seems that the only difference with
> yours is that it doesn't comment the Restart=on-failure line, and that it
> has StandardOutput=null.
>
> I think the general idea is always to use upstream's unit files. They write
> the software, supposedly they should know better.

I did change the unit file, but no joy, I still get messages like this:
Feb 23 18:16:05 ccs.covici.com systemd-journal[715]: Forwarding to syslog missed 13 messages.

--
Your life is like a penny. You're going to lose it. The question is:
How do you spend it?

John Covici
covici@××××××××××.com
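
The comparison suggested in the thread (journalctl output against /var/log/messages), as an added example that is not part of the original message or of any project mentioned in it. It assumes both inputs use the classic syslog line shape (as in the quoted log line and in `journalctl -o short`); the function names and the sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Classic syslog line: "Mon DD HH:MM:SS host tag[pid]: message".
# Assumption: `journalctl -o short` output was saved in the same shape.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
MISSED_RE = re.compile(r"Forwarding to syslog missed (\d+) messages")


def parse(lines):
    """Count (timestamp, tag, message) keys. The host field is ignored
    because one source may print a short name and the other an FQDN."""
    keys = Counter()
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if m:
            keys[(m["ts"], m["tag"], m["msg"])] += 1
    return keys


def compare(journal_lines, syslog_lines):
    """Return (entries present in the journal but absent from syslog,
    total number of messages the journal itself reported as missed)."""
    journal, syslog = parse(journal_lines), parse(syslog_lines)
    missing = sorted((journal - syslog).elements())
    reported = sum(
        int(n) for line in syslog_lines for n in MISSED_RE.findall(line)
    )
    return missing, reported


# Constructed sample data (not taken from the poster's system).
JOURNAL_SAMPLE = [
    "Feb 23 12:47:50 ccs sshd[2101]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2",
    "Feb 23 12:47:51 ccs sshd[2101]: pam_unix(sshd:session): session opened for user alice",
    "Feb 23 12:47:52 ccs systemd-journal[715]: Forwarding to syslog missed 15 messages.",
    "Feb 23 12:47:53 ccs kernel: usb 1-1: new high-speed USB device number 4",
]
SYSLOG_SAMPLE = [
    "Feb 23 12:47:50 ccs.covici.com sshd[2101]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2",
    "Feb 23 12:47:52 ccs.covici.com systemd-journal[715]: Forwarding to syslog missed 15 messages.",
    "Feb 23 12:47:53 ccs.covici.com kernel: usb 1-1: new high-speed USB device number 4",
]

if __name__ == "__main__":
    missing, reported = compare(JOURNAL_SAMPLE, SYSLOG_SAMPLE)
    print(f"journal reported {reported} missed; {len(missing)} actually absent")
    for ts, tag, msg in missing:
        print(f"  {ts} {tag}: {msg}")
```

If the reported count is non-zero but the list of absent entries is empty for the same time window, the "missed" notices did not correspond to lost log lines; entries that are absent show which events would be invisible to anything that reads only the plain-text log.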
