| 1 |
Am Mon, 23 Feb 2015 12:10:18 -0600 |
| 2 |
schrieb Canek Peláez Valdés <caneko@×××××.com>: |
| 3 |
|
| 4 |
> On Mon, Feb 23, 2015 at 11:49 AM, <covici@××××××××××.com> wrote: |
| 5 |
> > |
| 6 |
> > Canek Peláez Valdés <caneko@×××××.com> wrote: |
| 7 |
> > |
| 8 |
> > > On Mon, Feb 23, 2015 at 3:41 AM, <covici@××××××××××.com> wrote: |
| 9 |
> > > > |
| 10 |
> > > > Marc Joliet <marcec@×××.de> wrote: |
| 11 |
> > > > |
| 12 |
> > > > > Am Mon, 23 Feb 2015 00:41:50 +0100 |
| 13 |
> > > > > schrieb lee <lee@××××××××.de>: |
| 14 |
> > > > > |
| 15 |
> > > > > > Neil Bothwick <neil@××××××××××.uk> writes: |
| 16 |
> > > > > > |
| 17 |
> > > > > > > On Wed, 18 Feb 2015 21:49:54 +0100, lee wrote: |
| 18 |
> > > > > > > |
| 19 |
> > > > > > >> > I wonder if the OP is using systemd and trying to read the |
| 20 |
> > > journal |
| 21 |
> > > > > > >> > files? |
| 22 |
> > > > > > >> |
| 23 |
> > > > > > >> Nooo, I hate systemd ... |
| 24 |
> > > > > > >> |
| 25 |
> > > > > > >> What good are log files you can't read? |
| 26 |
> > > > > > > |
| 27 |
> > > > > > > You can't read syslog-ng log files without some reading |
| 28 |
> software, |
| 29 |
> > > usually |
| 30 |
> > > > > > > a combination of cat, grep and less. systemd does it all with |
| 31 |
> > > journalctl. |
| 32 |
> > > > > > > |
| 33 |
> > > > > > > There are good reasons to not use systemd, this isn't one of |
| 34 |
> them. |
| 35 |
> > > > > > |
| 36 |
> > > > > > To me it is one of the good reasons, and an important one. Plain |
| 37 |
> text |
| 38 |
> > > > > > can usually always be read without further ado, be it from rescue |
| 39 |
> > > > > > systems you booted or with software available on different |
| 40 |
> operating |
| 41 |
> > > > > > systems. It can be also be processed with scripts and sent as |
| 42 |
> email. |
| 43 |
> > > > > > You can probably even read it on your cell phone. You can still |
| 44 |
> read |
| 45 |
> > > > > > log files that were created 20 years ago when they are plain text. |
| 46 |
> > > > > > |
| 47 |
> > > > > > Can you do all that with the binary files created by systemd? I |
| 48 |
> can't |
| 49 |
> > > > > > even read them on a working system. |
| 50 |
> > > > > |
| 51 |
> > > > > What Canek and Rich already said is good, but I'll just add this: |
| 52 |
> it's |
| 53 |
> > > not like |
| 54 |
> > > > > you can't run a classic syslog implementation alongside the systemd |
| 55 |
> > > journal. |
| 56 |
> > > > > On my systems, by *default*, syslog-ng kept working as usual, |
| 57 |
> getting |
| 58 |
> > > the logs |
| 59 |
> > > > > from the systemd journal. If you want to go further, you can even |
| 60 |
> > > configure |
| 61 |
> > > > > the journal to not store logs permanently, so that you *only* end up |
| 62 |
> > > with |
| 63 |
> > > > > plain-text logs on your system (Duncan on gentoo-amd64 went this |
| 64 |
> way). |
| 65 |
> > > > > |
| 66 |
> > > > > So no, the format that the systemd journal uses is most decidedly |
| 67 |
> *not* |
| 68 |
> > > a reason |
| 69 |
> > > > > against using systemd. |
| 70 |
> > > > > |
| 71 |
> > > > > Personally, I'm probably going to uninstall syslog-ng, because |
| 72 |
> > > journalctl is |
| 73 |
> > > > > *such* a nice way to read logs, so why run something whose output |
| 74 |
> I'll |
| 75 |
> > > never |
| 76 |
> > > > > read again? I recommend reading |
| 77 |
> > > > > http://0pointer.net/blog/projects/journalctl.html for examples of |
| 78 |
> the |
| 79 |
> > > kind of |
| 80 |
> > > > > stuff you can do that would be cumbersome, if not *impossible* with |
| 81 |
> > > regular |
| 82 |
> > > > > syslog. |
| 83 |
> > > > |
| 84 |
> > > > Except that I get lots of messages about the system journal missing |
| 85 |
> > > > messages when forwarding to syslog, so how can I make sure this does |
| 86 |
> not |
| 87 |
> > > > happening? |
| 88 |
> > > |
| 89 |
> > > Could you please show those messages? systemd sends *everything* to the |
| 90 |
> > > journal, and then the journal (optionally) can send it too to a regular |
| 91 |
> > > syslog. In that sense, it's impossible for the journal to miss any |
| 92 |
> message. |
| 93 |
> > > |
| 94 |
> > > The only way in which the journal could miss messages is at very early |
| 95 |
> boot |
| 96 |
> > > stages; but with a proper initramfs (like the ones generated with |
| 97 |
> dracut), |
| 98 |
> > > even those get caught. You get to put an instance of systemd and the |
| 99 |
> > > journal inside the initramfs, and so it's available almost from the |
| 100 |
> > > beginning. |
| 101 |
> > > |
| 102 |
> > > And if you use gummiboot, then you can even log from the moment the UEFI |
| 103 |
> > > firmware comes to life. |
| 104 |
> > |
| 105 |
> > So, I get lots of messages in my regular syslog-ng /var/log/messages |
| 106 |
> > like the following: |
| 107 |
> > Feb 23 12:47:52 ccs.covici.com systemd-journal[715]: Forwarding to |
| 108 |
> > syslog missed 15 messages. |
| 109 |
> > |
| 110 |
> > So, I saw a post on Google to up the queue length, and I uped it to 200, |
| 111 |
> > but no joy, still get the messages like the one above. |
| 112 |
> |
| 113 |
> Are you using the unit file provided by syslog-ng (systemd-delta doesn't |
| 114 |
> mention syslog)? Also, is /etc/systemd/system/syslog.service is a link |
| 115 |
> to /usr/lib/systemd/system/syslog-ng.service? |
| 116 |
> |
| 117 |
> I do, and I don't get any of those messages. I use the default journal |
| 118 |
> configuration. According to [1], this should be fixed. |
| 119 |
|
| 120 |
I remember getting a small number of messages like that, too, on my laptop. |
| 121 |
However, it's at the university, so I can't check now to see what types of |
| 122 |
messages were missed (if any; if I understand [1] correctly, those messages are |
| 123 |
most likely bogus?). |
| 124 |
|
| 125 |
But yeah, that's any idea, Covici: see what's in /var/log/messages, compare that |
| 126 |
to the journalctl output, and check if any messages were actually missed ("diff |
| 127 |
-U" might be of help here). And if/once you did that, what kinds of messages |
| 128 |
were missed, if any? If those messages really are bogus, you shouldn't see any |
| 129 |
differences between the two. |
| 130 |
|
| 131 |
> Regards. |
| 132 |
> |
| 133 |
> https://github.com/balabit/syslog-ng/issues/314 |
| 134 |
|
| 135 |
Note that that fix would only be in the ~arch version of syslog-ng, the current |
| 136 |
stable version (3.4.8) is a few months too old. |
| 137 |
|
| 138 |
-- |
| 139 |
Marc Joliet |
| 140 |
-- |
| 141 |
"People who think they know everything really annoy those of us who know we |
| 142 |
don't" - Bjarne Stroustrup |
Archives