1 |
Canek Peláez Valdés <caneko@×××××.com> wrote: |
2 |
|
3 |
> On Mon, Feb 23, 2015 at 1:31 PM, <covici@××××××××××.com> wrote: |
4 |
> > |
5 |
> > Marc Joliet <marcec@×××.de> wrote: |
6 |
> > |
7 |
> > > Am Mon, 23 Feb 2015 12:10:18 -0600 |
8 |
> > > schrieb Canek Peláez Valdés <caneko@×××××.com>: |
9 |
> > > |
10 |
> > > > On Mon, Feb 23, 2015 at 11:49 AM, <covici@××××××××××.com> wrote: |
11 |
> > > > > |
12 |
> > > > > Canek Peláez Valdés <caneko@×××××.com> wrote: |
13 |
> > > > > |
14 |
> > > > > > On Mon, Feb 23, 2015 at 3:41 AM, <covici@××××××××××.com> wrote: |
15 |
> > > > > > > |
16 |
> > > > > > > Marc Joliet <marcec@×××.de> wrote: |
17 |
> > > > > > > |
18 |
> > > > > > > > Am Mon, 23 Feb 2015 00:41:50 +0100 |
19 |
> > > > > > > > schrieb lee <lee@××××××××.de>: |
20 |
> > > > > > > > |
21 |
> > > > > > > > > Neil Bothwick <neil@××××××××××.uk> writes: |
22 |
> > > > > > > > > |
23 |
> > > > > > > > > > On Wed, 18 Feb 2015 21:49:54 +0100, lee wrote: |
24 |
> > > > > > > > > > |
25 |
> > > > > > > > > >> > I wonder if the OP is using systemd and trying to read |
26 |
> the |
27 |
> > > > > > journal |
28 |
> > > > > > > > > >> > files? |
29 |
> > > > > > > > > >> |
30 |
> > > > > > > > > >> Nooo, I hate systemd ... |
31 |
> > > > > > > > > >> |
32 |
> > > > > > > > > >> What good are log files you can't read? |
33 |
> > > > > > > > > > |
34 |
> > > > > > > > > > You can't read syslog-ng log files without some reading |
35 |
> > > > software, |
36 |
> > > > > > usually |
37 |
> > > > > > > > > > a combination of cat, grep and less. systemd does it all |
38 |
> with |
39 |
> > > > > > journalctl. |
40 |
> > > > > > > > > > |
41 |
> > > > > > > > > > There are good reasons to not use systemd, this isn't one |
42 |
> of |
43 |
> > > > them. |
44 |
> > > > > > > > > |
45 |
> > > > > > > > > To me it is one of the good reasons, and an important one. |
46 |
> Plain |
47 |
> > > > text |
48 |
> > > > > > > > > can usually always be read without further ado, be it from |
49 |
> rescue |
50 |
> > > > > > > > > systems you booted or with software available on different |
51 |
> > > > operating |
52 |
> > > > > > > > > systems. It can be also be processed with scripts and sent |
53 |
> as |
54 |
> > > > email. |
55 |
> > > > > > > > > You can probably even read it on your cell phone. You can |
56 |
> still |
57 |
> > > > read |
58 |
> > > > > > > > > log files that were created 20 years ago when they are |
59 |
> plain text. |
60 |
> > > > > > > > > |
61 |
> > > > > > > > > Can you do all that with the binary files created by |
62 |
> systemd? I |
63 |
> > > > can't |
64 |
> > > > > > > > > even read them on a working system. |
65 |
> > > > > > > > |
66 |
> > > > > > > > What Canek and Rich already said is good, but I'll just add |
67 |
> this: |
68 |
> > > > it's |
69 |
> > > > > > not like |
70 |
> > > > > > > > you can't run a classic syslog implementation alongside the |
71 |
> systemd |
72 |
> > > > > > journal. |
73 |
> > > > > > > > On my systems, by *default*, syslog-ng kept working as usual, |
74 |
> > > > getting |
75 |
> > > > > > the logs |
76 |
> > > > > > > > from the systemd journal. If you want to go further, you can |
77 |
> even |
78 |
> > > > > > configure |
79 |
> > > > > > > > the journal to not store logs permanently, so that you *only* |
80 |
> end up |
81 |
> > > > > > with |
82 |
> > > > > > > > plain-text logs on your system (Duncan on gentoo-amd64 went |
83 |
> this |
84 |
> > > > way). |
85 |
> > > > > > > > |
86 |
> > > > > > > > So no, the format that the systemd journal uses is most |
87 |
> decidedly |
88 |
> > > > *not* |
89 |
> > > > > > a reason |
90 |
> > > > > > > > against using systemd. |
91 |
> > > > > > > > |
92 |
> > > > > > > > Personally, I'm probably going to uninstall syslog-ng, because |
93 |
> > > > > > journalctl is |
94 |
> > > > > > > > *such* a nice way to read logs, so why run something whose |
95 |
> output |
96 |
> > > > I'll |
97 |
> > > > > > never |
98 |
> > > > > > > > read again? I recommend reading |
99 |
> > > > > > > > http://0pointer.net/blog/projects/journalctl.html for |
100 |
> examples of |
101 |
> > > > the |
102 |
> > > > > > kind of |
103 |
> > > > > > > > stuff you can do that would be cumbersome, if not |
104 |
> *impossible* with |
105 |
> > > > > > regular |
106 |
> > > > > > > > syslog. |
107 |
> > > > > > > |
108 |
> > > > > > > Except that I get lots of messages about the system journal |
109 |
> missing |
110 |
> > > > > > > messages when forwarding to syslog, so how can I make sure this |
111 |
> does |
112 |
> > > > not |
113 |
> > > > > > > happening? |
114 |
> > > > > > |
115 |
> > > > > > Could you please show those messages? systemd sends *everything* |
116 |
> to the |
117 |
> > > > > > journal, and then the journal (optionally) can send it too to a |
118 |
> regular |
119 |
> > > > > > syslog. In that sense, it's impossible for the journal to miss any |
120 |
> > > > message. |
121 |
> > > > > > |
122 |
> > > > > > The only way in which the journal could miss messages is at very |
123 |
> early |
124 |
> > > > boot |
125 |
> > > > > > stages; but with a proper initramfs (like the ones generated with |
126 |
> > > > dracut), |
127 |
> > > > > > even those get caught. You get to put an instance of systemd and |
128 |
> the |
129 |
> > > > > > journal inside the initramfs, and so it's available almost from |
130 |
> the |
131 |
> > > > > > beginning. |
132 |
> > > > > > |
133 |
> > > > > > And if you use gummiboot, then you can even log from the moment |
134 |
> the UEFI |
135 |
> > > > > > firmware comes to life. |
136 |
> > > > > |
137 |
> > > > > So, I get lots of messages in my regular syslog-ng /var/log/messages |
138 |
> > > > > like the following: |
139 |
> > > > > Feb 23 12:47:52 ccs.covici.com systemd-journal[715]: Forwarding to |
140 |
> > > > > syslog missed 15 messages. |
141 |
> > > > > |
142 |
> > > > > So, I saw a post on Google to up the queue length, and I uped it to |
143 |
> 200, |
144 |
> > > > > but no joy, still get the messages like the one above. |
145 |
> > > > |
146 |
> > > > Are you using the unit file provided by syslog-ng (systemd-delta |
147 |
> doesn't |
148 |
> > > > mention syslog)? Also, is /etc/systemd/system/syslog.service is a link |
149 |
> > > > to /usr/lib/systemd/system/syslog-ng.service? |
150 |
> > > > |
151 |
> > > > I do, and I don't get any of those messages. I use the default journal |
152 |
> > > > configuration. According to [1], this should be fixed. |
153 |
> > > |
154 |
> > > I remember getting a small number of messages like that, too, on my |
155 |
> laptop. |
156 |
> > > However, it's at the university, so I can't check now to see what types |
157 |
> of |
158 |
> > > messages were missed (if any; if I understand [1] correctly, those |
159 |
> messages are |
160 |
> > > most likely bogus?). |
161 |
> > > |
162 |
> > > But yeah, that's any idea, Covici: see what's in /var/log/messages, |
163 |
> compare that |
164 |
> > > to the journalctl output, and check if any messages were actually |
165 |
> missed ("diff |
166 |
> > > -U" might be of help here). And if/once you did that, what kinds of |
167 |
> messages |
168 |
> > > were missed, if any? If those messages really are bogus, you shouldn't |
169 |
> see any |
170 |
> > > differences between the two. |
171 |
> > > |
172 |
> > > > Regards. |
173 |
> > > > |
174 |
> > > > https://github.com/balabit/syslog-ng/issues/314 |
175 |
> > > |
176 |
> > > Note that that fix would only be in the ~arch version of syslog-ng, the |
177 |
> current |
178 |
> > > stable version (3.4.8) is a few months too old. |
179 |
> > |
180 |
> > I am up to 3.6 something, so the fix should be there. But my unit file |
181 |
> > is different, so that remains to check. |
182 |
> |
183 |
> I would try the provided unit file. It seems that the only difference with |
184 |
> yours is that it doesn't comment the Restart=on-failure line, and that it |
185 |
> has StandardOutput=null. |
186 |
> |
187 |
> I think the general idea is always to use upstream's unit files. They write |
188 |
> the software, supposedly they should know better. |
189 |
|
190 |
I agree, but at the time, there was none, so I had to find something on |
191 |
the internet, maybe from arch or somewhere. I can certainly try the one |
192 |
provided. |
193 |
|
194 |
|
195 |
-- |
196 |
Your life is like a penny. You're going to lose it. The question is: |
197 |
How do |
198 |
you spend it? |
199 |
|
200 |
John Covici |
201 |
covici@××××××××××.com |