Lennart Poettering 10-09-2012 02:04 PM

replacing rsyslogd in minimal with journald
 
On Tue, 09.10.12 07:53, Matthew Miller (mattdm@fedoraproject.org) wrote:

(Not that I actually already wanted this discussion now, but heck...)

> On Tue, Oct 09, 2012 at 10:58:45AM +0000, "Jóhann B. Guðmundsson" wrote:
> > Like to me rsyslog since the journal is an integrated part of systemd.
>
> Because a huge change like replacing traditional logging with journald needs
> to happen as part of a process, not just because another core program adds
> similar-but-different functionality.

Note that right now we have the journal as a requirement, and syslog
optional already. All I am asking for for F19 is not to install syslog
anymore at all, so that it becomes something which people can easily
install via yum, if they actually want it.

I am of the strong opinion that the journal can do everything we'd want
from a default logging solution. And for the ground the journal does not
cover people can install rsyslog or syslog-ng. If there's something
people are still lacking, then I am all ears.

Note that I am not saying that the journal can do everything syslog can
do, because it can't. But we left the missing bits out because we
explicitly wanted to do that, since we believe that that should be the
job for an optionally installed syslog daemon, that runs alongside
it.

> Eventually, systemd will probably have some time-based scheduling
> functionality -- it's part of the original plan. We'll need to have the same
> discussion around cron.

We have time-based scheduling, but not calendar-based, only ba
monotonic time. Replacing cron by systemd right now makes little sense
right now, and the discussion is moot.

> Lennart, systemd developers: journalctl already has a mode which will output
> traditional-looking text log dumps. Would it be possible to offer a
> journald-compat service which writes the traditional /var/log/messages and
> /var/log/secure? Or is it better to continue shipping rsyslog for that
> purpose? This wouldn't be a "forever" solution, just a migration path, and
> eventually something which could default to off. (I can't be the first
> person to ask this, but I can't find anything with the googles....)

We have no intention to write out classic /var/log/messages files. And
also no plans in generating the UDP syslog protocol. For those things,
install classic syslog.

If people want some pixel-perfect copy of the traditional
/var/log/messages, then they should just run "journalctl" without any
args. It's much better than /var/log/messages:

a) it gets the timezone right, and translates dates to your local timezone

b) it adds PID fields to all lines, not just those where the sender
happened to have passed LOG_PID to openlog().

c) it auto-pages if run on a tty

d) it colors errors/alerts in red, and warnings/notices in white if run on
a tty

e) it shows you much more data, since its backend database is not
rotated prematurely by date, but only by disk space

f) following the logs is not interrupted by rotation

g) it includes output from early boot/initrd as well, and is already
available when you are stuck in an early boot/initrd shell

h) It's much shorter to type: "journalctl" than "less
/var/log/messages". "journalctl -n" is shorter than "tail
/var/log/messages". And "journalctl -f" is shorter than "tail -f
/var/log/messages".

i) You always see the full set of logs you have access to. No need
anymore to look through /var/log/messages, /var/log/secure and so
on one individually. And you get all of this nicely interleaved.

And heck, this all is just the little bits and pieces you get for free
if you just use the 1:1 equivalents to the classic commands to access
the logs. If you start to make use of filtering, of -p, of -b
(especially this one, it's soooo useful!), of -o and so on, then things
are just so much nicer for any admin to use.

Lennart

--
Lennart Poettering - Red Hat, Inc.
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel

Chris Adams 10-09-2012 02:09 PM

Once upon a time, Lennart Poettering <mzerqung@0pointer.de> said:
> If people want some pixel-perfect copy of the traditional
> /var/log/messages, then they should just run "journalctl" without any
> args. It's much better than /var/log/messages:

How do you read this log when the system is not running (e.g. mounting
filesystems of a drive on another system, running from a rescue image,
etc.)?

--
Chris Adams <cmadams@hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.

Lennart Poettering 10-09-2012 02:16 PM

On Tue, 09.10.12 09:09, Chris Adams (cmadams@hiwaay.net) wrote:

> Once upon a time, Lennart Poettering <mzerqung@0pointer.de> said:
> > If people want some pixel-perfect copy of the traditional
> > /var/log/messages, then they should just run "journalctl" without any
> > args. It's much better than /var/log/messages:
>
> How do you read this log when the system is not running (e.g. mounting
> filesystems of a drive on another system, running from a rescue image,
> etc.)?

journalctl -D <pathtothejournalfiles>

Lennart

--
Lennart Poettering - Red Hat, Inc.

Tom Hughes 10-09-2012 02:19 PM

On 09/10/12 15:04, Lennart Poettering wrote:

> h) It's much shorter to type: "journalctl" than "less
> /var/log/messages". "journalctl -n" is shorter than "tail
> /var/log/messages". And "journalctl -f" is shorter than "tail -f
> /var/log/messages".

While "less" helpfully wraps your log lines at the edge of your terminal
journalctl unhelpfully truncates them or, if -a is used, makes you use
left/right cursor to scroll back and forth in an attempt to read the
lines. Especially since it fully qualifies the host name so the actual
message has barely got started by column 80.

More importantly though, what is the equivalent of "fgrep xxx
/var/log/messages" which is certainly pretty much the most common thing
I do on my logs... I can't see any sort of searching in journalctl?

The next most common thing I probably do is to load the log into vi so I
can search back and forth to see matches in context, but obviously that
is not something journalctl is ever really going to be able to do.

I love the idea of the journal, just don't think the tools are quite
there yet.

Tom

--
Tom Hughes (tom@compton.nu)
http://compton.nu/

"Bryn M. Reeves" 10-09-2012 02:35 PM

On 10/09/2012 03:19 PM, Tom Hughes wrote:
> While "less" helpfully wraps your log lines at the edge of your terminal
> journalctl unhelpfully truncates them or, if -a is used, makes you use
> left/right cursor to scroll back and forth in an attempt to read the
> lines. Especially since it fully qualifies the host name so the actual
> message has barely got started by column 80.

Agreed: I find this irritating too (and the default SYSTEMD_PAGER _is_
less so I'm not sure how it's being run).

Setting PIPE or piping to a pager is even worse - the lines are
truncated at 77 chars regardless of the term width so for now I'm
running journalctl --no-pager -a | less to get wrapped lines in a pager.

> More importantly though, what is the equivalent of "fgrep xxx
> /var/log/messages" which is certainly pretty much the most common thing
> I do on my logs... I can't see any sort of searching in journalctl?

journalctl | fgrep?

This one is pretty fine by me tbh.

> The next most common thing I probably do is to load the log into vi so I
> can search back and forth to see matches in context, but obviously that
> is not something journalctl is ever really going to be able to do.

Your favourite pager probably can though. Less has the same mark and
navigation keystrokes as vi. Although if you really do want to open in
an editor you'll probably need to redirect to a file.

Regards,
Bryn.



Chris Adams 10-09-2012 02:38 PM

Once upon a time, Lennart Poettering <mzerqung@0pointer.de> said:
> On Tue, 09.10.12 09:09, Chris Adams (cmadams@hiwaay.net) wrote:
> > Once upon a time, Lennart Poettering <mzerqung@0pointer.de> said:
> > > If people want some pixel-perfect copy of the traditional
> > > /var/log/messages, then they should just run "journalctl" without any
> > > args. It's much better than /var/log/messages:
> >
> > How do you read this log when the system is not running (e.g. mounting
> > filesystems of a drive on another system, running from a rescue image,
> > etc.)?
>
> journalctl -D <pathtothejournalfiles>

And just what is the <pathtothejournalfiles> (relative to system /)?
--
Chris Adams <cmadams@hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.

Chris Adams 10-09-2012 02:41 PM

Once upon a time, Bryn M. Reeves <bmr@redhat.com> said:
> Agreed: I find this irritating too (and the default SYSTEMD_PAGER _is_
> less so I'm not sure how it's being run).
>
> Setting PIPE or piping to a pager is even worse - the lines are
> truncated at 77 chars regardless of the term width so for now I'm
> running journalctl --no-pager -a | less to get wrapped lines in a pager.

Yeah, systemd's behavior of "magically" doing things based on tty or
pipe is highly annoying. If I want paging, line wraps, or truncation, I
have tools to do that. Having to constantly go back and add options
(after stopping to look up said options) to get unfiltered output is
frustrating.

--
Chris Adams <cmadams@hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.

Chris 10-09-2012 02:42 PM

2012/10/9 Lennart Poettering <mzerqung@0pointer.de>:
> On Tue, 09.10.12 09:09, Chris Adams (cmadams@hiwaay.net) wrote:
>
>> Once upon a time, Lennart Poettering <mzerqung@0pointer.de> said:
>> > If people want some pixel-perfect copy of the traditional
>> > /var/log/messages, then they should just run "journalctl" without any
>> > args. It's much better than /var/log/messages:
>>
>> How do you read this log when the system is not running (e.g. mounting
>> filesystems of a drive on another system, running from a rescue image,
>> etc.)?
>
> journalctl -D <pathtothejournalfiles>

April Fool's joke?

No /var/log/messages in Fedora 19??? :(

--
Chris

Matthew Miller 10-09-2012 02:45 PM

On Tue, Oct 09, 2012 at 04:04:05PM +0200, Lennart Poettering wrote:
> args. It's much better than /var/log/messages:
[many nice things snipped; only responding to ones I have real concerns
about.]

> c) it auto-pages if run on a tty

Hmmm. That's not necessarily what people are expecting, but okay.

However, I notice that if I piped to less, lines are truncated. This is not
good. Worse, if I pipe to _grep_, lines are truncated. That's _really bad_.

I see there's an open bug for that:

https://bugzilla.redhat.com/show_bug.cgi?id=831665

> e) it shows you much more data, since its backend database is not
> rotated prematurely by date, but only by disk space

Big-environment people are going to want flexible control over this, as I'm
sure you know. In my former job, log rotation time was set by a
university-wide data retention policy, which was based on time, not an
arbitrary space-free measure. (Note this covers both keeping data long
enough, and making sure that it isn't retained for too long.)

I can file an RFE bug if that's helpful.

> i) You always see the full set of logs you have access to. No need
> anymore to look through /var/log/messages, /var/log/secure and so
> on one individually. And you get all of this nicely interleaved.

As noted in an earlier message, that distinction is there for a reason. We
need a way to provide the same in the new system.


--
Matthew Miller ☁☁☁ Fedora Cloud Architect ☁☁☁ <mattdm@fedoraproject.org>
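
The /var/log/messages versus /var/log/secure split discussed in this thread can be rebuilt from the journal's JSON export. The following is an added example, not part of the thread and not systemd or rsyslog code: it takes lines in the format produced by `journalctl -o json`, routes them by syslog facility and priority, and renders classic-looking lines. The routing rules (authpriv to secure; info and above minus mail, cron and authpriv to messages), the default facility for entries that carry none, and the sample entries are assumptions made for the example.

```python
import json
from datetime import datetime, timezone

AUTHPRIV, MAIL, CRON, DAEMON = 10, 2, 9, 3   # syslog facility numbers
INFO = 6                                     # syslog priority "info"

def text(value):
    # journalctl -o json emits non-UTF-8 field values as a list of byte values
    if isinstance(value, list):
        return bytes(value).decode("utf-8", errors="replace")
    return "" if value is None else str(value)

def route(e):
    # Assumption: entries without SYSLOG_FACILITY are treated as "daemon"
    fac = int(e.get("SYSLOG_FACILITY", DAEMON))
    pri = int(e.get("PRIORITY", INFO))
    if fac == AUTHPRIV:
        return "secure"                      # authpriv.*
    if fac in (MAIL, CRON) or pri > INFO:
        return None                          # mail.none, cron.none, below info
    return "messages"                        # *.info

def classic_line(e):
    # __REALTIME_TIMESTAMP is microseconds since the epoch; rendered in UTC here
    ts = datetime.fromtimestamp(int(e["__REALTIME_TIMESTAMP"]) // 1_000_000, tz=timezone.utc)
    tag = text(e.get("SYSLOG_IDENTIFIER", "unknown"))
    if "_PID" in e:                          # kernel entries carry no PID
        tag += f"[{e['_PID']}]"
    return f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S} {text(e.get('_HOSTNAME'))} {tag}: {text(e.get('MESSAGE'))}"

def split_journal(json_lines):
    files = {"messages": [], "secure": []}
    for raw in filter(str.strip, json_lines):
        entry = json.loads(raw)
        dest = route(entry)
        if dest:
            files[dest].append(classic_line(entry))
    return files

# Constructed sample entries (not from a real system)
SAMPLE = [
    '{"__REALTIME_TIMESTAMP":"1349791445000000","_HOSTNAME":"host1","SYSLOG_IDENTIFIER":"sshd","_PID":"812","SYSLOG_FACILITY":"10","PRIORITY":"6","MESSAGE":"Accepted publickey for admin"}',
    '{"__REALTIME_TIMESTAMP":"1349791446000000","_HOSTNAME":"host1","SYSLOG_IDENTIFIER":"NetworkManager","_PID":"540","SYSLOG_FACILITY":"3","PRIORITY":"6","MESSAGE":"link up"}',
    '{"__REALTIME_TIMESTAMP":"1349791447000000","_HOSTNAME":"host1","SYSLOG_IDENTIFIER":"NetworkManager","_PID":"540","SYSLOG_FACILITY":"3","PRIORITY":"7","MESSAGE":"debug noise"}',
    '{"__REALTIME_TIMESTAMP":"1349791448000000","_HOSTNAME":"host1","SYSLOG_IDENTIFIER":"crond","_PID":"901","SYSLOG_FACILITY":"9","PRIORITY":"6","MESSAGE":"job started"}',
    '{"__REALTIME_TIMESTAMP":"1349791449000000","_HOSTNAME":"host1","SYSLOG_IDENTIFIER":"kernel","SYSLOG_FACILITY":"0","PRIORITY":"4","MESSAGE":[100,105,115,107,32,255]}',
]

if __name__ == "__main__":
    print(json.dumps(split_journal(SAMPLE), indent=2))
```
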

Tom Hughes 10-09-2012 02:45 PM

On 09/10/12 15:35, Bryn M. Reeves wrote:
> On 10/09/2012 03:19 PM, Tom Hughes wrote:
> > More importantly though, what is the equivalent of "fgrep xxx
> > /var/log/messages" which is certainly pretty much the most common thing
> > I do on my logs... I can't see any sort of searching in journalctl?
>
> journalctl | fgrep?
>
> This one is pretty fine by me tbh.

Sure, though having just tried that it took 33s to search about a month's
worth of logs instead of the 0.05s that grepping the last month's messages
took ;-)

> > The next most common thing I probably do is to load the log into vi so I
> > can search back and forth to see matches in context, but obviously that
> > is not something journalctl is ever really going to be able to do.
>
> Your favourite pager probably can though. Less has the same mark and
> navigation keystrokes as vi. Although if you really do want to open in
> an editor you'll probably need to redirect to a file.

Oh I know that - not sure why I tend to use vi really. Possibly because
it's quite easy to quit less by hitting the wrong key but you have to
make an effort to exit vi.

Tom

--
Tom Hughes (tom@compton.nu)
http://compton.nu/