From: covici@ccs.covici.com
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] syslog-ng: how to read the log files
Date: Mon, 23 Feb 2015 14:31:20 -0500

Marc Joliet <marcec@gmx.de> wrote:

> On Mon, 23 Feb 2015 12:10:18 -0600
> Canek Peláez Valdés <caneko@gmail.com> wrote:
>
> > On Mon, Feb 23, 2015 at 11:49 AM, <covici@ccs.covici.com> wrote:
> > >
> > > > Canek Peláez Valdés <caneko@gmail.com> wrote:
> > >
> > > > On Mon, Feb 23, 2015 at 3:41 AM, <covici@ccs.covici.com> wrote:
> > > > >
> > > > > Marc Joliet <marcec@gmx.de> wrote:
> > > > >
> > > > > > > On Mon, 23 Feb 2015 00:41:50 +0100
> > > > > > > lee <lee@yagibdah.de> wrote:
> > > > > >
> > > > > > > Neil Bothwick <neil@digimed.co.uk> writes:
> > > > > > >
> > > > > > > > On Wed, 18 Feb 2015 21:49:54 +0100, lee wrote:
> > > > > > > >
> > > > > > > > >> > I wonder if the OP is using systemd and trying to read the journal
> > > > > > > > >> > files?
> > > > > > > > >>
> > > > > > > > >> Nooo, I hate systemd ...
> > > > > > > > >>
> > > > > > > > >> What good are log files you can't read?
> > > > > > > > >
> > > > > > > > > You can't read syslog-ng log files without some reading software, usually
> > > > > > > > > a combination of cat, grep and less. systemd does it all with journalctl.
> > > > > > > > >
> > > > > > > > > There are good reasons to not use systemd, this isn't one of them.
> > > > > > > >
> > > > > > > > To me it is one of the good reasons, and an important one.  Plain text
> > > > > > > > can usually always be read without further ado, be it from rescue
> > > > > > > > systems you booted or with software available on different operating
> > > > > > > > systems.  It can also be processed with scripts and sent as email.
> > > > > > > > You can probably even read it on your cell phone.  You can still read
> > > > > > > > log files that were created 20 years ago when they are plain text.
> > > > > > > >
> > > > > > > > Can you do all that with the binary files created by systemd?  I can't
> > > > > > > > even read them on a working system.
> > > > > >
> > > > > > > What Canek and Rich already said is good, but I'll just add this: it's not like
> > > > > > > you can't run a classic syslog implementation alongside the systemd journal.
> > > > > > > On my systems, by *default*, syslog-ng kept working as usual, getting the logs
> > > > > > > from the systemd journal.  If you want to go further, you can even configure
> > > > > > > the journal to not store logs permanently, so that you *only* end up with
> > > > > > > plain-text logs on your system (Duncan on gentoo-amd64 went this way).
> > > > > > >
> > > > > > > So no, the format that the systemd journal uses is most decidedly *not* a reason
> > > > > > > against using systemd.
> > > > > > >
> > > > > > > Personally, I'm probably going to uninstall syslog-ng, because journalctl is
> > > > > > > *such* a nice way to read logs, so why run something whose output I'll never
> > > > > > > read again?  I recommend reading
> > > > > > > http://0pointer.net/blog/projects/journalctl.html for examples of the kind of
> > > > > > > stuff you can do that would be cumbersome, if not *impossible* with regular
> > > > > > > syslog.
> > > > >
> > > > > > Except that I get lots of messages about the system journal missing
> > > > > > messages when forwarding to syslog, so how can I make sure this does not
> > > > > > happen?
> > > >
> > > > > Could you please show those messages? systemd sends *everything* to the
> > > > > journal, and then the journal (optionally) can send it too to a regular
> > > > > syslog. In that sense, it's impossible for the journal to miss any message.
> > > > >
> > > > > The only way in which the journal could miss messages is at very early boot
> > > > > stages; but with a proper initramfs (like the ones generated with dracut),
> > > > > even those get caught. You get to put an instance of systemd and the
> > > > > journal inside the initramfs, and so it's available almost from the
> > > > > beginning.
> > > > >
> > > > > And if you use gummiboot, then you can even log from the moment the UEFI
> > > > > firmware comes to life.
> > >
> > > > So, I get lots of messages in my regular syslog-ng /var/log/messages
> > > > like the following:
> > > > Feb 23 12:47:52 ccs.covici.com systemd-journal[715]: Forwarding to syslog missed 15 messages.
> > > >
> > > > So, I saw a post on Google to up the queue length, and I upped it to 200,
> > > > but no joy, still get the messages like the one above.
> >
> > Are you using the unit file provided by syslog-ng (systemd-delta doesn't
> > mention syslog)? Also, is /etc/systemd/system/syslog.service a link
> > to /usr/lib/systemd/system/syslog-ng.service?
> >
> > I do, and I don't get any of those messages. I use the default journal
> > configuration. According to [1], this should be fixed.
>
> I remember getting a small number of messages like that, too, on my laptop.
> However, it's at the university, so I can't check now to see what types of
> messages were missed (if any; if I understand [1] correctly, those messages are
> most likely bogus?).
>
> But yeah, that's an idea, Covici: see what's in /var/log/messages, compare that
> to the journalctl output, and check if any messages were actually missed ("diff
> -U" might be of help here).  And if/once you did that, what kinds of messages
> were missed, if any?  If those messages really are bogus, you shouldn't see any
> differences between the two.
>
> > Regards.
> >
> > https://github.com/balabit/syslog-ng/issues/314
>
> Note that that fix would only be in the ~arch version of syslog-ng, the current
> stable version (3.4.8) is a few months too old.

I am up to 3.6 something, so the fix should be there.  But my unit file
is different, so that remains to check.

-- 
Your life is like a penny.  You're going to lose it.  The question is:
How do you spend it?

         John Covici
         covici@ccs.covici.com
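
The check suggested in the quoted text above (compare /var/log/messages with the journalctl output and see whether anything was actually missed), as an added example that is not part of the original thread. It assumes both sources are text in the classic "Mon DD HH:MM:SS host tag: message" layout (for the journal, e.g. `journalctl -o short`); the function names and all sample lines except the "missed 15 messages" line are constructed.

```python
import re
from collections import Counter

# Classic layout: "Feb 23 12:47:52 host tag[pid]: message". Assumption: the
# journal was exported in the same layout (e.g. `journalctl -o short`).
LINE = re.compile(r"^(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^:]+): (.*)$")
MISSED = re.compile(r"Forwarding to syslog missed (\d+) messages")

def parse(text):
    """Count (timestamp, tag, message) keys; the hostname is ignored because
    the two sources may print it differently (short name vs. FQDN)."""
    keys = Counter()
    for line in text.splitlines():
        if line.startswith("-- "):   # journalctl banner lines, not log records
            continue
        m = LINE.match(line)
        if m:
            ts, _host, tag, msg = m.groups()
            keys[(ts, tag, msg)] += 1
    return keys

def compare(syslog_text, journal_text):
    """Return (count claimed by journald, records in the journal but not in syslog)."""
    claimed = sum(int(n) for n in MISSED.findall(syslog_text))
    missing = parse(journal_text) - parse(syslog_text)   # multiset difference
    return claimed, sorted(missing.elements())

# Constructed sample input; only the "missed 15 messages" line is from the thread.
SYSLOG = """\
Feb 23 12:47:50 ccs.covici.com sshd[1201]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2
Feb 23 12:47:52 ccs.covici.com systemd-journal[715]: Forwarding to syslog missed 15 messages.
Feb 23 12:47:53 ccs.covici.com cron[1310]: (root) CMD (run-parts /etc/cron.hourly)
"""
JOURNAL = """\
-- Logs begin at Mon 2015-02-23 08:00:01 EST, end at Mon 2015-02-23 12:47:53 EST. --
Feb 23 12:47:50 ccs sshd[1201]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2
Feb 23 12:47:51 ccs kernel: usb 1-1: new high-speed USB device number 4 using xhci_hcd
Feb 23 12:47:52 ccs systemd-journal[715]: Forwarding to syslog missed 15 messages.
Feb 23 12:47:53 ccs cron[1310]: (root) CMD (run-parts /etc/cron.hourly)
"""

if __name__ == "__main__":
    claimed, missing = compare(SYSLOG, JOURNAL)
    print(f"journald claims {claimed} missed; {len(missing)} actually absent from syslog")
    for ts, tag, msg in missing:
        print(f"  {ts} {tag}: {msg}")
```

If the second value comes back empty while the first is non-zero, the "missed" notices did not correspond to records absent from the plain-text log over the compared window.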