From: Marc Joliet
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] syslog-ng: how to read the log files
Date: Mon, 23 Feb 2015 20:19:46 +0100

On Mon, 23 Feb 2015 12:10:18 -0600, Canek Peláez Valdés wrote:

> On Mon, Feb 23, 2015 at 11:49 AM, wrote:
> >
> > Canek Peláez Valdés wrote:
> >
> > > On Mon, Feb 23, 2015 at 3:41 AM, wrote:
> > > >
> > > > Marc Joliet wrote:
> > > >
> > > > > On Mon, 23 Feb 2015 00:41:50 +0100, lee wrote:
> > > > >
> > > > > > Neil Bothwick writes:
> > > > > >
> > > > > > > On Wed, 18 Feb 2015 21:49:54 +0100, lee wrote:
> > > > > > >
> > > > > > >> > I wonder if the OP is using systemd and trying to read the journal
> > > > > > >> > files?
> > > > > > >>
> > > > > > >> Nooo, I hate systemd ...
> > > > > > >>
> > > > > > >> What good are log files you can't read?
> > > > > > >
> > > > > > > You can't read syslog-ng log files without some reading software, usually
> > > > > > > a combination of cat, grep and less. systemd does it all with journalctl.
> > > > > > >
> > > > > > > There are good reasons to not use systemd, this isn't one of them.
> > > > > >
> > > > > > To me it is one of the good reasons, and an important one. Plain text
> > > > > > can usually always be read without further ado, be it from rescue
> > > > > > systems you booted or with software available on different operating
> > > > > > systems. It can also be processed with scripts and sent as email.
> > > > > > You can probably even read it on your cell phone. You can still read
> > > > > > log files that were created 20 years ago when they are plain text.
> > > > > >
> > > > > > Can you do all that with the binary files created by systemd? I can't
> > > > > > even read them on a working system.
> > > > >
> > > > > What Canek and Rich already said is good, but I'll just add this: it's not like
> > > > > you can't run a classic syslog implementation alongside the systemd journal.
> > > > > On my systems, by *default*, syslog-ng kept working as usual, getting the logs
> > > > > from the systemd journal. If you want to go further, you can even configure
> > > > > the journal to not store logs permanently, so that you *only* end up with
> > > > > plain-text logs on your system (Duncan on gentoo-amd64 went this way).
> > > > >
> > > > > So no, the format that the systemd journal uses is most decidedly *not* a reason
> > > > > against using systemd.
> > > > >
> > > > > Personally, I'm probably going to uninstall syslog-ng, because journalctl is
> > > > > *such* a nice way to read logs, so why run something whose output I'll never
> > > > > read again? I recommend reading
> > > > > http://0pointer.net/blog/projects/journalctl.html for examples of the kind of
> > > > > stuff you can do that would be cumbersome, if not *impossible* with regular
> > > > > syslog.
> > > >
> > > > Except that I get lots of messages about the system journal missing
> > > > messages when forwarding to syslog, so how can I make sure this does not
> > > > happen?
> > >
> > > Could you please show those messages? systemd sends *everything* to the
> > > journal, and then the journal (optionally) can send it too to a regular
> > > syslog. In that sense, it's impossible for the journal to miss any message.
> > >
> > > The only way in which the journal could miss messages is at very early boot
> > > stages; but with a proper initramfs (like the ones generated with dracut),
> > > even those get caught. You get to put an instance of systemd and the
> > > journal inside the initramfs, and so it's available almost from the
> > > beginning.
> > >
> > > And if you use gummiboot, then you can even log from the moment the UEFI
> > > firmware comes to life.
> >
> > So, I get lots of messages in my regular syslog-ng /var/log/messages
> > like the following:
> > Feb 23 12:47:52 ccs.covici.com systemd-journal[715]: Forwarding to syslog missed 15 messages.
> >
> > So, I saw a post on Google to up the queue length, and I upped it to 200,
> > but no joy, still get the messages like the one above.
>
> Are you using the unit file provided by syslog-ng (systemd-delta doesn't
> mention syslog)? Also, is /etc/systemd/system/syslog.service a link
> to /usr/lib/systemd/system/syslog-ng.service?
>
> I do, and I don't get any of those messages. I use the default journal
> configuration.

According to [1], this should be fixed. I remember getting a small number of
messages like that, too, on my laptop. However, it's at the university, so I
can't check now to see what types of messages were missed (if any; if I
understand [1] correctly, those messages are most likely bogus?).

But yeah, that's an idea, Covici: see what's in /var/log/messages, compare that
to the journalctl output, and check if any messages were actually missed
("diff -U" might be of help here). And if/once you did that, what kinds of
messages were missed, if any? If those messages really are bogus, you shouldn't
see any differences between the two.

> Regards.
>
> https://github.com/balabit/syslog-ng/issues/314

Note that that fix would only be in the ~arch version of syslog-ng, the current
stable version (3.4.8) is a few months too old.
-- 
Marc Joliet
--
"People who think they know everything really annoy those of us who know we
don't" - Bjarne Stroustrup
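
The comparison suggested in the message above (journal output versus /var/log/messages), as an added example that is not part of the original mail or of syslog-ng/systemd. It assumes both inputs are saved text files in the classic "Mon DD HH:MM:SS host tag: msg" layout covering the same time window on one host; the function names and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Inputs: two text files in "Mon DD HH:MM:SS host tag: msg" layout, e.g. saved
# `journalctl -o short` output and a copy of /var/log/messages (same time window).

# normalize FILE: skip journalctl "-- ... --" banners, drop the hostname field
# (the two sides may print short name vs. FQDN), then sort for comm(1).
normalize() {
    awk '
        /^-- / { next }
        NF < 5 { next }
        {
            line = $1 " " $2 " " $3
            for (i = 5; i <= NF; i++) line = line " " $i
            print line
        }' "$1" | LC_ALL=C sort
}

# missed_messages JOURNAL SYSLOG: records in JOURNAL with no counterpart in
# SYSLOG. comm pairs duplicates one-to-one, so repeated lines are counted.
missed_messages() {
    tmp=$(mktemp -d) || return 1
    normalize "$1" > "$tmp/journal"
    normalize "$2" > "$tmp/syslog"
    LC_ALL=C comm -23 "$tmp/journal" "$tmp/syslog"
    rm -rf "$tmp"
}

# demo: constructed sample data; the second sshd line was not forwarded.
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/journal.txt" <<'EOF'
-- Logs begin at Mon 2015-02-23 12:00:01 CET, end at Mon 2015-02-23 12:47:52 CET. --
Feb 23 12:47:50 ccs cron[812]: (root) CMD (test -x /usr/sbin/run-crons)
Feb 23 12:47:51 ccs sshd[901]: Connection closed by 192.0.2.10
Feb 23 12:47:51 ccs sshd[901]: Connection closed by 192.0.2.10
Feb 23 12:47:52 ccs kernel: eth0: link up
EOF
    cat > "$d/messages.txt" <<'EOF'
Feb 23 12:47:50 ccs.covici.com cron[812]: (root) CMD (test -x /usr/sbin/run-crons)
Feb 23 12:47:51 ccs.covici.com sshd[901]: Connection closed by 192.0.2.10
Feb 23 12:47:52 ccs.covici.com kernel: eth0: link up
EOF
    missed_messages "$d/journal.txt" "$d/messages.txt"
    rm -rf "$d"
}

demo
```

An empty result from `missed_messages` means every journal record in the window has a matching syslog line, which is what one would expect if the "Forwarding to syslog missed N messages" notices are bogus.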