From: covici@ccs.covici.com
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] syslog-ng: how to read the log files
Date: Mon, 23 Feb 2015 18:18:36 -0500
Message-ID: <20524.1424733516@ccs.covici.com>

Canek Peláez Valdés wrote:

> On Mon, Feb 23, 2015 at 1:31 PM, wrote:
> >
> > Marc Joliet wrote:
> >
> > > On Mon, 23 Feb 2015 12:10:18 -0600
> > > Canek Peláez Valdés wrote:
> > >
> > > > On Mon, Feb 23, 2015 at 11:49 AM, wrote:
> > > > >
> > > > > Canek Peláez Valdés wrote:
> > > > >
> > > > > > On Mon, Feb 23, 2015 at 3:41 AM, wrote:
> > > > > > >
> > > > > > > Marc Joliet wrote:
> > > > > > >
> > > > > > > > On Mon, 23 Feb 2015 00:41:50 +0100
> > > > > > > > lee wrote:
> > > > > > > >
> > > > > > > > > Neil Bothwick writes:
> > > > > > > > >
> > > > > > > > > > On Wed, 18 Feb 2015 21:49:54 +0100, lee wrote:
> > > > > > > > > >
> > > > > > > > > >> > I wonder if the OP is using systemd and trying to read the journal
> > > > > > > > > >> > files?
> > > > > > > > > >>
> > > > > > > > > >> Nooo, I hate systemd ...
> > > > > > > > > >>
> > > > > > > > > >> What good are log files you can't read?
> > > > > > > > > >
> > > > > > > > > > You can't read syslog-ng log files without some reading software, usually
> > > > > > > > > > a combination of cat, grep and less. systemd does it all with journalctl.
> > > > > > > > > >
> > > > > > > > > > There are good reasons to not use systemd, this isn't one of them.
> > > > > > > > >
> > > > > > > > > To me it is one of the good reasons, and an important one. Plain text
> > > > > > > > > can usually always be read without further ado, be it from rescue
> > > > > > > > > systems you booted or with software available on different operating
> > > > > > > > > systems. It can also be processed with scripts and sent as email.
> > > > > > > > > You can probably even read it on your cell phone. You can still read
> > > > > > > > > log files that were created 20 years ago when they are plain text.
> > > > > > > > >
> > > > > > > > > Can you do all that with the binary files created by systemd? I can't
> > > > > > > > > even read them on a working system.
> > > > > > > >
> > > > > > > > What Canek and Rich already said is good, but I'll just add this: it's not like
> > > > > > > > you can't run a classic syslog implementation alongside the systemd journal.
> > > > > > > > On my systems, by *default*, syslog-ng kept working as usual, getting the logs
> > > > > > > > from the systemd journal. If you want to go further, you can even configure
> > > > > > > > the journal to not store logs permanently, so that you *only* end up with
> > > > > > > > plain-text logs on your system (Duncan on gentoo-amd64 went this way).
> > > > > > > >
> > > > > > > > So no, the format that the systemd journal uses is most decidedly *not* a reason
> > > > > > > > against using systemd.
> > > > > > > >
> > > > > > > > Personally, I'm probably going to uninstall syslog-ng, because journalctl is
> > > > > > > > *such* a nice way to read logs, so why run something whose output I'll never
> > > > > > > > read again? I recommend reading
> > > > > > > > http://0pointer.net/blog/projects/journalctl.html for examples of the kind of
> > > > > > > > stuff you can do that would be cumbersome, if not *impossible* with regular
> > > > > > > > syslog.
> > > > > > >
> > > > > > > Except that I get lots of messages about the system journal missing
> > > > > > > messages when forwarding to syslog, so how can I make sure this does not
> > > > > > > happen?
> > > > > >
> > > > > > Could you please show those messages? systemd sends *everything* to the
> > > > > > journal, and then the journal (optionally) can send it too to a regular
> > > > > > syslog. In that sense, it's impossible for the journal to miss any message.
> > > > > >
> > > > > > The only way in which the journal could miss messages is at very early boot
> > > > > > stages; but with a proper initramfs (like the ones generated with dracut),
> > > > > > even those get caught. You get to put an instance of systemd and the
> > > > > > journal inside the initramfs, and so it's available almost from the
> > > > > > beginning.
> > > > > >
> > > > > > And if you use gummiboot, then you can even log from the moment the UEFI
> > > > > > firmware comes to life.
> > > > >
> > > > > So, I get lots of messages in my regular syslog-ng /var/log/messages
> > > > > like the following:
> > > > > Feb 23 12:47:52 ccs.covici.com systemd-journal[715]: Forwarding to syslog missed 15 messages.
> > > > >
> > > > > So, I saw a post on Google to up the queue length, and I upped it to 200,
> > > > > but no joy, still get the messages like the one above.
> > > >
> > > > Are you using the unit file provided by syslog-ng (systemd-delta doesn't
> > > > mention syslog)? Also, is /etc/systemd/system/syslog.service a link
> > > > to /usr/lib/systemd/system/syslog-ng.service?
> > > >
> > > > I do, and I don't get any of those messages. I use the default journal
> > > > configuration. According to [1], this should be fixed.
> > >
> > > I remember getting a small number of messages like that, too, on my laptop.
> > > However, it's at the university, so I can't check now to see what types of
> > > messages were missed (if any; if I understand [1] correctly, those messages are
> > > most likely bogus?).
> > >
> > > But yeah, that's an idea, Covici: see what's in /var/log/messages, compare that
> > > to the journalctl output, and check if any messages were actually missed ("diff
> > > -U" might be of help here). And if/once you did that, what kinds of messages
> > > were missed, if any? If those messages really are bogus, you shouldn't see any
> > > differences between the two.
> > >
> > > > Regards.
> > > >
> > > > https://github.com/balabit/syslog-ng/issues/314
> > >
> > > Note that that fix would only be in the ~arch version of syslog-ng, the current
> > > stable version (3.4.8) is a few months too old.
> >
> > I am up to 3.6 something, so the fix should be there. But my unit file
> > is different, so that remains to check.
>
> I would try the provided unit file. It seems that the only difference with
> yours is that it doesn't comment the Restart=on-failure line, and that it
> has StandardOutput=null.
>
> I think the general idea is always to use upstream's unit files. They write
> the software, supposedly they should know better.

I did change the unit file, but no joy, I still get messages like this:
Feb 23 18:16:05 ccs.covici.com systemd-journal[715]: Forwarding to syslog missed 13 messages.

--
Your life is like a penny. You're going to lose it. The question is:
How do you spend it?

         John Covici
         covici@ccs.covici.com
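The comparison suggested in the quoted thread (check /var/log/messages against the journalctl output to see whether anything was really missed) can be scripted; the following is an added example, not code from any participant or from syslog-ng/systemd. It assumes both sources are available as text in the classic syslog line layout, and the sample lines are constructed for illustration apart from the notice format quoted in the thread.

```python
import re
from collections import Counter

# Classic syslog layout, which journalctl's default "short" output also uses:
#   "Feb 23 12:47:52 host tag[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) \S+ "
    r"(?P<tag>[^\s:\[]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
MISSED_RE = re.compile(r"Forwarding to syslog missed (\d+) messages?\.")

def parse(lines):
    """Yield (timestamp, tag, message). Host and PID are dropped on purpose:
    the two sources may record the host as short name vs. FQDN (assumption)."""
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if m:
            yield (m["ts"], m["tag"], m["msg"])

def compare(journal_lines, syslog_lines):
    """Return (reported, absent): the drop count claimed by the
    systemd-journal notices in the syslog file, and the journal entries
    that have no counterpart there (duplicates are counted)."""
    journal = Counter(parse(journal_lines))
    syslog = Counter(parse(syslog_lines))
    reported = 0
    for (_, tag, msg), n in syslog.items():
        hit = MISSED_RE.search(msg)
        if tag == "systemd-journal" and hit:
            reported += int(hit.group(1)) * n
    absent = sorted((journal - syslog).elements())
    return reported, absent

# Constructed sample data (only the notice wording comes from the thread).
JOURNAL = [
    "Feb 23 12:47:50 ccs sshd[901]: Accepted publickey for alice from 192.0.2.10",
    "Feb 23 12:47:51 ccs cron[640]: (root) CMD (run-parts /etc/cron.hourly)",
    "Feb 23 12:47:51 ccs cron[640]: (root) CMD (run-parts /etc/cron.hourly)",
    "Feb 23 12:47:52 ccs systemd-journal[715]: Forwarding to syslog missed 15 messages.",
]
SYSLOG = [
    "Feb 23 12:47:50 ccs.covici.com sshd[901]: Accepted publickey for alice from 192.0.2.10",
    "Feb 23 12:47:51 ccs.covici.com cron[640]: (root) CMD (run-parts /etc/cron.hourly)",
    "Feb 23 12:47:52 ccs.covici.com systemd-journal[715]: Forwarding to syslog missed 15 messages.",
]

if __name__ == "__main__":
    reported, absent = compare(JOURNAL, SYSLOG)
    print(f"notices claim {reported} dropped; actually absent: {absent}")
```

A large gap between the reported count and the entries actually absent points at the notice rather than at real log loss; entries that are absent are the ones to investigate.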