[arch-general] Replacing journal completely with syslog-ng
I have to say that I really hate journalctl. But apart from that, I need syslog. Journalctl requires too much resources (I have a 512MB KVM) and some times it kicks the server out of memory. Also, there is nearly no way to parse its logs with any log analyzers, you have to do it the hackish way with "journalctl -o export" which is very heavyweight and requires a whole shell process to do so. I just want to completely disable journalctl and use syslog-ng like the good old days. Any help on how to do that? I did my h/w (googled it) but I got no helpful results... Any help appreciated! :)
[2013-10-27 18:41:36 +0200] Dimitris Zervas:
Journalctl requires too much resources (I have a 512MB KVM) and some times it kicks the server out of memory.
Unless you can refine your description of the problem, we can do nothing to help than give suggestions blindly at random. Here's one: add the sysctl parameter kernel.core_pattern=/dev/null Doesn't work? Tough luck; it worked for me...
there is nearly no way to parse its logs with any log analyzers
What "log analyzers" are you referring to? -- Gaetan
On Sun, 27 Oct 2013 18:41:36 +0200 Dimitris Zervas <dzervas@dzervas.gr> wrote:
I have to say that I really hate journalctl. But apart from that, I need syslog. Journalctl requires too much resources (I have a 512MB KVM) and some times it kicks the server out of memory.
I'm not sure what you mean. Does the systemd-journald process take too much memory, or you store logs in RAM and they become too large?
Also, there is nearly no way to parse its logs with any log analyzers, you have to do it the hackish way with "journalctl -o export" which is very heavyweight and requires a whole shell process to do so. I just want to completely disable journalctl and use syslog-ng like the good old days. Any help on how to do that? I did my h/w (googled it) but I got no helpful results... Any help appreciated! :)
You can't disable journald because it is a required module of systemd. However, you can tell journald to not log anything in /etc/systemd/journald.conf (Storage=none). Notice though that syslog-ng under systemd may have an incomplete log. In addition, I'm not sure what happens to timestamps. Both journald and syslog-ng do support high-precision timestamping with journald using them by default. However, I don't know what time will syslog-ng record... -- Leonid Isaev GnuPG key: 0x164B5A6D Fingerprint: C0DF 20D0 C075 C3F1 E1BE 775A A7AE F6CB 164B 5A6D
Op 27 okt. 2013 19:42 schreef "Dimitris Zervas" <dzervas@dzervas.gr> het volgende:
I have to say that I really hate journalctl. But apart from that, I need syslog.
[...] According to [1] journald has an option sendtosyslog. It might also be wise to keep a (small) journal available for those corner cases that will come up. See the runtime* and systemmax on that same page. [1] http://www.freedesktop.org/software/systemd/man/journald.conf.html mvg, Guus
On Sun, Oct 27, 2013 at 5:41 PM, Dimitris Zervas <dzervas@dzervas.gr> wrote:
I have to say that I really hate journalctl. But apart from that, I need syslog. Journalctl requires too much resources (I have a 512MB KVM) and some times it kicks the server out of memory. Also, there is nearly no way to parse its logs with any log analyzers, you have to do it the hackish way with "journalctl -o export" which is very heavyweight and requires a whole shell process to do so. I just want to completely disable journalctl and use syslog-ng like the good old days. Any help on how to do that? I did my h/w (googled it) but I got no helpful results... Any help appreciated! :)
Simply install and enable syslog-ng. Then set Storage=none in /etc/systemd/journald.conf. Reboot afterwards. Journald will forward messages to syslog, without storing anything itself anymore.
participants (5)
-
Dimitris Zervas
-
Gaetan Bisson
-
Guus Snijders
-
Jan Alexander Steffens
-
Leonid Isaev