[arch-general] systemd's journal and syslog-ng
On 02/09/2012 03:29 PM, Dave Reisner wrote:
- With the journal enabled (and it is enabled by default), you no longer need to run a syslog daemon (i.e. syslog-ng or rsyslog). The journal, by default, writes to /run/systemd/journal (meaning logs will poof on reboot). If you want to keep your logs, simply create /var/log/journal. If you really want to keep using a syslog daemon, you must tell it to read from /run/systemd/journal/socket, NOT /dev/log.
I know I do not longer need to run a syslog daemon, but I like my logs in human readable form. So, being a obedient ml reader, I configured my syslog-ng to read from said new socket unix-dgram("/run/systemd/journal/socket"); instead of the old /dev/log. But since then my logs are incomplete at best. So here are my questions: - Why are the logs read from /run/systemd/journal/socket incomplete and how do I fix this? - Why do I even have to change the socket? /dev/log is still there and still works like a charm.
Tobias Frilling <tobias@frilling-online.de> on Wed, 15 Feb 2012 12:35:56 +0100:
On 02/09/2012 03:29 PM, Dave Reisner wrote:
- With the journal enabled (and it is enabled by default), you no longer need to run a syslog daemon (i.e. syslog-ng or rsyslog). The journal, by default, writes to /run/systemd/journal (meaning logs will poof on reboot). If you want to keep your logs, simply create /var/log/journal. If you really want to keep using a syslog daemon, you must tell it to read from /run/systemd/journal/socket, NOT /dev/log.
I know I do not longer need to run a syslog daemon, but I like my logs in human readable form. So, being a obedient ml reader, I configured my syslog-ng to read from said new socket unix-dgram("/run/systemd/journal/socket"); instead of the old /dev/log. But since then my logs are incomplete at best. So here are my questions:
- Why are the logs read from /run/systemd/journal/socket incomplete and how do I fix this? - Why do I even have to change the socket? /dev/log is still there and still works like a charm.
/dev/log gives the messages only once. If two processes read from there it's just random which gets which messages. Probably that is why your logs are incomplete. Changing syslog to read from systemd journal's socket should fix this. -- Best regards, Chris O< ascii ribbon campaign stop html mail - www.asciiribbon.org
On Wed 15/02/12, 13:28, Christian Hesse wrote:
- Why are the logs read from /run/systemd/journal/socket incomplete and how do I fix this?
/dev/log gives the messages only once. If two processes read from there it's just random which gets which messages. Probably that is why your logs are incomplete. Changing syslog to read from systemd journal's socket should fix this.
It seems to me that he is saying that they are incomplete JUST when reading from systemd journal Giorgio
On 02/15/2012 02:30 PM, Giorgio Lando wrote:
On Wed 15/02/12, 13:28, Christian Hesse wrote:
- Why are the logs read from /run/systemd/journal/socket incomplete and how do I fix this?
/dev/log gives the messages only once. If two processes read from there it's just random which gets which messages. Probably that is why your logs are incomplete. Changing syslog to read from systemd journal's socket should fix this.
It seems to me that he is saying that they are incomplete JUST when reading from systemd journal Giorgio
exactly
To give a few more examples: With syslog-ng reading journal/socket: - No logging for cron daemon (fcron) - No logging at all in log/auth.log - Only some few kernel messages in log/everything.log - No logging with logger(1) The list goes on ...
If somebody still is interested in this, here is my follow-up: After some digging (it is amazing how little information exist for this, not even a man page for anything journal related) I came to the conclusion that journal/socket is not meant for a logging daemon to read from. Instead journal/syslog should be used (see [1]). So your service file should look something like this: [Unit] Description=System Logger Daemon [Service] Sockets=syslog.socket ExecStartPre=-/bin/systemctl stop systemd-kmsg-syslogd.service ExecStart=/usr/sbin/syslog-ng -F ExecReload=/bin/kill -HUP $MAINPID Sockets=syslog.socket StandardOutput=null [Install] WantedBy=multi-user.target Alias=syslog.service And syslog should read from /run/systemd/journal/syslog [1] http://lwn.net/Articles/474968/
Oh, and syslog should probably not read from /proc/kmsg (see http://lists.freedesktop.org/archives/systemd-devel/2012-January/004310.html)
Le 15/02/12, Tobias Frilling <tobias@frilling-online.de> a écrit :
If somebody still is interested in this, here is my follow-up:
After some digging (it is amazing how little information exist for this, not even a man page for anything journal related) I came to the conclusion that journal/socket is not meant for a logging daemon to read from. Instead journal/syslog should be used (see [1]). So your service file should look something like this:
[Unit] Description=System Logger Daemon
[Service] Sockets=syslog.socket ExecStartPre=-/bin/systemctl stop systemd-kmsg-syslogd.service ExecStart=/usr/sbin/syslog-ng -F ExecReload=/bin/kill -HUP $MAINPID Sockets=syslog.socket StandardOutput=null
[Install] WantedBy=multi-user.target Alias=syslog.service
And syslog should read from /run/systemd/journal/syslog
What's the difference between this syslog-ng.service file and the one from syslog-ng ? Beside the Alias line, you only duplicate the Sockets line which already exists. -- radio ianux - http://ianux.fr/
On 02/16/2012 07:13 PM, ianux wrote:
What's the difference between this syslog-ng.service file and the one from syslog-ng ? Beside the Alias line, you only duplicate the Sockets line which already exists.
Yeah, the duplication was an accident (might have happened out of frustration). My prior setup lacked the journal/syslog socket, so I thought that the service file was missing a Sockets= entry (reading the file might have helped ;-) ). The service file shipped with syslog-ng does the trick, as long as you point the config to journal/syslog. As for the Alias line, consider this comment from syslog.socket: # The default syslog implementation should make syslog.service a # symlink to itself, so that this socket activates the right actual # syslog service. # # Examples: # # /etc/systemd/system/syslog.service -> /lib/systemd/system/rsyslog.service # /etc/systemd/system/syslog.service -> /lib/systemd/system/syslog-ng.service # # Best way to achieve that is by adding this to your unit file # (i.e. to rsyslog.service or syslog-ng.service): # # [Install] # Alias=syslog.service
Le 16/02/12, Tobias Frilling <tobias@frilling-online.de> a écrit :
On 02/16/2012 07:13 PM, ianux wrote:
What's the difference between this syslog-ng.service file and the one from syslog-ng ? Beside the Alias line, you only duplicate the Sockets line which already exists.
Yeah, the duplication was an accident (might have happened out of frustration). My prior setup lacked the journal/syslog socket, so I thought that the service file was missing a Sockets= entry (reading the file might have helped ;-) ). The service file shipped with syslog-ng does the trick, as long as you point the config to journal/syslog. As for the Alias line, consider this comment from syslog.socket:
# The default syslog implementation should make syslog.service a # symlink to itself, so that this socket activates the right actual # syslog service. # # Examples: # # /etc/systemd/system/syslog.service -> /lib/systemd/system/rsyslog.service # /etc/systemd/system/syslog.service -> /lib/systemd/system/syslog-ng.service # # Best way to achieve that is by adding this to your unit file # (i.e. to rsyslog.service or syslog-ng.service): # # [Install] # Alias=syslog.service
The Alias line now makes sense to me. It links syslog-ng.service to syslog.socket which create /run/systemd/journal/syslog. Thanks for the tip (logging through /run/systemd/journal/socket indeed looks like garbage). -- radio ianux - http://ianux.fr/
participants (4)
-
Christian Hesse
-
Giorgio Lando
-
ianux
-
Tobias Frilling