
* Peter Czanik <pczanik@fang.fa.gau.hu> [2012-09-27 09:06]:
> The primary advantage of the journal is that it's heavily integrated with the init system (systemd):
> - logging of early boot related messages is possible, while (r)syslog(-ng) can't be started early enough and only with ugly hacks to catch part of those.
> - much better logging of apps started by systemd
As you said, early boot logging can be made to work without completely reinventing the wheel.
> A much hyped feature is "trusted properties", which can help debugging as long as that "rm -fr" did not happen. Just see what is recorded by syslog-ng, and what is recorded by the journal. I created an obviously falsified log message, but I could also spoof an ssh login, or dhcpd IP request into the logs. Using the verbose output of journalctl one can see that this message is coming from a user and not from a daemon...
>
> $ logger -t ooops -i I was where
> # tail -1 /var/log/messages
> Sep 27 08:09:00 linux-dbr3 ooops[3147]: I was where
> #
>
> vs.
>
> # systemd-journalctl -o verbose
> Thu, 27 Sep 2012 08:09:00 +0200 [s=3df0698924264732814a4ffbbc73cb76;i=49a;b=80aaa318b95c42748481efeff8fd2150;m=a72e2270;t=4caa8c67f409c;x=a6873d5ab8006c50;p=system.journal]
> _TRANSPORT=syslog
> PRIORITY=5
> SYSLOG_FACILITY=1
> SYSLOG_IDENTIFIER=ooops
> SYSLOG_PID=3147
> MESSAGE=I was where
> _PID=3147
> _UID=1000
> _GID=100
> _SOURCE_REALTIME_TIMESTAMP=1348726140387051
> _BOOT_ID=80aaa318b95c42748481efeff8fd2150
> _MACHINE_ID=42f6872bec8588115c31d8de0000095a
> _HOSTNAME=linux-dbr3.site
This may not be possible with syslog-ng; however, rsyslogd, which is the openSUSE default syslog, has supported secure recording of pid, gid, uid for a long time, and more recently it has become capable of recording the path of the executable, command name and full command line obtained via /proc.
> It also has a circular log file, so it never fills the HDD, but uses a given percentage of it (5% by default AFAIR). So log rotation is no longer a problem.
rsyslogd has fixed-length log rotation built in which can achieve exactly the same.
> Right now there is double logging by default: the journal collects messages to /var/log/journal and syslog(-ng) to /var/log. One of these is just wasting disk space...
Yes, that sucks on oS 12.2.
> And the major advantage from the syslog(-ng) point of view is that most of it can be disabled while the useful part continues to work, as it will still follow apps started by systemd, collect status messages, etc., which is not possible by any syslog implementation on that level.
As stated above, implementing this doesn't require replacing the whole logging infrastructure.
-- 
Guido Berhoerster
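Added example, not from the thread or either poster: a small Python checker over `journalctl -o verbose` output that compares the sender-supplied SYSLOG_PID and SYSLOG_IDENTIFIER against the kernel-sourced _PID and _UID, the comparison the verbose record above makes possible. The sample records (the thread's `ooops` entry plus a made-up one claiming to be sshd) and the DAEMON_TAGS set are constructed assumptions.

```python
import re

# Constructed sample in `journalctl -o verbose` layout (one field per line): the
# thread's `ooops` record, then a made-up record where an unprivileged
# `logger` call claims to be sshd.
SAMPLE = """\
Thu, 27 Sep 2012 08:09:00 +0200 [s=3df0698924264732814a4ffbbc73cb76;i=49a]
    SYSLOG_IDENTIFIER=ooops
    SYSLOG_PID=3147
    MESSAGE=I was where
    _PID=3147
    _UID=1000
    _COMM=logger

Thu, 27 Sep 2012 08:10:12 +0200 [s=3df0698924264732814a4ffbbc73cb76;i=49b]
    SYSLOG_IDENTIFIER=sshd
    SYSLOG_PID=999
    MESSAGE=Accepted publickey for root from 10.0.0.5 port 4242 ssh2
    _PID=3150
    _UID=1000
    _COMM=logger
"""

# Assumption: tags that only a root-owned daemon should ever emit.
DAEMON_TAGS = {"sshd", "dhcpd", "sudo", "su", "crond"}
FIELD = re.compile(r"(_?[A-Z][A-Z0-9_]*)=(.*)")  # the cursor header line never matches

def parse_verbose(text):
    """Split verbose journal output into one dict of fields per record."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        matches = (FIELD.fullmatch(l.strip()) for l in chunk.splitlines())
        records.append({m.group(1): m.group(2) for m in matches if m})
    return records

def suspicious(rec):
    """Reasons the sender-supplied identity disagrees with kernel-sourced fields."""
    reasons = []
    tag, claimed = rec.get("SYSLOG_IDENTIFIER", ""), rec.get("SYSLOG_PID")
    if claimed is not None and claimed != rec.get("_PID"):
        reasons.append(f"claimed pid {claimed} but kernel saw pid {rec.get('_PID')}")
    if tag in DAEMON_TAGS and rec.get("_UID") != "0":
        reasons.append(f"tag {tag!r} sent by uid {rec.get('_UID')}, not root")
    return reasons

def audit(text):
    """(tag, message, reasons) for every record that fails a check."""
    recs = [(r.get("SYSLOG_IDENTIFIER"), r.get("MESSAGE"), suspicious(r)) for r in parse_verbose(text)]
    return [t for t in recs if t[2]]
```

The `ooops` record passes because its claimed pid matches _PID and the tag is not a guarded daemon name; the constructed sshd record is flagged on both checks.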