On 2017-08-27 14:27, Bengt Gördén wrote:
On 2017-08-27 at 12:08, Carlos E. R. wrote:
But how would you extract everything from the "mail" "facility"? That is, everything that would go to /var/log/mail, regardless of what daemon or service produced it.
rfc3164
journalctl SYSLOG_FACILITY=2
Ouch. Ok, rfc5424. That's really trivial to use... (irony). :-) Yes, that works.
Check with journalctl -N to see what fields are currently used in the journal.
Or check out the last 10 entries in verbose mode to see what you can filter out.
journalctl -o verbose -n
Argh!
As Carlos said, you can install a syslog daemon and forward to that if you want. But I would also recommend starting to adapt to systemd and journald.
Forgive my expressiveness, but bullshit! :-)
I might be. I'm really no black-belt in systemd/journal, just trying to walk the path of least resistance. :-D
Understood. For me, it is far easier to install syslog :-)
You simply cannot rely on journal to keep long-term or large mail logs. It simply cannot cope on any mail server.
By long term I mean at least two years worth of logs, which amounts to many gigabytes even on a small mail server.
Yes. You're probably right there, although I haven't seen any research about it. Do you know of any? I'm truly interested. I haven't tried with more than 2G of logs, and that is quite small.
Well, it is based on my own experiments and comments from others. With a very small mail and nntp server the journal log grows very large and takes many minutes to peruse. Soon it starts to rotate out entries: the mail and nntp entries are so many compared to the rest of the system entries that everything related to the system is purged out soon, and you cannot investigate system events more than a few days back. This is due to the journal storing all types of messages in the same binary database; there is no sorting. You cannot say "store mail entries for a month, the rest for two weeks", for example, or any other combination. A mail server would need to keep logs for two years. That's millions of lines. Requirements would also be to keep separate backups of the logs, and to ensure you can read them on different machines even after destruction of the server. How to do this has not been answered. Being a binary log, you also need tools to reconstruct the logs if they get corrupted and extract the entries. And my experiments found that keeping many thousands of mail/nntp entries in the journal caused it to grow to unmanageable sizes (especially when compared with traditional logs of the same events). A search could take hours.
Further, it is impossible with journal to adjust logs of, say, mail, to be rotated and compressed differently than the rest.
I've not tried all things yet but gradually I get there and hopefully will be able to get back and share my findings.
No, this particular question was answered as impossible (intentionally) previously. The reasoning goes something like this: you need to keep logs of every event of the system together. If something goes awry with email, perhaps there was a disk error at the same time that should be investigated. Well, there is some truth in it. Still, mail logs in a mail server can be very large and may force earlier rotation than thought of the entire journal thing. And of course, thousands of lines of other stuff can block the sight of other types of events when looking (with eyes) at the logs. It can happen, though, that after a month you are no longer interested in keeping debug logs of, say, nntp, which may be huge. Well, no luck, you cannot purge them out. You have to keep the entire thing or nothing.
If you really want syslog change ForwardToSyslog in /etc/systemd/journald.conf and install the daemon. No need to edit/change anything. Just install the openSUSE daemon package.
Ok. That's good.
I have to modify that slightly, having just tried it on a test install. YaST will say to remove a systemd log service, I forgot the exact name. It is a placeholder, so just accept. Also, the syslog daemon is not automatically enabled and started after install; that has to be done manually. No big deal, but both are things to be aware of.
-- 
Cheers / Saludos,
Carlos E. R. (from 42.2 x86_64 "Malachite" at Telcontar)
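The thread filters on the numeric SYSLOG_FACILITY field (2 = mail, per RFC 5424) and notes that journald cannot retain one facility separately from the rest. As an added example that is not part of the thread, the following script reads the one-JSON-object-per-line output of `journalctl -o json` (fed in from a file or pipe) and groups entries by facility name, so mail entries can be exported for separate long-term retention; the sample lines are constructed, not real logs.

```python
"""Group journalctl JSON-export lines by syslog facility (RFC 5424 numbering)."""
import json
from collections import defaultdict

# RFC 5424 section 6.2.1 facility codes, the numbers journald stores in SYSLOG_FACILITY
FACILITY_NAMES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    16: "local0", 17: "local1", 18: "local2", 19: "local3",
    20: "local4", 21: "local5", 22: "local6", 23: "local7",
}

def facility_name(value):
    """Map a SYSLOG_FACILITY value (string or int in journal JSON) to its RFC 5424 name."""
    try:
        return FACILITY_NAMES.get(int(value), "unknown")
    except (TypeError, ValueError):
        return "unknown"

def split_by_facility(lines):
    """Group journal entries (one JSON object per line) by facility name.

    Entries without SYSLOG_FACILITY (e.g. a service's stdout captured by journald
    rather than sent via syslog()) land under "none" so nothing is silently dropped.
    """
    groups = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        entry = json.loads(line)
        fac = entry.get("SYSLOG_FACILITY")
        key = facility_name(fac) if fac is not None else "none"
        groups[key].append(entry)
    return dict(groups)

# Constructed sample in the shape journalctl -o json produces (not real logs)
SAMPLE = """\
{"__REALTIME_TIMESTAMP":"1503836820000000","SYSLOG_FACILITY":"2","SYSLOG_IDENTIFIER":"postfix/smtpd","MESSAGE":"connect from localhost[127.0.0.1]"}
{"__REALTIME_TIMESTAMP":"1503836821000000","SYSLOG_FACILITY":"2","SYSLOG_IDENTIFIER":"postfix/qmgr","MESSAGE":"removed"}
{"__REALTIME_TIMESTAMP":"1503836822000000","SYSLOG_FACILITY":"0","SYSLOG_IDENTIFIER":"kernel","MESSAGE":"EXT4-fs error"}
{"__REALTIME_TIMESTAMP":"1503836823000000","SYSLOG_IDENTIFIER":"myservice","MESSAGE":"stdout line without facility"}
"""

if __name__ == "__main__":
    # With real data: journalctl -o json | python3 this_script.py
    for name, entries in split_by_facility(SAMPLE.splitlines()).items():
        print(name, len(entries))
```

Writing each group to its own file (for example, the "mail" group to a dated file) gives the per-facility retention and rotation the thread says the journal itself cannot provide.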