-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 El 2025-02-26 a las 21:29 +0300, Andrei Borzenkov escribió:
26.02.2025 17:17, Carlos E. R. wrote:
On 2025-02-26 14:34, Andrei Borzenkov wrote:
On Wed, Feb 26, 2025 at 3:43 PM Carlos E. R. <...> wrote:
I use "meld" to find out the differences. Lines like this are missing:
Feb 18 12:17:58 Telcontar sddm[2599]: Initializing...
That's fac 1. kern?
Why? Just use
journalctl -o verbose ...
to show all fields including SYSLOG_FACILITY
Thanks. There is no facility. That's why the filter fails:
Yes, journal does not support negative or "has (not)" style of matches.
A sad omission. When submitting to bugzilla I do not want to include my mail log, for privacy; nor do I want to include news because they are several megabytes of useless entries. And news entries are multiline, at least in my system. The amount of missing entries is substantial: cer@Telcontar:~/Bugzilla/nuevo_20250226> journalctl --boot=-2 --facility=kern,user,mail,daemon,auth,syslog,lpr,news,uucp,cron,authpriv,ftp,12,13,14,15,local0,local1,local2,local3,local4,local5,local6,local7 | tee journal_fac | wc -l 178781 cer@Telcontar:~/Bugzilla/nuevo_20250226> journalctl --boot=-2 | tee journal_all | wc -l 221479 cer@Telcontar:~/Bugzilla/nuevo_20250226> l total 41080 drwxr-xr-x 2 cer users 4096 Feb 26 19:36 ./ drwxrwxr-x 93 cer root 8192 Feb 26 19:32 ../ - -rw-r--r-- 1 cer users 23299642 Feb 26 19:36 journal_all - -rw-r--r-- 1 cer users 18743605 Feb 26 19:36 journal_fac cer@Telcontar:~/Bugzilla/nuevo_20250226>
Tue 2025-02-18 12:17:58.798499 CET [s=918bfecad21d42deb9d5de39b387f803;i=2020bf;b=509c9ed60df74c27a8db34cbd742e899;m=3d08fc1;t=62e68cb1394a8;x=eaecf4382c2d69a3] _BOOT_ID=509c9ed60df74c27a8db34cbd742e899 _MACHINE_ID=2ce1d54548517a7307c1c2bc38206d00 _HOSTNAME=Telcontar PRIORITY=7 _UID=0 _GID=0 _SELINUX_CONTEXT=unconfined _SYSTEMD_SLICE=system.slice _TRANSPORT=journal
Transport is journal which means SDDM is using native journal API and is responsible for providing any metadata.
bor@bor-Latitude-E5450:~$ journalctl -b --system -o json | jq -r ._TRANSPORT | sort -u driver journal kernel stdout syslog bor@bor-Latitude-E5450:~$
And if we look where SYSLOG_FACILITY is missing
bor@bor-Latitude-E5450:~$ journalctl -b --system -o json | jq -r 'select(has("SYSLOG_FACILITY")|not)| ._TRANSPORT' | sort -u journal bor@bor-Latitude-E5450:~$
and
bor@bor-Latitude-E5450:~$ journalctl -b --system -o json | jq -r 'select(has("SYSLOG_FACILITY")|not)| ._CMDLINE' /usr/libexec/udisks2/udisksd /usr/libexec/gnome-remote-desktop-daemon --system /usr/libexec/udisks2/udisksd /usr/libexec/geoclue /usr/libexec/udisks2/udisksd /usr/libexec/udisks2/udisksd /usr/libexec/udisks2/udisksd bor@bor-Latitude-E5450:~$
In principle, you can use JSON output format together with any JSON processing tool to filter out anything you (do not) want and cobble together log lines in any form.
Hum. Sigh. JSON is totally out of my experience. In <https://unix.stackexchange.com/questions/272662/how-do-i-clear-journalctl-entries-for-a-specific-unit-only> they suggest using a script to remove entries: +++····················· Use my Python 3 program copy_journal.py on the journal files in /var/log/journal from which you want to remove entries. For instance, to make a copy of system.journal without log entries for NetworkManager.service: $ journalctl --file=system.journal | wc 167 1934 18825 $ journalctl --file=system.journal | grep -v NetworkManager | wc 77 881 8421 $ python3 copy_journal.py --remove-unit=NetworkManager.service system.journal system-without-nm.journal $ journalctl --file=system-without-nm.journal | wc 77 881 8421 ·····················++- Said script is here: https://github.com/Mortal/cournal/blob/master/copy_journal.py But it goes by units, not facilities. And it seems to operate on the entire journal, which is gigabytes. I need only one boot session. Normally I would use grep, but news fac has multiline entries, so no go. Anyway, I have submitted the bugzilla, attaching the journal minus mail and news, and minus the megabytes of entries without facility. I told Bugzilla of the issue, I hope the surviving log entries are enough (kernel mostly are the interest). Otherwise, maybe they can suggest another method of purging the journal. Surely, I am not the only one needing to purge the journal for privacy when submitting a bugzilla. I have the syslog, but strangely, it has many more lines than the journal; and the boot part is different. cer@Telcontar:~/Bugzilla/nuevo_20250226> wc -l syslog journal_all journal_fac 332772 syslog 221479 journal_all 178781 journal_fac 733032 total cer@Telcontar:~/Bugzilla/nuevo_20250226> The syslog should be basically the same as journal_fac. Ie, syslog is complete with mail and news filtered, and also local1..7 are not there (tradition). And journal_fac was obtained with all facilities except mail and news. - -- Cheers, Carlos E. R. (from openSUSE 15.6 x86_64 at Telcontar) -----BEGIN PGP SIGNATURE----- iHoEARECADoWIQQZEb51mJKK1KpcU/W1MxgcbY1H1QUCZ79wBhwccm9iaW4ubGlz dGFzQHRlbGVmb25pY2EubmV0AAoJELUzGBxtjUfVcKEAn33UhkueDXFkOtwY0A0h 9RcH4Wq4AJ42DyLzm8DXK9YEIViFj8IhZWj0Nw== =15wX -----END PGP SIGNATURE-----