[opensuse] where did /etc/sysconfig/syslog come from?
Tried to see what package owned it -- as it was changed a few months back to use rsyslog instead of my configured ng-syslog, which I sorta thought was odd -- thought they usually put configfiles aside and labeled them with a special suffix, but didn't see any of those around. Just a bit on the strange side... Thanks -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
L A Walsh wrote:
Tried to see what package owned it -- as it was changed a few months back to use rsyslog instead of my configured ng-syslog, which I sorta thought was odd -- thought they usually put configfiles aside and labeled them with a special suffix, but didn't see any of those around.
Just a bit on the strange side...
Mine had changed March 28, checking zypp history tells me

# 2018-03-28 14:22:07 dhcp-server-4.3.5-5.1.x86_64.rpm installed ok
# Additional rpm output:
# Updating /etc/sysconfig/dhcpd ...
# Updating /etc/sysconfig/syslog ...
#

In my case the file (except comments) only contains

SYSLOGD_ADDITIONAL_SOCKET_DHCP="/var/lib/dhcp/dev/log"
SYSLOGD_ADDITIONAL_SOCKET_DHCP6="/var/lib/dhcp6/dev/log"

which likely is what the dhcp-server scriptlet added.

If you have any syslog packet installed (I don't) check their scripts (rpm -q --scripts) or /var/log/zypp/history for additional rpm output lines...

PS: My system runs TW.
On 2018-05-21 22:59, L A Walsh wrote:
Tried to see what package owned it -- as it was changed a few months back to use rsyslog instead of my configured ng-syslog, which I sorta thought was odd -- thought they usually put configfiles aside and labeled them with a special suffix, but didn't see any of those around.
Just a bit on the strange side...
What var are you looking at? Because I look at mine, and there is no default logger configured there. I see settings for both rsyslog and syslogd. By the way, I don't recommend using syslog-ng on an openSUSE system that has systemd and journal. The reason is that syslog-ng reads the journal files. If the journal is stopped or disabled, syslog does not work. On the other hand, rsyslog pulls the data earlier in the flow and is not affected. -- Cheers / Saludos, Carlos E. R. (from 42.3 x86_64 "Malachite" at Telcontar)
Carlos E. R. wrote:
By the way, I don't recommend using syslog-ng on an openSUSE system that has systemd and journal. The reason is that syslog-ng reads the journal files. If the journal is stopped or disabled, syslog does not work.
In the default config that comes with openSUSE, the same applies to rsyslog, Carlos. FYI, syslog-ng & systemd-journald work fine here. On all of our systems. I can only recommend it :-) IMHO, syslog-ng is so much easier to configure, but ymmv. -- Per Jessen, Zürich (21.4°C) http://www.dns24.ch/ - free dynamic DNS, made in Switzerland.
On 2018-05-22 13:52, Per Jessen wrote:
Carlos E. R. wrote:
By the way, I don't recommend using syslog-ng on an openSUSE system that has systemd and journal. The reason is that syslog-ng reads the journal files. If the journal is stopped or disabled, syslog does not work.
Correction: not stopping the journal daemon, but disabling it writing log files, temporary or permanent.
In the default config that comes with openSUSE, the same applies to rsyslog, Carlos.
No, it doesn't.

cer@minas-tirith:~> journalctl
No journal files were found.
-- No entries --
cer@minas-tirith:~>

Permanent logs:

cer@minas-tirith:~> l /var/log/jou*
ls: cannot access '/var/log/jou*': No such file or directory
cer@minas-tirith:~>

This session logs:

cer@minas-tirith:~> l /run/log/journal
ls: cannot access '/run/log/journal': No such file or directory
cer@minas-tirith:~>
cer@minas-tirith:~> l /run/systemd/journal/
total 4
drwxr-xr-x 3 root root 180 May 19 04:15 ./
drwxr-xr-x 16 root root 400 May 19 04:15 ../
srw-rw-rw- 1 root root 0 May 19 04:15 dev-log=
-rw-r--r-- 1 root root 0 May 19 04:15 flushed
-rw-r--r-- 1 root root 8 May 19 04:15 kernel-seqnum
srw-rw-rw- 1 root root 0 May 19 04:15 socket=
srw-rw-rw- 1 root root 0 May 19 04:15 stdout=
drwxr-xr-x 2 root root 1320 May 22 14:17 streams/
srw-rw-rw- 1 root root 0 May 19 04:15 syslog=
cer@minas-tirith:~>

But syslog is working:

cer@minas-tirith:~> logger "Hello world"
cer@minas-tirith:~> tail /var/log/messages
<1.5> 2018-05-22 14:16:52 minas-tirith dns-resolver - - - ATTENTION: You have modified /etc/resolv.conf. Leaving it untouched...
<1.5> 2018-05-22 14:16:52 minas-tirith dns-resolver - - - You can find my version in /etc/resolv.conf.netconfig
<0.6> 2018-05-22 14:16:55 minas-tirith kernel - - - [41375.835583] [drm] HPD interrupt storm detected on connector DP-2: switching from hotplug detection to polling
<4.6> 2018-05-22 14:17:50 minas-tirith sshd 24136 - - Accepted publickey for cer from 192.168.1.14 port 39692 ssh2: DSA SHA256:IL5fWYgcmeebsYvfWB41P1Z/+UrPHNRpaw77F/UWRf0
<10.6> 2018-05-22 14:17:50 minas-tirith sshd 24136 - - pam_unix(sshd:session): session opened for user cer by (uid=0)
<4.6> 2018-05-22 14:17:50 minas-tirith systemd-logind 1737 - - New session 51 of user cer.
<3.6> 2018-05-22 14:17:50 minas-tirith systemd 1 - - Started Session 51 of user cer.
<3.6> 2018-05-22 14:19:04 minas-tirith smartd 1631 - - Device: /dev/sda [SAT], SMART Usage Attribute: 194 Temperature_Celsius changed from 56 to 74
<1.5> 2018-05-22 14:20:56 minas-tirith cer - - - Hello world <=================
cer@minas-tirith:~>

What I did was this: in file "/etc/systemd/journald.conf" I set:

[Journal]
Storage=none

Try this with syslog-ng: last time I tried it failed.

Documentation explains it:

journald.conf(5)

FORWARDING TO TRADITIONAL SYSLOG DAEMONS

Journal events can be transferred to a different logging daemon in two different ways.

With the first method, messages are immediately forwarded to a socket (/run/systemd/journal/syslog), where the traditional syslog daemon can read them. This method is controlled by the ForwardToSyslog= option.

With a second method, a syslog daemon behaves like a normal journal client, and reads messages from the journal files, similarly to journalctl(1). With this, messages do not have to be read immediately, which allows a logging daemon which is only started late in boot to access all messages since the start of the system. In addition, full structured meta-data is available to it. This method of course is available only if the messages are stored in a journal file at all. So it will not work if Storage=none is set.

It should be noted that usually the second method is used by syslog daemons, so the Storage= option, and not the ForwardToSyslog= option, is relevant for them.
FYI, syslog-ng & systemd-journald work fine here. On all of our systems. I can only recommend it :-)
Because you keep both logs working. On my laptop, journal has no files, it is disabled, to avoid disk file duplication and load.
IMHO, syslog-ng is so much easier to configure, but ymmv.
Yes, I agree. -- Cheers / Saludos, Carlos E. R. (from 42.3 x86_64 "Malachite" at Telcontar)
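The two forwarding methods in the journald.conf(5) excerpt quoted above can be checked mechanically. The following is an added example, not part of any poster's message: a hypothetical helper `journald_syslog_paths` reads one journald.conf and reports whether the socket method and the journal-file method are available. The sample configs are constructed to match the setups mentioned in the thread; drop-in files are not merged, and an unset ForwardToSyslog= is reported as `default` because the compiled-in value is not stated on this page.

```shell
#!/bin/sh
# journald_syslog_paths FILE  (hypothetical helper name)
# Prints: storage=<value> socket=<yes|no|default> journal_files=<yes|no>
#   socket        -> forwarding to /run/systemd/journal/syslog (ForwardToSyslog=)
#   journal_files -> a syslog daemon can read journal files (fails with Storage=none)
journald_syslog_paths() {
    awk '
        BEGIN { storage = "auto"; fwd = "default"; in_journal = 0 }
        /^[ \t]*[#;]/ { next }                       # skip comment lines
        /^[ \t]*\[/ {                                # section header
            in_journal = ($0 ~ /^[ \t]*\[Journal\][ \t]*$/)
            next
        }
        in_journal && /=/ {
            key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key)
            val = $0; sub(/^[^=]*=/, "", val); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "Storage") storage = val      # last assignment wins
            if (key == "ForwardToSyslog") fwd = tolower(val)
        }
        END {
            if (fwd ~ /^(yes|true|on|1)$/) socket = "yes"
            else if (fwd == "default")     socket = "default"
            else                           socket = "no"
            files = (storage == "none") ? "no" : "yes"
            printf "storage=%s socket=%s journal_files=%s\n", storage, socket, files
        }
    ' "$1"
}

# Constructed sample configs for the three setups discussed in the thread.
demo_journald() {
    d=$(mktemp -d) || return 1
    printf '[Journal]\nStorage=none\n' > "$d/storage-none.conf"
    printf '[Journal]\nStorage=volatile\nForwardToSyslog=yes\n' > "$d/volatile-forward.conf"
    printf '[Journal]\nSystemMaxUse=5\nForwardToSyslog=yes\n' > "$d/maxuse-forward.conf"
    for f in "$d"/*.conf; do
        printf '%s: %s\n' "${f##*/}" "$(journald_syslog_paths "$f")"
    done
    rm -rf "$d"
}
demo_journald
```

A result of `journal_files=no` means a daemon configured as a journal client receives nothing, so log collection stops without any error from journald itself.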
Carlos E. R. wrote:
On 2018-05-22 13:52, Per Jessen wrote:
Carlos E. R. wrote:
By the way, I don't recommend using syslog-ng on an openSUSE system that has systemd and journal. The reason is that syslog-ng reads the journal files. If the journal is stopped or disabled, syslog does not work.
Correction: not stopping the journal daemon, but disabling it writing log files, temporary or permanent.
In the default config that comes with openSUSE, the same applies to rsyslog, Carlos.
No, it doesn't.
I did test it before I wrote my reply, if you stop journald, rsyslog and syslog-ng both stop logging. Anyway, if you don't want journald writing to disk, but you still want syslog working, use "storage=volatile" and "forwardtosyslog=yes" in /etc/systemd/journald.conf -- Per Jessen, Zürich (23.1°C) http://www.dns24.ch/ - free dynamic DNS, made in Switzerland.
On 2018-05-22 15:23, Per Jessen wrote:
Carlos E. R. wrote:
On 2018-05-22 13:52, Per Jessen wrote:
Carlos E. R. wrote:
By the way, I don't recommend using syslog-ng on an openSUSE system that has systemd and journal. The reason is that syslog-ng reads the journal files. If the journal is stopped or disabled, syslog does not work.
Correction: not stopping the journal daemon, but disabling it writing log files, temporary or permanent.
In the default config that comes with openSUSE, the same applies to rsyslog, Carlos.
No, it doesn't.
I did test it before I wrote my reply, if you stop journald, rsyslog and syslog-ng both stop logging.
I said: Correction: not stopping the journal daemon, but disabling it writing log files, temporary or permanent.
Anyway, if you don't want journald writing to disk, but you still want syslog working, use "storage=volatile" and "forwardtosyslog=yes" in /etc/systemd/journald.conf
I use storage=none, so syslog-ng fails to work here, but rsyslog works fine. -- Cheers / Saludos, Carlos E. R. (from 42.3 x86_64 "Malachite" at Telcontar)
* Per Jessen <per@computer.org> [05-22-18 09:24]: [...]
I did test it before I wrote my reply, if you stop journald, rsyslog and syslog-ng both stop logging.
Anyway, if you don't want journald writing to disk, but you still want syslog working, use "storage=volatile" and "forwardtosyslog=yes" in /etc/systemd/journald.conf
I accomplish nearly the same by setting SystemMaxUse=5 and ForwardToSyslog=yes -- (paka)Patrick Shanahan Plainfield, Indiana, USA @ptilopteri http://en.opensuse.org openSUSE Community Member facebook/ptilopteri Registered Linux User #207535 @ http://linuxcounter.net Photos: http://wahoo.no-ip.org/piwigo paka @ IRCnet freenode
On 2018-05-22 16:14, Patrick Shanahan wrote:
* Per Jessen <> [05-22-18 09:24]:
[...]
I did test it before I wrote my reply, if you stop journald, rsyslog and syslog-ng both stop logging.
Anyway, if you don't want journald writing to disk, but you still want syslog working, use "storage=volatile" and "forwardtosyslog=yes" in /etc/systemd/journald.conf
I accomplish nearly the same by setting SystemMaxUse=5 and ForwardToSyslog=yes
Still, entries are written to both places, that's some i/o load.

On my main machine I limit its disk space load, with the result that now the boot entries have been purged out (no permanent journal). On my server machine I left it on with ample space, for testing what would happen:

cer@Isengard:~> journalctl --disk-usage
Archived and active journals take up 2.0G on disk.
cer@Isengard:~>

The syslog files use 269 MB, much less and probably several months more of logs.

Journal start:

-- Logs begin at Sun 2017-08-20 17:50:07 CEST, end at Tue 2018-05-22 17:11:16 CEST. --
Aug 20 17:50:06 Isengard systemd-coredump[8943]: Process 17740 (Kodi_MovistarTV) of user 1000 dumped core.

Syslog start:

<5.6> 2017-01-22T21:29:18.565260+01:00 Isengard rsyslogd - - - message repeated 143 times: [-- MARK --]

-- Cheers / Saludos, Carlos E. R. (from 42.3 x86_64 "Malachite" (Minas Tirith))
* Carlos E. R. <robin.listas@telefonica.net> [05-22-18 11:15]:
On 2018-05-22 16:14, Patrick Shanahan wrote:
* Per Jessen <> [05-22-18 09:24]:
[...]
I did test it before I wrote my reply, if you stop journald, rsyslog and syslog-ng both stop logging.
Anyway, if you don't want journald writing to disk, but you still want syslog working, use "storage=volatile" and "forwardtosyslog=yes" in /etc/systemd/journald.conf
I accomplish nearly the same by setting SystemMaxUse=5 and ForwardToSyslog=yes
Still, entries are written to both places, that's some i/o load.
On my main machine I limit its disk space load, with the result that now the boot entries have been purged out (no permanent journal). On my server machine I left it on with ample space, for testing what would happen:
cer@Isengard:~> journalctl --disk-usage Archived and active journals take up 2.0G on disk. cer@Isengard:~>
The syslog files use 269 MB, much less and probably several months more of logs.
14:02 Crash:~ > journalctl --disk-usage
Archived and active journals take up 2.5M in the file system.

-- (paka)Patrick Shanahan Plainfield, Indiana, USA @ptilopteri http://en.opensuse.org openSUSE Community Member facebook/ptilopteri Registered Linux User #207535 @ http://linuxcounter.net Photos: http://wahoo.no-ip.org/piwigo paka @ IRCnet freenode
Patrick Shanahan wrote:
* Carlos E. R. <robin.listas@telefonica.net> [05-22-18 11:15]:
On 2018-05-22 16:14, Patrick Shanahan wrote:
* Per Jessen <> [05-22-18 09:24]:
[...]
I did test it before I wrote my reply, if you stop journald, rsyslog and syslog-ng both stop logging.
Anyway, if you don't want journald writing to disk, but you still want syslog working, use "storage=volatile" and "forwardtosyslog=yes" in /etc/systemd/journald.conf
I accomplish nearly the same by setting SystemMaxUse=5 and ForwardToSyslog=yes
Still, entries are written to both places, that's some i/o load.
On my main machine I limit its disk space load, with the result that now the boot entries have been purged out (no permanent journal). On my server machine I left it on with ample space, for testing what would happen:
cer@Isengard:~> journalctl --disk-usage Archived and active journals take up 2.0G on disk. cer@Isengard:~>
The syslog files use 269 MB, much less and probably several months more of logs.
14:02 Crash:~ > journalctl --disk-usage Archived and active journals take up 2.5M in the file system.
It all depends on how much activity the system has. A busy mailserver will be logging more etc.

hardly any activity:

test422:~ # journalctl --disk-usage
Archived and active journals take up 49.4M on disk.
test422:~ # uptime
20:12pm up 57 days 2:53, 1 user, load average: 0.13, 0.04, 0.01

much busier:

jensen:~ # journalctl --disk-usage
Archived and active journals take up 408.0M in the file system.
jensen:~ # uptime
20:13:37 up 32 days 6:34, 2 users, load average: 0.30, 5.01, 30.89

-- Per Jessen, Zürich (18.6°C) http://www.hostsuisse.com/ - virtual servers, made in Switzerland.
On 2018-05-22 20:14, Per Jessen wrote:
Patrick Shanahan wrote:
* Carlos E. R. <robin.listas@telefonica.net> [05-22-18 11:15]:
On 2018-05-22 16:14, Patrick Shanahan wrote:
* Per Jessen <> [05-22-18 09:24]:
[...]
I did test it before I wrote my reply, if you stop journald, rsyslog and syslog-ng both stop logging.
Anyway, if you don't want journald writing to disk, but you still want syslog working, use "storage=volatile" and "forwardtosyslog=yes" in /etc/systemd/journald.conf
I accomplish nearly the same by setting SystemMaxUse=5 and ForwardToSyslog=yes
Still, entries are written to both places, that's some i/o load.
On my main machine I limit its disk space load, with the result that now the boot entries have been purged out (no permanent journal). On my server machine I left it on with ample space, for testing what would happen:
cer@Isengard:~> journalctl --disk-usage Archived and active journals take up 2.0G on disk. cer@Isengard:~>
The syslog files use 269 MB, much less and probably several months more of logs.
14:02 Crash:~ > journalctl --disk-usage Archived and active journals take up 2.5M in the file system.
It all depends on how much activity the system has. A busy mailserver will be logging more etc.
hardly any activity: test422:~ # journalctl --disk-usage Archived and active journals take up 49.4M on disk. test422:~ # uptime 20:12pm up 57 days 2:53, 1 user, load average: 0.13, 0.04, 0.01
much busier: jensen:~ # journalctl --disk-usage Archived and active journals take up 408.0M in the file system. jensen:~ # uptime 20:13:37 up 32 days 6:34, 2 users, load average: 0.30, 5.01, 30.89
The machine with the 2 GB journal (default settings) has a big disk usage because it is almost one year of logs. On my desktop machine I only have one boot, no permanent journal, but they get purged fast because leafnode (nntp proxy server) talks a lot. So now there are no entries from boot after just 10 days of use. -- Cheers / Saludos, Carlos E. R. (from 42.3 x86_64 "Malachite" at Telcontar)
Carlos E. R. wrote:
On 2018-05-21 22:59, L A Walsh wrote:
Tried to see what package owned it -- as it was changed a few months back to use rsyslog instead of my configured ng-syslog, which I sorta thought was odd -- thought they usually put configfiles aside and labeled them with a special suffix, but didn't see any of those around.
Just a bit on the strange side...
What var are you looking at?
What var? You mean in the file? one called 'SYSLOG_DAEMON' it had been switched from syslog-ng to rsyslog somewhere along the way.

FWIW, I was wondering why it wasn't listed as being in some package -- like:

rpm -qf /etc/sysconfig/syslog
xxyz-package...

thought that might give me a hint about what package overwrote it.

But also thought it strange that the new one wasn't named syslog.rpm-old or such if it was auto-switched out, or syslog.rpm-new if it wanted me to do the switch.
By the way, I don't recommend using syslog-ng on an openSUSE system that has systemd and journal.
Good to know, but so far, not a problem.
23.05.2018 04:55, L A Walsh wrote:
FWIW, I was wondering why it wasn't listed as being in some package -- like:
rpm -qf /etc/sysconfig/syslog xxyz-package...
thought that might give me a hint about what package overwrote it.
You are using openSUSE long enough to know that most files in /etc/sysconfig are not installed directly, but generated from templates. There may be multiple templates installed by multiple packages that are merged into single file in /etc/sysconfig. /var/adm/fillup-templates is the usual place where packages install them.
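Because the merged file has no owning package, the useful question is which template contributes each variable. The following is an added example, not part of the message above: a hypothetical helper `sysconfig_var_sources` lists, for every variable in a sysconfig file, the templates in a given directory that define it, or `-` when none does. The sample file and the template file name are constructed; on a real system the directory would be the one named in the message.

```shell
#!/bin/sh
# sysconfig_var_sources SYSCONFIG_FILE TEMPLATE_DIR  (hypothetical helper name)
# For every VAR= assignment in SYSCONFIG_FILE print "VAR<TAB>template[,template...]",
# or "VAR<TAB>-" when no file in TEMPLATE_DIR assigns that variable.
sysconfig_var_sources() {
    conf=$1
    dir=$2
    # Extract variable names; comment lines start with '#' and do not match.
    sed -n 's/^[[:space:]]*\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p' "$conf" |
    LC_ALL=C sort -u |
    while read -r var; do
        # "$var=" is anchored so that FOO does not match FOO6 or FOO_BAR.
        src=$(grep -l "^[[:space:]]*$var=" "$dir"/* 2>/dev/null |
              sed 's|.*/||' | LC_ALL=C sort | paste -sd, -)
        printf '%s\t%s\n' "$var" "${src:--}"
    done
}

demo_fillup() {
    d=$(mktemp -d) || return 1
    mkdir "$d/templates"
    # Constructed stand-in for /etc/sysconfig/syslog.
    cat > "$d/syslog" <<'EOF'
## Type: string
SYSLOG_DAEMON="rsyslog"
SYSLOGD_ADDITIONAL_SOCKET_DHCP="/var/lib/dhcp/dev/log"
SYSLOGD_ADDITIONAL_SOCKET_DHCP6="/var/lib/dhcp6/dev/log"
EOF
    # Constructed template; the file name is hypothetical.
    cat > "$d/templates/sysconfig.syslog-dhcp-server" <<'EOF'
SYSLOGD_ADDITIONAL_SOCKET_DHCP="/var/lib/dhcp/dev/log"
SYSLOGD_ADDITIONAL_SOCKET_DHCP6="/var/lib/dhcp6/dev/log"
EOF
    sysconfig_var_sources "$d/syslog" "$d/templates"
    rm -rf "$d"
}
demo_fillup
```

Unlike the merged file, a template file is installed by a package, so `rpm -qf` on the template path names the package behind a variable. A variable reported with `-` has no template in that directory and was set some other way.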
Andrei Borzenkov wrote:
23.05.2018 04:55, L A Walsh wrote:
FWIW, I was wondering why it wasn't listed as being in some package -- like: rpm -qf /etc/sysconfig/syslog xxyz-package... thought that might give me a hint about what package overwrote it.
You are using openSUSE long enough to know that most files in /etc/sysconfig are not installed directly,
doesn't rpm have entries for config files and generated config files so ownership can go with 'some' package, like "base-xx.yy.rpm"? You can say I /should/ know, but I can also point out that I've also been around long enough to know there are a lot of exceptions to things 'rules' even within a given distro. Combine that with the number of distros that have touched my machine in upgrades... You run a machine through enough upgrades and you should know that virtually nothing is really _knowable_. ;-) (not to mention, it will likely change in the next version)... (ya know?) :-) I'm guessing that I installed rsyslog, looking for some replacement for my, getting crusty, but still working ng-syslogd and forgot that opensuse auto-enables all installed programs and services (sigh)..
On 2018-05-23 03:55, L A Walsh wrote:
Carlos E. R. wrote:
On 2018-05-21 22:59, L A Walsh wrote:
Tried to see what package owned it -- as it was changed a few months back to use rsyslog instead of my configured ng-syslog, which I sorta thought was odd -- thought they usually put configfiles aside and labeled them with a special suffix, but didn't see any of those around.
Just a bit on the strange side...
What var are you looking at?
What var?
You mean in the file? one called 'SYSLOG_DAEMON' it had been switched from syslog-ng to rsyslog somewhere along the way.
Yes, that one. I simply do not have that var anymore.

Telcontar:~ # grep SYSLOG_DAEMON /etc/sysconfig/syslog
Telcontar:~ #

Isengard:~ # grep SYSLOG_DAEMON /etc/sysconfig/syslog
Isengard:~ #

It was removed, not by me. Which means that it is probably ignored.
FWIW, I was wondering why it wasn't listed as being in some package -- like:
Because some script does it. I think long ago there was a default directory somewhere with default files. [...] Ah, I see that Andrei has posted the name of that directory :-)
rpm -qf /etc/sysconfig/syslog xxyz-package...
thought that might give me a hint about what package overwrote it.
But also thought it strange that the new one wasn't named syslog.rpm-old or such if it was auto-switched out, or syslog.rpm-new if it wanted me to do the switch.
Because those files are never replaced. Vars are added or changed (not removed). Scripts do the changes calling 'sed' or something.
By the way, I don't recommend using syslog-ng on an openSUSE system that has systemd and journal.
Good to know, but so far, not a problem.
Read the rest of the thread and you'll see why I said that :-) -- Cheers / Saludos, Carlos E. R. (from 42.3 x86_64 "Malachite" at Telcontar)
participants (6)
- Andrei Borzenkov
- Carlos E. R.
- L A Walsh
- Patrick Shanahan
- Per Jessen
- Peter Suetterlin