[opensuse] What syslog daemon
Hi,
In this machine (13.1) I use rsyslog. Some years ago I used syslog-ng.
I find rsyslog problematic when finding errors in the config file, it fails to point at the exact error.
what do you think is currently better, rsyslog or syslog-ng?
(No, I do not like systemd journal. I disable it)
-- Cheers
Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
rsyslog, if for no other reason than RELP support (but there are many others;-))
--
Later,
Darin
On Thu, Sep 1, 2016 at 1:42 PM, Carlos E. R.
Hi,
In this machine (13.1) I use rsyslog. Some years ago I used syslog-ng.
I find rsyslog problematic when finding errors in the config file, it fails to point at the exact error.
what do you think is currently better, rsyslog or syslog-ng?
(No, I do not like systemd journal. I disable it)
-- Cheers
Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
Carlos E. R. wrote:
Hi,
In this machine (13.1) I use rsyslog. Some years ago I used syslog-ng.
I find rsyslog problematic when finding errors in the config file, it fails to point at the exact error.
what do you think is currently better, rsyslog or syslog-ng?
syslog-ng, without a doubt.
-- Per Jessen, Zürich (16.4°C) http://www.hostsuisse.com/ - dedicated server rental in Switzerland.
On 2 September 2016 at 07:18, Per Jessen
Carlos E. R. wrote:
Hi,
In this machine (13.1) I use rsyslog. Some years ago I used syslog-ng.
I find rsyslog problematic when finding errors in the config file, it fails to point at the exact error.
what do you think is currently better, rsyslog or syslog-ng?
syslog-ng, without a doubt.
agreed, syslog-ng all the way. It's better documented, it's used elsewhere besides just linux, it can better ID message types and categorise them into classes, you can do realtime correlation, its log files are easier to read, and last but by no means least our very own contributor Peter Czanik is the upstream syslog-ng Community Manager so the support in openSUSE is top notch ;)
On 02.09.2016 at 09:56, Richard Brown wrote:
On 2 September 2016 at 07:18, Per Jessen
wrote: Carlos E. R. wrote:
Hi,
In this machine (13.1) I use rsyslog. Some years ago I used syslog-ng.
I find rsyslog problematic when finding errors in the config file, it fails to point at the exact error.
what do you think is currently better, rsyslog or syslog-ng?
syslog-ng, without a doubt.
agreed, syslog-ng all the way. It's better documented, it's used elsewhere besides just linux, it can better ID message types and categorise them into classes, you can do realtime correlation, its log files are easier to read, and last but by no means least our very own contributor Peter Czanik is the upstream syslog-ng Community Manager so the support in openSUSE is top notch ;)
would syslog-ng give me a textfile like /var/log/messages that I can just look at from time to time?
can I just install it with Yast, or do I have to do special settings (for example for compressing old logs etc.)?
-- Daniel Bauer photographer Basel Barcelona http://www.daniel-bauer.com
Daniel Bauer wrote:
On 02.09.2016 at 09:56, Richard Brown wrote:
On 2 September 2016 at 07:18, Per Jessen
wrote: Carlos E. R. wrote:
In this machine (13.1) I use rsyslog. Some years ago I used syslog-ng.
I find rsyslog problematic when finding errors in the config file, it fails to point at the exact error.
what do you think is currently better, rsyslog or syslog-ng?
syslog-ng, without a doubt.
agreed, syslog-ng all the way. It's better documented, it's used elsewhere besides just linux, it can better ID message types and categorise them into classes, you can do realtime correlation, its log files are easier to read, and last but by no means least our very own contributor Peter Czanik is the upstream syslog-ng Community Manager so the support in openSUSE is top notch ;)
would syslog-ng give me a textfile like /var/log/messages that I can just look at from time to time?
That is in the default config, so yes.
can I just install it with Yast, or do I have to do special settings (for example for compressing old logs etc.)?
You just install it with YaST or zypper. If you want old logfiles compressed and archived, you need logrotate.
-- Per Jessen, Zürich (20.5°C) http://www.hostsuisse.com/ - dedicated server rental in Switzerland.
On 09/02/2016 04:21 AM, Daniel Bauer wrote:
would syslog-ng give me a textfile like /var/log/messages that I can just look at from time to time?
The short answer is yes. The longer answer is that (a) it depends what you mean by "like", and (b) how willing you are to spend time learning, RTFM, reading how-to articles, to get syslog-ng to sing and dance the way you want.
Maybe, just maybe, your expectations are low. In which case you want care that it can do things that you've never considered before and what may be of great benefit to you, automation your work and so forth in ways you never dreamt of. Who knows?
In the dim mists of times long past one of the most useful programs to me as a pupal sysadmin was a tool called 'swatch'. This was long before the Swiss watch company of that name with the colourful bands. It was a Perl script that watched the output of the old, vanilla, under-equipped syslog. It could be configured to watch for any event or series of events occurring in a time period or sequence and notify you by email, writing to your console or even LO! by sending a message to your pager. This was in the days before cell phones and SMS. When they came along there was an upgrade for SMS :-) It even had what Marcus Ranum termed 'artificial ignorance' - it could ignore the stuff you deemed 'noise'. And let's face it, if you knew Perl you knew that its scanners and RE matching was so much better than the shell and grep! And faster and ... well, just Better!
But now it's irrelevant. There's syslog and there's syslog-ng.
If you aren't interested in what syslog-ng can do that makes things like swatch irrelevant because syslog-ng can be configured to do it all, then stick with the vanilla 'syslog'.
Why am I saying this?
Regular readers will recall that I'm into amateur (that is, I don't get paid for it, no matter the quality) photography. I have been since my mid teens. I've owned many cameras; I've followed their technological evolution. I've been using SLRs for longer than I've been using *NIX.
Sometimes I'm out and about and I meet professionals and discuss technique; yes they have good, often leading edge equipment, but that's incidental - being professionals they (a) need it and (b) can pay for it as a business expense. But we talk technique not technology.
Then I meet the people with more money than sense. They buy expensive, complicated cameras and clearly don't know how to configure them - heck that might involve reading the manual and that's not !FUN! If you do talk to them they speak of the cost of their equipment and how great it is and how it's so much better than my ("antiquated") stuff, how many megapixels they have, how many lenses they have. I try not to deal with these people. All they have is very very expensive, very overpowered point-and-shoot.
If all you need is the basic "point and shoot" level of technology then don't get something more complicated, more complex, more configurable than you need unless you are willing to invest in learning about it and making use of its capability. It will be a frustration for you.
-- A: Yes. > Q: Are you sure? >> A: Because it reverses the logical flow of conversation. >>> Q: Why is top posting frowned upon?
Anton Aylward wrote:
On 09/02/2016 04:21 AM, Daniel Bauer wrote:
would syslog-ng give me a textfile like /var/log/messages that I can just look at from time to time?
The short answer is yes. The longer answer is that (a) it depends what you mean by "like", and (b) how willing you are to spend time learning, RTFM, reading how-to articles, to get syslog-ng to sing and dance the way you want.
Anton, that is just not true. What Daniel wants, he'll get with the default config. There is no need to suggest it is any more difficult.
In the dim mists of times long past one of the most useful programs to me as a pupal sysadmin was a tool called 'swatch'. This was long before the Swiss watch company of that name with the colourful bands. It was a Perl script that ... [snip]
So that means it was after 1987, by which time Swatch had been operating for five years I think :-)
watched the output of the old, vanilla, under-equipped syslog. It could be configured to watch for any event or series of events occurring in a time period or sequence and notify you by email, writing to your console or even LO! by sending a message to your pager. This was in the days before cell phones and SMS.
Okay, now we've got it narrowed down to somewhere between 1987 and 1995.
There's syslog and there's syslog-ng.
If you aren't interested in what syslog-ng can do that makes things like swatch irrelevant because syslog-ng can be configured to do it all, then stick with the vanilla 'syslog'.
openSUSE defaults to installing no syslog, but to suggest "syslogd" today instead of rsyslog or syslog-ng is really poor advice, IMHO.
Why am I saying this?
Yes, I do wonder.
If all you need is the basic "point and shoot" level of technology then don't get something more complicated, more complex, more configurable than you need unless you are willing to invest in learning about it and making use of its capability. It will be a frustration for you.
Assuming we are talking about syslog-ng, I disagree. Completely. For anyone with a desire to have /var/log/messages and /var/log/mail written to disk as we used to have, simply install rsyslog or syslog-ng, and that's it. They'll both do all kinds of singing and dancing, but unless you want them to, you don't need to do any further studies.
-- Per Jessen, Zürich (26.4°C) http://www.dns24.ch/ - your free DNS host, made in Switzerland.
On 2016-09-02 09:56, Richard Brown wrote:
On 2 September 2016 at 07:18, Per Jessen
wrote: Carlos E. R. wrote:
Hi,
In this machine (13.1) I use rsyslog. Some years ago I used syslog-ng.
I find rsyslog problematic when finding errors in the config file, it fails to point at the exact error.
what do you think is currently better, rsyslog or syslog-ng?
syslog-ng, without a doubt.
agreed, syslog-ng all the way. It's better documented, it's used elsewhere besides just linux, it can better ID message types and categorise them into classes, you can do realtime correlation, its log files are easier to read, and last but by no means least our very own contributor Peter Czanik is the upstream syslog-ng Community Manager so the support in openSUSE is top notch ;)
Then I'll try it again in 42.2, and probably switch back to it. For some reason, rsyslog was the default on openSUSE some years back, that's the reason I have it. And it's given me problems. -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
On 2016-09-02 15:05, Carlos E. R. wrote:
Then I'll try it again in 42.2, and probably switch back to it.
I just did. I was very surprised that when I started it, it logged all messages since boot. It must have queried the systemd journal, instead of starting logging messages since the instant it starts to run. -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
On Friday, 2 September 2016 15:29:51 BST Carlos E. R. wrote:
On 2016-09-02 15:05, Carlos E. R. wrote:
Then I'll try it again in 42.2, and probably switch back to it.
I just did. I was very surprised that when I started it, it logged all messages since boot. It must have queried the systemd journal, instead of starting logging messages since the instant it starts to run.
I think both syslog and rsyslog have been updated to query the journal database. I think the config option in systemd to forward logs to syslog is no longer set to do it automatically, I think they are going to drop the option.
-- Qt: 5.6.1 KDE Frameworks: 5.25.0 kf5-config: 1.0 KDE Plasma: 5.7.4 Kernel: 4.7.2-1-default opensuse:tumbleweed:20160831
On 02.09.2016 at 15:29, Carlos E. R. wrote:
On 2016-09-02 15:05, Carlos E. R. wrote:
Then I'll try it again in 42.2, and probably switch back to it.
I just did. I was very surprised that when I started it, it logged all messages since boot. It must have queried the systemd journal, instead of starting logging messages since the instant it starts to run.
hm. I did it, too, but probably I did something wrong: my /var/log/messages (and the other files there that were created after the install) are all 0 bytes.
I remember that when installing syslog-ng Yast told me something about a conflict with some system-logging program that it wanted to remove, and I accepted. Maybe I shouldn't... (I don't remember exactly what it removed, but my /var/log/zypp/history files says: remove |systemd-logger|210-95.1|x86_64|... )
What did I do wrong? How can I repair it?
Daniel
(For the other messages here: I am not a systems analyzer and most things in those logs are Chinese to me. But sometimes - in very rare cases - I took a look what is going on, and sometimes I found some anomalies. As much as I know, in the current binary version of the logs I first must know what I am looking for and make a query, but I never know: I just scroll thru the list and see if there's something "suspicious". A /very/ amateur approach, I know. )
-- Daniel Bauer photographer Basel Barcelona http://www.daniel-bauer.com
After a restart /var/log/messages was created and filled with actual and even very old data. So everything ok. Sorry.
On 02.09.2016 at 20:37, Daniel Bauer wrote:
On 02.09.2016 at 15:29, Carlos E. R. wrote:
On 2016-09-02 15:05, Carlos E. R. wrote:
Then I'll try it again in 42.2, and probably switch back to it.
I just did. I was very surprised that when I started it, it logged all messages since boot. It must have queried the systemd journal, instead of starting logging messages since the instant it starts to run.
hm. I did it, too, but probably I did something wrong: my /var/log/messages (and the other files there that were created after the install) are all 0 bytes.
I remember that when installing syslog-ng Yast told me something about a conflict with some system-logging program that it wanted to remove, and I accepted. Maybe I shouldn't... (I don't remember exactly what it removed, but my /var/log/zypp/history files says: remove |systemd-logger|210-95.1|x86_64|... )
What did I do wrong? How can I repair it?
Daniel
(For the other messages here: I am not a systems analyzer and most things in those logs are Chinese to me. But sometimes - in very rare cases - I took a look what is going on, and sometimes I found some anomalies. As much as I know, in the current binary version of the logs I first must know what I am looking for and make a query, but I never know: I just scroll thru the list and see if there's something "suspicious". A /very/ amateur approach, I know. )
-- Daniel Bauer photographer Basel Barcelona http://www.daniel-bauer.com
On 2016-09-02 20:47, Daniel Bauer wrote:
After a restart /var/log/messages was created and filled with actual and even very old data. So everything ok. Sorry.
Next step is stopping systemd keeping the journal. There are settings for this which I'll have to find out again.
-- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" (Minas Tirith))
Carlos E. R. wrote:
On 2016-09-02 20:47, Daniel Bauer wrote:
After a restart /var/log/messages was created and filled with actual and even very old data. So everything ok. Sorry.
Next step is stopping systemd keeping the journal. There are settings for this which I'll have to find out again.
It used to be just "rm -Rf /var/log/journal", but that is now (Leap421) living in /run/log which is a tmpfs. The size is limited, so there's probably no need to do anything.
-- Per Jessen, Zürich (19.2°C) http://www.hostsuisse.com/ - virtual servers, made in Switzerland.
On 2016-09-03 09:09, Per Jessen wrote:
Carlos E. R. wrote:
On 2016-09-02 20:47, Daniel Bauer wrote:
After a restart /var/log/messages was created and filled with actual and even very old data. So everything ok. Sorry.
Next step is stopping systemd keeping the journal. There are settings for this which I'll have to find out again.
It used to be just "rm -Rf /var/log/journal", but that is now (Leap421) living in /run/log which is a tmpfs. The size is limited, so there's probably no need to do anything.
No, there are also settings to limit what is stored temporarily.
/etc/systemd/journald.conf
[Journal]
#CER
#Storage=none
SystemMaxUse=100M
RuntimeMaxUse=50M
MaxLevelStore=info
# "emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"
MaxRetentionSec=1 week
Before that, my tmpfs was very large. Hundreds of megabytes.
-- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
On Sat, Sep 03, Carlos E. R. wrote:
On 2016-09-02 20:47, Daniel Bauer wrote:
After a restart /var/log/messages was created and filled with actual and even very old data. So everything ok. Sorry.
Next step is stopping systemd keeping the journal. There are settings for this which I'll have to find out again.
Arrggghhh.
syslog-ng may "conflict" with systemd-journald, but that seems..odd.
Insofar as I've just discovered syslog-ng rather depends on a running systemd-journald in order to get any messages. I had enabled & started syslog-ng, and disabled & stopped systemd-journal. Today I notice that I have nothing except stats() in /var/log/messages. Everything else stopped at the same point where I turned off systemd-journald...
So it seems not so much either/or as "would you like us to scribble the messages in the old-fashioned way to /var/log AS WELL?"
If someone from SuSE knows definitively if this is How It Works, clarification would be welcome.
TIA,
Michael
-- Michael Fischer michael@visv.net
On Sat, Sep 03, Carlos E. R. wrote:
Next step is stopping systemd keeping the journal. There are settings for this which I'll have to find out again.
Arrggghhh.
syslog-ng may "conflict" with systemd-journald, but that seems..odd.
Insofar as I've just discovered syslog-ng rather depends on a running systemd-journald in order to get any messages. I had enabled & started syslog-ng, and disabled & stopped systemd-journal. Today I notice that I have nothing except stats() in /var/log/messages. Everything else stopped at the same point where I turned off systemd-journald...
Oh :-((
So it seems not so much either/or as "would you like us to scribble the messages in the old-fashioned way to /var/log AS WELL?"
If someone from SuSE knows definitively if this is How It Works, clarification would be welcome.
Have you tried to leave systemd-journal running, but with the Storage=none setting? (in /etc/systemd/journald.conf)
-- Cheers Carlos E. R. (from 13.1 x86_64 "Bottle" (Minas Tirith))
On Tue, Sep 06, Carlos E. R. wrote:
On 2016-09-06 at 14:12 -0400, Michael Fischer wrote:
On Sat, Sep 03, Carlos E. R. wrote:
Next step is stopping systemd keeping the journal. There are settings for this which I'll have to find out again.
Arrggghhh.
syslog-ng may "conflict" with systemd-journald, but that seems..odd.
Insofar as I've just discovered syslog-ng rather depends on a running systemd-journald in order to get any messages. I had enabled & started syslog-ng, and disabled & stopped systemd-journal. Today I notice that I have nothing except stats() in /var/log/messages. Everything else stopped at the same point where I turned off systemd-journald...
Oh :-((
So it seems not so much either/or as "would you like us to scribble the messages in the old-fashioned way to /var/log AS WELL?"
If someone from SuSE knows definitively if this is How It Works, clarification would be welcome.
Have you tried to leave systemd-journal running, but with the
Storage=none
setting? (in /etc/systemd/journald.conf)
Hmm. No, but that's a thought.
$ du -sh /var/log/journal
41M /var/log/journal/69c54807c3cb473b82a49c7b7e022c37
Is not all that bad, actually. But....
Ok, just tried it, making sure that
ForwardToSyslog=yes
Storage=none
And after the ritual `systemctl daemon-reload; systemctl restart systemd-journald.service` .... `logger -p LOCAL4.INFO "test message"` goes nowhere.
So I'm either misunderstanding journald.conf(5), or the line in there which says
""" "none" turns off all storage, all log data received will be dropped. Forwarding to other targets, such as the console, the kernel log buffer or a syslog daemon will still work however. """
is lying.
Michael
-- Michael Fischer michael@visv.net
Sent from iPhone
On 6 Sept. 2016, at 22:42, Michael Fischer wrote:
Have you tried to leave systemd-journal running, but with the
Storage=none
setting? (in /etc/systemd/journald.conf)
Hmm. No, but that's a thought.
$ du -sh /var/log/journal
41M /var/log/journal/69c54807c3cb473b82a49c7b7e022c37
Is not all that bad, actually. But....
Ok, just tried it, making sure that
ForwardToSyslog=yes
Storage=none
And after the ritual `systemctl daemon-reload; systemctl restart systemd-journald.service` .... `logger -p LOCAL4.INFO "test message"` goes nowhere.
So I'm either misunderstanding journald.conf(5), or the line in there which says
""" "none" turns off all storage, all log data received will be dropped. Forwarding to other targets, such as the console, the kernel log buffer or a syslog daemon will still work however. """
is lying.
Not really. It depends on how syslog-ng gets messages from journald. If it is configured as journald client (as opposed to listening on socket) then it can only get messages that had been stored. Please read https://www.freedesktop.org/software/systemd/man/journald.conf.html for details.
Andrei Borzenkov wrote:
Not really. It depends on how syslog-ng gets messages from journald. If it is configured as journald client (as opposed to listening on socket) then it can only get messages that had been stored.
The default config uses "system()" which almost certainly means /dev/log.
-- Per Jessen, Zürich (12.7°C) http://www.hostsuisse.com/ - virtual servers, made in Switzerland.
Sent from iPhone
On 7 Sept. 2016, at 9:08, Per Jessen wrote:
Andrei Borzenkov wrote:
Not really. It depends on how syslog-ng gets messages from journald. If it is configured as journald client (as opposed to listening on socket) then it can only get messages that had been stored.
The default config uses "system()" which almost certainly means /dev/log.
When journald is active, it takes over /dev/log and forwards messages over alternate socket; syslog daemon must be explicitly configured to listen to this alternate socket.
From syslog-ng system() documentation:
If the host is running under systemd, syslog-ng OSE reads directly from the systemd journal file using the systemd-journal() source.
On 2016-09-07 at 16:07 +0300, Andrei Borzenkov wrote:
Sent from iPhone
When journald is active, it takes over /dev/log and forwards messages over alternate socket; syslog daemon must be explicitly configured to listen to this alternate socket.
From syslog-ng system() documentation:
If the host is running under systemd, syslog-ng OSE reads directly from the systemd journal file using the systemd-journal() source.--
Just what I thought and I do not like.
-- Cheers Carlos E. R. (from 13.1 x86_64 "Bottle" (Minas Tirith))
On Wed, Sep 07, Andrei Borzenkov wrote:
Sent from iPhone
On 7 Sept. 2016, at 9:08, Per Jessen wrote:
Andrei Borzenkov wrote:
Not really. It depends on how syslog-ng gets messages from journald. If it is configured as journald client (as opposed to listening on socket) then it can only get messages that had been stored.
The default config uses "system()" which almost certainly means /dev/log.
When journald is active, it takes over /dev/log and forwards messages over alternate socket; syslog daemon must be explicitly configured to listen to this alternate socket.
From syslog-ng system() documentation:
If the host is running under systemd, syslog-ng OSE reads directly from the systemd journal file using the systemd-journal() source.--
Aha. That was the pointer I was looking for. Interestingly, this seems to happen "under the hood": the strings "systemd" and "journal" appear nowhere under /etc/syslog-ng nor in /etc/sysconfig/syslog.
At this point I'm going to make a note not to disable systemd-journald, nor to set its Storage=none, and leave it like Per said: "just works".
Thanks folks.
Michael
-- Michael Fischer michael@visv.net
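Added example, not part of any message in this thread: a shell check that reads a journald.conf and reports whether messages can reach a syslog daemon over the two delivery paths discussed above (daemon reading the stored journal, or daemon listening on the forwarding socket). The function names, verdict strings, sample files and the FORWARD_DEFAULT fallback are assumptions made for this illustration; the compiled-in ForwardToSyslog default differs between systemd versions, so set it to what journald.conf(5) on the host states.

```shell
#!/bin/sh
# Added example (not from the thread): audit journald.conf against the
# behaviour the thread describes for syslog daemons under systemd.

# journal_opt FILE KEY DEFAULT
# Print the last uncommented KEY= value in the [Journal] section, else DEFAULT.
journal_opt() {
    awk -v key="$2" -v def="$3" '
        /^[ \t]*[#;]/ { next }                       # skip comment lines
        /^[ \t]*\[/   { insec = ($0 ~ /^[ \t]*\[Journal\]/); next }
        insec && (p = index($0, "=")) {
            k = substr($0, 1, p - 1); v = substr($0, p + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            # an empty assignment resets the key to its default
            if (k == key) { val = v; found = (v != "") }
        }
        END { print (found ? val : def) }
    ' "$1"
}

# audit_journald FILE READER
#   READER=journal  the syslog daemon reads stored journal entries
#                   (what the quoted system() documentation describes)
#   READER=socket   the syslog daemon listens on the forwarding socket
# Prints one verdict per line; returns 1 when nothing can reach the daemon.
audit_journald() {
    conf=$1 reader=$2 rc=0
    storage=$(journal_opt "$conf" Storage auto)
    # Assumption: fallback used when the file does not set ForwardToSyslog.
    forward=$(journal_opt "$conf" ForwardToSyslog "${FORWARD_DEFAULT:-no}")
    level=$(journal_opt "$conf" MaxLevelStore debug)
    runmax=$(journal_opt "$conf" RuntimeMaxUse "")

    case $forward in yes|true|on|1) forward=yes ;; *) forward=no ;; esac

    if [ "$reader" = journal ] && [ "$storage" = none ]; then
        echo "STARVED: Storage=none stores nothing, so a journal reader gets nothing"
        rc=1
    fi
    if [ "$reader" = socket ] && [ "$forward" = no ]; then
        echo "STARVED: ForwardToSyslog is off, nothing reaches the syslog socket"
        rc=1
    fi
    if [ "$reader" = journal ] && [ "$storage" != none ] \
        && [ "$level" != debug ] && [ "$level" != 7 ]; then
        echo "FILTERED: MaxLevelStore=$level, less severe messages are never stored"
    fi
    if [ "$storage" != none ] && [ -z "$runmax" ]; then
        echo "SIZE: RuntimeMaxUse not set, /run/log journal uses the built-in limit"
    fi
    [ "$rc" -eq 0 ] && echo "OK-DELIVERY: $reader reader will receive messages"
    return $rc
}

# Constructed sample files modelled on the two configurations in the thread.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

cat > "$demo_dir/michael.conf" <<'EOF'
[Journal]
ForwardToSyslog=yes
Storage=none
EOF

cat > "$demo_dir/carlos.conf" <<'EOF'
[Journal]
#Storage=none
SystemMaxUse=100M
RuntimeMaxUse=50M
MaxLevelStore=info
MaxRetentionSec=1 week
EOF

echo "== michael.conf, syslog daemon reading the journal"
audit_journald "$demo_dir/michael.conf" journal || true
echo "== michael.conf, syslog daemon on the forwarding socket"
audit_journald "$demo_dir/michael.conf" socket || true
echo "== carlos.conf, syslog daemon reading the journal"
audit_journald "$demo_dir/carlos.conf" journal || true
```

To check a real host, call `audit_journald /etc/systemd/journald.conf journal` for a daemon that reads the journal; drop-in files under journald.conf.d are not merged by this sketch.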
Michael Fischer wrote:
On Wed, Sep 07, Andrei Borzenkov wrote:
Sent from iPhone
On 7 Sept. 2016, at 9:08, Per Jessen wrote:
Andrei Borzenkov wrote:
Not really. It depends on how syslog-ng gets messages from journald. If it is configured as journald client (as opposed to listening on socket) then it can only get messages that had been stored.
The default config uses "system()" which almost certainly means /dev/log.
When journald is active, it takes over /dev/log and forwards messages over alternate socket; syslog daemon must be explicitly configured to listen to this alternate socket.
From syslog-ng system() documentation:
If the host is running under systemd, syslog-ng OSE reads directly from the systemd journal file using the systemd-journal() source.--
Aha. That was the pointer I was looking for. Interestingly, this seems to happen "under the hood": the strings "systemd" and "journal" appear nowhere under /etc/syslog-ng nor in /etc/sysconfig/syslog.
In syslog-ng, I think the system() source does it all for you. There is some documentation though: https://www.balabit.com/documents/syslog-ng-ose-latest-guides/en/syslog-ng-o...
-- Per Jessen, Zürich (22.8°C) http://www.hostsuisse.com/ - dedicated server rental in Switzerland.
On 2016-09-07 at 10:38 -0400, Michael Fischer wrote:
On Wed, Sep 07, Andrei Borzenkov wrote:
If the host is running under systemd, syslog-ng OSE reads directly from the systemd journal file using the systemd-journal() source.--
Aha. That was the pointer I was looking for. Interestingly, this seems to happen "under the hood": the strings "systemd" and "journal" appear nowhere under /etc/syslog-ng nor in /etc/sysconfig/syslog.
At this point I'm going to make a note not to disable systemd-journald, nor to set its Storage=none, and leave it like Per said: "just works".
I think you should limit the size, because it uses tmpfs to store the temporary journal.
-- Cheers Carlos E. R. (from 13.1 x86_64 "Bottle" (Minas Tirith))
On September 7, 2016 10:20:57 AM PDT, "Carlos E. R."
On 2016-09-07 at 10:38 -0400, Michael Fischer wrote:
On Wed, Sep 07, Andrei Borzenkov wrote:
If the host is running under systemd, syslog-ng OSE reads directly from the systemd journal file using the systemd-journal() source.--
Aha. That was the pointer I was looking for. Interestingly, this seems to happen "under the hood": the strings "systemd" and "journal" appear nowhere under /etc/syslog-ng nor in /etc/sysconfig/syslog.
At this point I'm going to make a note not to disable systemd-journald, nor to set its Storage=none, and leave it like Per said: "just works".
I think you should limit the size, because it uses tmpfs to store the temporary journal.
That's true, and tmpfs is backed by disk if I'm not mistaken. But also people should look at setting the various MaxLevel logging levels down in journals.conf. This might make more sense than tight limits. KDE is especially egregious at logging every little thing at the warning level. Almost none of that chatter is useful to anyone, and could go out at debug level, or even info. But the defaults are set such that all this chatter accumulates on disk.
-- Cheers Carlos E. R.
(from 13.1 x86_64 "Bottle" (Minas Tirith))
-- Sent from my Android phone with K-9 Mail. Please excuse my brevity.
On 2016-09-07 at 12:53 -0700, John Andersen wrote:
On September 7, 2016 10:20:57 AM PDT, "Carlos E. R." wrote:
I think you should limit the size, because it uses tmpfs to store the temporary journal.
That's true, and tmpfs is backed by disk if I'm not mistaken.
On swap. /IF/ the /var/log/journal/ directory exists, then the systemd journal is stored permanently there.
But also people should look at setting the various MaxLevel logging levels down in journald.conf.
This might make more sense than tight limits.
Not if you intend to use syslog-ng, I'm afraid. It works fine with rsyslog.
KDE is especially egregious at logging every little thing at the warning level.
Not the only one. I see a lot of entries from gtk or others. I had to write filters to remove the chatter.
Almost none of that chatter is useful to anyone, and could go out at debug level, or even info. But the defaults are set such that all this chatter accumulates on disk.
Indeed.
-- Cheers Carlos E. R. (from 13.1 x86_64 "Bottle" (Minas Tirith))
Carlos E. R. wrote:
On 2016-09-07 at 10:38 -0400, Michael Fischer wrote:
On Wed, Sep 07, Andrei Borzenkov wrote:
If the host is running under systemd, syslog-ng OSE reads directly from the systemd journal file using the systemd-journal() source.
Aha. That was the pointer I was looking for. Interestingly, this seems to happen "under the hood": the strings "systemd" and "journal" appear nowhere under /etc/syslog-ng nor in /etc/sysconfig/syslog.
At this point I'm going to make a note not to disable systemd-journald, nor to set its Storage=none, and leave it like Per said: "just works".
I think you should limit the size, because it uses tmpfs to store the temporary journal.
I have never had a need to do that, in fact I've never even considered it :-). According to the stats:
Leap422 on a 1Gb xen guest: Sep 04 18:08:44 linux systemd-journald[281]: Runtime journal (/run/log/journal/) is currently using 6.1M. Maximum allowed usage is set to 49.4M. Leaving at least 74.1M free (of currently available 487.8M of space)....
Leap422 on a 4Gb desktop: Sep 07 09:08:29 linux systemd-journald[385]: Runtime journal (/run/log/journal/) is currently using 8.0M. Maximum allowed usage is set to 182.8M. Leaving at least 274.2M free (of currently available 1.7G of space)....
I assume the "Maximum allowed usage" is correct.
-- Per Jessen, Zürich (15.4°C) http://www.hostsuisse.com/ - dedicated server rental in Switzerland.
On 2016-09-08 at 08:23 +0200, Per Jessen wrote:
Carlos E. R. wrote:
I think you should limit the size, because it uses tmpfs to store the temporary journal.
I have never had a need to do that, in fact I've never even considered it :-). According to the stats:
Leap422 on a 1Gb xen guest: Sep 04 18:08:44 linux systemd-journald[281]: Runtime journal (/run/log/journal/) is currently using 6.1M. Maximum allowed usage is set to 49.4M. Leaving at least 74.1M free (of currently available 487.8M of space)....
What was the command to find out...?
Before I defined limits, it was about half a gigabyte, because of the nntp and mail logs.
-- Cheers Carlos E. R. (from 13.1 x86_64 "Bottle" (Minas Tirith))
Carlos E. R. wrote:
On 2016-09-08 at 08:23 +0200, Per Jessen wrote:
Carlos E. R. wrote:
I think you should limit the size, because it uses tmpfs to store the temporary journal.
I have never had a need to do that, in fact I've never even considered it :-). According to the stats:
Leap422 on a 1Gb xen guest: Sep 04 18:08:44 linux systemd-journald[281]: Runtime journal (/run/log/journal/) is currently using 6.1M. Maximum allowed usage is set to 49.4M. Leaving at least 74.1M free (of currently available 487.8M of space)....
What was the command to find out...?
Sorry, should have mentioned it: systemctl status systemd-journald
Before I defined limits, it was about half a gigabyte, because of the nntp and mail logs.
On one of our typical production systems, I have mail logs of 400Mb per day.
-- Per Jessen, Zürich (24.0°C) http://www.hostsuisse.com/ - virtual servers, made in Switzerland.
On 2016-09-06 at 15:42 -0400, Michael Fischer wrote:
On Tue, Sep 06, Carlos E. R. wrote:
Have you tried to leave systemd-journal running, but with the
Storage=none
setting? (in /etc/systemd/journald.conf)
Hmm. No, but that's a thought.
$ du -sh /var/log/journal
41M /var/log/journal/69c54807c3cb473b82a49c7b7e022c37
Is not all that bad, actually. But....
Ok, just tried it, making sure that
ForwardToSyslog=yes
Storage=none
And after the ritual `systemctl daemon-reload; systemctl restart systemd-journald.service` .... `logger -p LOCAL4.INFO "test message"` goes nowhere.
So I'm either misunderstanding journald.conf(5), or the line in there which says
""" "none" turns off all storage, all log data received will be dropped. Forwarding to other targets, such as the console, the kernel log buffer or a syslog daemon will still work however. """
is lying.
No, I don't think so. It depends how syslog-ng takes the messages. If it does something similar to read the log file (and I think it does) it will see nothing.
I think it reads the files because I started syslog-ng hours after booting, and still got boot messages.
This is a pity... I don't like it. I may stay with rsyslog instead.
-- Cheers Carlos E. R. (from 13.1 x86_64 "Bottle" (Minas Tirith))
Carlos E. R. wrote:
On 2016-09-06 at 15:42 -0400, Michael Fischer wrote:
On Tue, Sep 06, Carlos E. R. wrote:
Have you tried to leave systemd-journal running, but with the
Storage=none
setting? (in /etc/systemd/journald.conf)
Hmm. No, but that's a thought.
$ du -sh /var/log/journal
41M /var/log/journal/69c54807c3cb473b82a49c7b7e022c37
Is not all that bad, actually. But....
Ok, just tried it, making sure that
ForwardToSyslog=yes
Storage=none
And after the ritual `systemctl daemon-reload; systemctl restart systemd-journald.service` .... `logger -p LOCAL4.INFO "test message"` goes nowhere.
So I'm either misunderstanding journald.conf(5), or the line in there which says
""" "none" turns off all storage, all log data received will be dropped. Forwarding to other targets, such as the console, the kernel log buffer or a syslog daemon will still work however. """
is lying.
No, I don't think so. It depends how syslog-ng takes the messages. If it does something similar to read the log file (and I think it does) it will see nothing.
I think it reads the files because I started syslog-ng hours after booting, and still got boot messages.
This is a pity... I don't like it. I may stay with rsyslog instead.
They both get their messages from the same places - /dev/log and /proc/kmsg. (that's where your kernel messages came from).
-- Per Jessen, Zürich (12.9°C) http://www.hostsuisse.com/ - virtual servers, made in Switzerland.
Michael Fischer wrote:
On Sat, Sep 03, Carlos E. R. wrote:
On 2016-09-02 20:47, Daniel Bauer wrote:
After a restart /var/log/messages was created and filled with actual and even very old data. So everything ok. Sorry.
Next step is stopping systemd keeping the journal. There are settings for this which I'll have to find out again.
Arrggghhh.
syslog-ng may "conflict" with systemd-journald, but that seems..odd.
Insofar as I've just discovered syslog-ng rather depends on a running systemd-journald in order to get any messages. I had enabled & started syslog-ng, and disabled & stopped systemd-journal. Today I notice that I have nothing except stats() in /var/log/messages. Everything else stopped at the same point where I turned off systemd-journald...
So it seems not so much either/or as "would you like us to scribble the messages in the old-fashioned way to /var/log AS WELL?"
If someone from SuSE knows definitively if this is How It Works, clarification would be welcome.
To my knowledge, you need both. I've certainly never stopped systemd-journald.
-- Per Jessen, Zürich (12.7°C) http://www.dns24.ch/ - your free DNS host, made in Switzerland.
On Sat, Sep 03, Carlos E. R. wrote:
On 2016-09-02 20:47, Daniel Bauer wrote:
After a restart /var/log/messages was created and filled with actual and even very old data. So everything ok. Sorry.
Next step is stopping systemd keeping the journal. There are settings for this which I'll have to find out again.
Arrggghhh.
syslog-ng may "conflict" with systemd-journald, but that seems..odd.
Insofar as I've just discovered syslog-ng rather depends on a running systemd-journald in order to get any messages. I had enabled & started syslog-ng, and disabled & stopped systemd-journal. Today I notice that I have nothing except stats() in /var/log/messages. Everything else stopped at the same point where I turned off systemd-journald...
So it seems not so much either/or as "would you like us to scribble the messages in the old-fashioned way to /var/log AS WELL?"
On Tuesday, 6 September 2016 14:12:31 BST Michael Fischer wrote:
If someone from SuSE knows definitively if this is How It Works, clarification would be welcome.
There used to be a config option in systemd to forward all logs to syslog/ rsyslog. You can try find that setting but they were going to deprecate the option because rsyslog/syslog extract the data from the journal themselves now.
TIA,
Michael
-- Qt: 5.6.1 KDE Frameworks: 5.25.0 kf5-config: 1.0 KDE Plasma: 5.7.4 Kwin5: 5.7.4-152.2 Kernel: 4.7.2-1-default opensuse:tumbleweed:20160901 Nouveau: 1.0.12-1.4
ianseeks wrote:
There used to be a config option in systemd to forward all logs to syslog/ rsyslog. You can try find that setting but they were going to deprecate the option because rsyslog/syslog extract the data from the journal themselves now.
Yep - that option is either gone, on by default or as you say, not needed. When you install either log-daemon, it just works.
-- Per Jessen, Zürich (15.2°C) http://www.hostsuisse.com/ - dedicated server rental in Switzerland.
ianseeks wrote:
There used to be a config option in systemd to forward all logs to syslog/ rsyslog. You can try find that setting but they were going to deprecate the option because rsyslog/syslog extract the data from the journal themselves now.
Yep - that option is either gone, on by default or as you say, not needed. When you install either log-daemon, it just works.
But the way it "just works" by default is by reading the log files, which means that there is a delay. First systemd processes the entries, writes them to file, then syslog gets them, processes them, and writes them. Not simultaneously.
If systemd has problems, syslog will also have them.
Another test will be culling the messages that systemd gets, and then checking if syslog gets them all or only the culled messages.
/etc/systemd/journald.conf
MaxLevelStore=info
-- Cheers Carlos E. R. (from 13.1 x86_64 "Bottle" (Minas Tirith))
Carlos E. R. wrote:
On 2016-09-07 at 09:42 +0200, Per Jessen wrote:
ianseeks wrote:
There used to be a config option in systemd to forward all logs to syslog/ rsyslog. You can try find that setting but they were going to deprecate the option because rsyslog/syslog extract the data from the journal themselves now.
Yep - that option is either gone, on by default or as you say, not needed. When you install either log-daemon, it just works.
But the way it "just works" by default is by reading the log files, which means that there is a delay.
I meant it just works as in "you don't need to do anything extra, it just works". Anyway, which log files Carlos? Neither syslog daemon reads any logfiles. (does systemd even write any files meant for interfacing with?) As for a delay - even if there is measurable delay, who cares? It's a log file, not an interactive tracing or debugging facility.
First systemd processes the entries, writes them to file, then syslog gets them, processes them, and writes them. Not simultaneously.
I think I am missing your point. AFAIK, by default, syslog-ng and rsyslog both communicate directly with systemd-journald. Alternatively, they can use the socket provided by systemd. (/run/systemd/journal/syslog).
If systemd has problems, syslog will also have them.
If systemd has problems, you've got bigger problems to worry about. :-)
I don't know where this thread is going - both rsyslog and syslog-ng are well-functioning syslog daemons. I personally favour syslog-ng as I find it much easier to work with.
-- Per Jessen, Zürich (19.5°C) http://www.hostsuisse.com/ - dedicated server rental in Switzerland.
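The journald.conf settings tried in the messages above (Storage=none, MaxLevelStore=info, size limits), as an added example that is not part of any post in this thread: a shell function that reads journald.conf text and flags the combinations that leave a journal-reading syslog daemon without messages or leave the journal size at its built-in limit. The finding codes and sample files are constructed for this sketch; RuntimeMaxUse= and SystemMaxUse= are journald.conf(5) options that the thread itself does not name.

```shell
#!/bin/sh
# Added example: audit journald.conf text for the settings tested in this thread.
# Finding codes (STORAGE_NONE, ...) and the sample files are constructed here.

audit_journald_conf() {
    # stdin: journald.conf text; stdout: one finding per line (empty if none).
    awk '
    /^[ \t]*$/    { next }                  # blank line
    /^[ \t]*[#;]/ { next }                  # comment line
    /^[ \t]*\[/   {                         # section header: only [Journal] counts
        in_journal = ($0 ~ /^[ \t]*\[Journal\][ \t]*$/)
        next
    }
    in_journal {
        eq = index($0, "=")
        if (eq == 0) next
        key = substr($0, 1, eq - 1)
        val = substr($0, eq + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", key)
        gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (val == "") delete conf[key]     # empty assignment resets to the default
        else conf[key] = val                # a later line overrides an earlier one
    }
    END {
        storage = ("Storage" in conf) ? tolower(conf["Storage"]) : "auto"
        if (storage == "none") {
            fwd = ("ForwardToSyslog" in conf) ? tolower(conf["ForwardToSyslog"]) : "unset"
            print "STORAGE_NONE: journal keeps nothing, a daemon that reads the journal sees no messages (ForwardToSyslog=" fwd ")"
            exit
        }
        lvl = ("MaxLevelStore" in conf) ? tolower(conf["MaxLevelStore"]) : "debug"
        if (lvl != "debug" && lvl != "7")
            print "STORE_CULLED: MaxLevelStore=" lvl ", less severe messages are not stored and never reach a journal-reading daemon"
        if ((storage == "volatile" || storage == "auto") && !("RuntimeMaxUse" in conf))
            print "NO_RUNTIME_CAP: RuntimeMaxUse unset, /run/log/journal (tmpfs) uses the built-in limit"
        if ((storage == "persistent" || storage == "auto") && !("SystemMaxUse" in conf))
            print "NO_SYSTEM_CAP: SystemMaxUse unset, /var/log/journal uses the built-in limit"
    }'
}

sample_thread_conf() {      # the combination tried in the thread
    cat <<'EOF'
[Journal]
ForwardToSyslog=yes
Storage=none
EOF
}

sample_capped_conf() {      # constructed: size capped, but storage level culled
    cat <<'EOF'
[Journal]
#Storage=auto
Storage=volatile
RuntimeMaxUse=50M
MaxLevelStore=info
EOF
}

sample_default_conf() {     # constructed: everything left commented out
    cat <<'EOF'
# stock file, no overrides
[Journal]
#Storage=auto
#RuntimeMaxUse=
EOF
}

for s in sample_thread_conf sample_capped_conf sample_default_conf; do
    echo "== $s"
    $s | audit_journald_conf
done
```

On a real host, feed it the live file: `audit_journald_conf < /etc/systemd/journald.conf`.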
On 2016-09-02 20:37, Daniel Bauer wrote:
On 02.09.2016 at 15:29, Carlos E. R. wrote:
On 2016-09-02 15:05, Carlos E. R. wrote:
Then I'll try it again in 42.2, and probably switch back to it.
I just did. I was very surprised that when I started it, it logged all messages since boot. It must have queried the systemd journal, instead of starting logging messages since the instant it starts to run.
hm. I did it, too, but probably I did something wrong: my /var/log/messages (and the other files there that were created after the install) are all 0 bytes.
Because the syslog service gets enabled, not started. Perhaps a bug? Dunno. So either reboot, or start it manually.
(For the other messages here: I am not a systems analyzer and most things in those logs are Chinese to me. But sometimes - in very rare cases - I took a look what is going on, and sometimes I found some anomalies. As much as I know, in the current binary version of the logs I first must know what I am looking for and make a query, but I never know: I just scroll thru the list and see if there's something "suspicious". A /very/ amateur approach, I know. )
You can simply do "journalctl | less -S" and you get the entire log in text form. The problem is that if the log is persistent and you use rotating disks, the operation is slow. Like half an hour.
Another problem, for me, is that even without permanent systemd journal the space used in ram and disk is very large, because some services I use are very, very talkative, filling gigabytes of text. It is not possible, AFAIK, to tell the journal to purge certain classes of messages to devnull and keep the rest. With any syslog daemon that is trivial.
-- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" (Minas Tirith))
On 09/02/2016 09:05 AM, Carlos E. R. wrote:
For some reason, rsyslog was the default on openSUSE some years back, that's the reason I have it. And it's given me problems.
If rsyslog gave you problems, what makes you think the more complex, more advanced syslog-ng won't?
-- A: Yes. > Q: Are you sure? >> A: Because it reverses the logical flow of conversation. >>> Q: Why is top posting frowned upon?
On Fri, Sep 02, Anton Aylward wrote:
On 09/02/2016 09:05 AM, Carlos E. R. wrote:
For some reason, rsyslog was the default on openSUSE some years back, that's the reason I have it. And it's given me problems.
If rsyslog gave you problems, what makes you think the more complex, more advanced syslog-ng won't?
Speaking personally, the config syntax for -ng is *far* nicer to work with, irrespective of whether I'm shooting for something "complex" or simple.
Oh, Carlos, as I just went through this exercise this morning... be prepared for huge amounts of systemd spam in /var/log/messages.
See http://www.linuxquestions.org/questions/fedora-35/systemd-log-flood-session-... as just one example I found out there. Lots of bad "just filter it" answers out there, on that and other threads, but page two of the above seems to have figured out the appropriate workaround: `sudo loginctl enable-linger root`.
Quoting the hypothesis from the above, and trying it now:
"Systemd is running a per-user systemd for root whenever a session is started, e.g. to run a cron job. Then when root’s last session is closed, the per-user systemd is killed. The spew of log messages has to do with the spawning and killing of that per-user systemd."
Michael
-- Michael Fischer michael@visv.net
On Fri, Sep 02, Michael Fischer wrote:
Oh, Carlos, as I just went through this exercise this morning... be prepared for huge amounts of systemd spam in /var/log/messages.
See http://www.linuxquestions.org/questions/fedora-35/systemd-log-flood-session-... as just one example I found out there. Lots of bad "just filter it" answers out there, on that and other threads, but page two of the above seems to have figured out the appropriate workaround: `sudo loginctl enable-linger root`.
Quoting the hypothesis from the above, and trying it now:
"Systemd is running a per-user systemd for root whenever a session is started, e.g. to run a cron job. Then when root’s last session is closed, the per-user systemd is killed. The spew of log messages has to do with the spawning and killing of that per-user systemd."
FWIW, this trick works... much less spammy /var/log/messages.
HTH.
Michael
-- Michael Fischer michael@visv.net
Michael Fischer wrote:
On Fri, Sep 02, Anton Aylward wrote:
On 09/02/2016 09:05 AM, Carlos E. R. wrote:
For some reason, rsyslog was the default on openSUSE some years back, that's the reason I have it. And it's given me problems.
If rsyslog gave you problems, what makes you think the more complex, more advanced syslog-ng won't?
Speaking personally, the config syntax for -ng is *far* nicer to work with,
I second that. That is probably my top reason for using syslog-ng.
-- Per Jessen, Zürich (26.4°C) http://www.hostsuisse.com/ - virtual servers, made in Switzerland.
On 09/02/2016 10:53 AM, Michael Fischer wrote:
On Fri, Sep 02, Anton Aylward wrote:
On 09/02/2016 09:05 AM, Carlos E. R. wrote:
For some reason, rsyslog was the default on openSUSE some years back, that's the reason I have it. And it's given me problems.
If rsyslog gave you problems, what makes you think the more complex, more advanced syslog-ng won't?
Speaking personally, the config syntax for -ng is *far* nicer to work with, irrespective of whether I'm shooting for something "complex" or simple.
Speaking as someone who is very CLI oriented and tends to edit config files by hand rather than use YAST or some other configuration management tool specific to such things, ... well, that's a consideration.
But if you're a more normal, regular user who doesn't have this obsession that Thee and Mee seem to have, the kind of people that play with awkward configuration settings just because, who does use YAST or whatever tool, then in all probability there are more KISS approaches.
Not everyone wants to operate 'close to the edge'. What? https://www.youtube.com/watch?v=51oPKLSuyQY
-- A: Yes. > Q: Are you sure? >> A: Because it reverses the logical flow of conversation. >>> Q: Why is top posting frowned upon?
Anton Aylward wrote:
On 09/02/2016 10:53 AM, Michael Fischer wrote:
On Fri, Sep 02, Anton Aylward wrote:
On 09/02/2016 09:05 AM, Carlos E. R. wrote:
For some reason, rsyslog was the default on openSUSE some years back, that's the reason I have it. And it's given me problems.
If rsyslog gave you problems, what makes you think the more complex, more advanced syslog-ng won't?
Speaking personally, the config syntax for -ng is *far* nicer to work with, irrespective of whether I'm shooting for something "complex" or simple.
Speaking as someone who is very CLI oriented and tends to edit config files by hand rather than use YAST or some other configuration management tool specific to such things, ... well, that's a consideration.
But if you're a more normal, regular user who doesn't have this obsession that Thee and Mee seem to have,
A "more normal, regular user" is hopefully quite happy with the current openSUSE default (of having no syslog daemon).
-- Per Jessen, Zürich (26.0°C) http://www.hostsuisse.com/ - virtual servers, made in Switzerland.
On 09/02/2016 09:35 AM, Per Jessen wrote:
A "more normal, regular user" is hopefully quite happy with the current openSUSE default (of having no syslog daemon).
Was going to chime in with this, but didn't want to get in the middle of a flame fest.
Daniel can have it any way he wants it. But for me, the time it would take to get it running the old way exceeds the time (and the disk space) it would take me to learn how to use journalctl.
-- After all is said and done, more is said than done.
On 09/02/2016 12:35 PM, Per Jessen wrote:
A "more normal, regular user" is hopefully quite happy with the current openSUSE default (of having no syslog daemon).
I can't argue with that! :-)
-- A: Yes. > Q: Are you sure? >> A: Because it reverses the logical flow of conversation. >>> Q: Why is top posting frowned upon?
On 2016-09-02 16:53, Michael Fischer wrote:
On Fri, Sep 02, Anton Aylward wrote:
On 09/02/2016 09:05 AM, Carlos E. R. wrote:
Oh, Carlos, as I just went through this exercise this morning... be prepared for huge amounts of systemd spam in /var/log/messages.
Yes, I see that in my 13.1. I have been writing filters for lots of them for months.
See http://www.linuxquestions.org/questions/fedora-35/systemd-log-flood-session-...
as just one example I found out there. Lots of bad "just filter it" answers
out there, on that and other threads, but page two of the above seems to have figured out the appropriate workaround: `sudo loginctl enable-linger root`.
Quoting the hypothesis from the above, and trying it now:
"Systemd is running a per-user systemd for root whenever a session is started, e.g. to run a cron job. Then when root’s last session is closed, the per-user systemd is killed. The spew of log messages has to do with the spawning and killing of that per-user systemd."
So the idea is to keep it "lingering"? Interesting trick.
-- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" (Minas Tirith))
On 2016-09-02 16:36, Anton Aylward wrote:
On 09/02/2016 09:05 AM, Carlos E. R. wrote:
For some reason, rsyslog was the default on openSUSE some years back, that's the reason I have it. And it's given me problems.
If rsyslog gave you problems, what makes you think the more complex, more advanced syslog-ng won't?
That's what I'm going to try :-)
The main problem is that rsyslog, when it finds a syntax error, does not point to the token in error, nor says the exact type of error. It just says the line, and with line continuation (\) this can be anywhere in thirty lines in my setup. I have to remove all of them and re-add one by one till I find the bad one.
Remember I said I used syslog-ng years ago. I still have backups of my files. At least this one. :-)
-- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
Anton Aylward wrote:
On 09/02/2016 09:05 AM, Carlos E. R. wrote:
For some reason, rsyslog was the default on openSUSE some years back, that's the reason I have it. And it's given me problems.
If rsyslog gave you problems, what makes you think the more complex, more advanced syslog-ng won't?
What makes you think syslog-ng is more complex, Anton? I distinctly remember a few years back when openSUSE switched to rsyslog. I tried to get rsyslog to write timestamps in the ISO8601 format. In syslog-ng it was just add "ts_format(iso)" to the main options, I don't remember if I ever worked it out in rsyslog :-)
-- Per Jessen, Zürich (26.8°C) http://www.dns24.ch/ - free dynamic DNS, made in Switzerland.
On 09/02/2016 11:37 AM, Per Jessen wrote:
Anton Aylward wrote:
On 09/02/2016 09:05 AM, Carlos E. R. wrote:
For some reason, rsyslog was the default on openSUSE some years back, that's the reason I have it. And it's given me problems.
If rsyslog gave you problems, what makes you think the more complex, more advanced syslog-ng won't?
What makes you think syslog-ng is more complex, Anton? I distinctly remember a few years back when openSUSE switched to rsyslog. I tried to get rsyslog to write timestamps in the ISO8601 format. In syslog-ng it was just add "ts_format(iso)" to the main options, I don't remember if I ever worked it out in rsyslog :-)
You've just answered the question. Other posts to this thread answer it.
The -ng can do more, is more capable
* it has better 'human oriented functions'
* it handles a more readable, understandable, less machine oriented config
* it has better error handling, for example of errors in the config
* it can do things that rsyslog couldn't
I'm not saying that a better architectural model, one more understandable and perhaps more easily maintained because of that is always less complex, but my experience is that more code and more maintenance and more time/entropy doesn't help.
I've seen some applications, for example, that were large enough in C and when recoded in C++ the number of lines dropped dramatically, but that didn't mean it was more understandable to someone meeting it for the first time. FORTH and APL have been termed 'write only languages' because they are understandable only by the author; yes anyone can write code like that but some languages lend themselves to it more so - in my opinion C++ is one.
But that's beside the point when the re-architecting adds complexity. And the simplicity of the UI is no measure of the simplicity of the code. Some of the nicest, most user-oriented GUI applications are a horrible mess of event handling spaghetti.
Yes I prefer -ng. Yes I prefer something I can manage, so long as I'm not expected to code it or maintain the code. Long gone are the days when the UNIX Guru knew all the code on the system, the kernel, the shell, ed and more. So much of Linux is one person or one team dealing with one application or subsystem. The time for generalist code-jockeys is long gone; they'd be drowned in the sheer volume.
-- A: Yes. > Q: Are you sure? >> A: Because it reverses the logical flow of conversation. >>> Q: Why is top posting frowned upon?
On 2016-09-02 17:37, Per Jessen wrote:
Anton Aylward wrote:
What makes you think syslog-ng is more complex, Anton? I distinctly remember a few years back when openSUSE switched to rsyslog. I tried to get rsyslog to write timestamps in the ISO8601 format.
$template My_SyslogProtocol23Format,"<%SYSLOGFACILITY%.%SYSLOGPRIORITY%> %TIMESTAMP:::date-pgsql% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n"
$ActionFileDefaultTemplate My_SyslogProtocol23Format
which produces:
<2.7> 2016-09-03 02:40:48 minas-tirith dovecot - - - imap(cer): Debug: Effective uid=1000, gid=100, home=/home/cer
In syslog-ng it was just add "ts_format(iso)" to the main options, I don't remember if I ever worked it out in rsyslog :-)
You can not define a custom time format in rsyslog. Its recommended format is this one, IIRC:
<46>1 2015-01-09T17:43:48.505330+01:00 minas-tirith rsyslogd - - - [origin software="rsyslogd" swVersion="7.4.7" x-pid="21971" x-info="http://www.rsyslog.com"] exiting on signal 15.
-- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" (Minas Tirith))
participants (10)
- Andrei Borzenkov
- Anton Aylward
- Carlos E. R.
- Daniel Bauer
- Darin Perusich
- ianseeks
- John Andersen
- Michael Fischer
- Per Jessen
- Richard Brown