On 12/19/2016 10:56 AM, Carlos E. R. wrote:
On 2016-12-19 16:29, Anton Aylward wrote:
On 12/18/2016 02:21 PM, Greg Freemyer wrote:
4) Syslog is only one of many log systems on local machines. Separate logs are kept for utmp/wtmp, lastlog, audit, kernel logs, firmware logs, and a multitude of application-specific log formats. This is not only unnecessarily complex, but also hides the relation between the log entries in the various subsystems.
Hmm. So if I run journald can I get rid of all those other log files?
What other log files? You mean non-syslog log files? Those other log files are not handled by journald, either. They are handled by the specific applications that create them.
In that any program can, yes, but that's not my point. My point is that journald logs so many of these things, or can.

journalctl _COMM=sshd
journalctl _COMM=login
journalctl _COMM=su
journalctl _COMM=systemd-logind

Of course most access involves PAM one way or another so just make sure you make use of pam_logind !!! If you really want to be paranoid, you can forget about the indexing that journalctl can do and simply

grep journalctl |grep login | more

Oh My! Well that soaks up quite a few of those log files: utmp/wtmp, lastlog
More and more, logs are getting to be a means of detecting intrusions, hacks. But that means correlating logs, which used to be a tedious and error-prone process. We have in journald the opportunity to see all the activity in one log file, making correlation of events much easier.
No correlation unless you have a database viewer and analysis tool.
Ah, tools! Well, for a start, journalctl does index. Then we have all the regular tools, from 'cut'/'join' of V7 UNIX vintage, on through 'awk' (see the appropriate White Book for how to convert text to database and do correlations and produce nicely formatted output), on through Perl, which was designed for doing that kind of thing. You've been around long enough, Carlos, to know and have done this sort of thing. What's this, some anti-systemd feeling?
But then, logs may be as difficult to analyze as they currently are in Windows.
This isn't Windows. <obscenity> Windows. Part of the nature of Windows is to make you buy some third party tool to do things that with UNIX/Linux can be done with a few lines of scripting.

--
A: Yes.
> Q: Are you sure?
>> A: Because it reverses the logical flow of conversation.
>>> Q: Why is top posting frowned upon?
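The thread's point is that once sshd, systemd-logind and su all land in the same journal, the correlation Carlos says needs "a database viewer" is a small script. The following is an added example by the editor, not code from the thread or from the systemd project. It consumes the one-object-per-line output of `journalctl -o json _COMM=sshd _COMM=systemd-logind _COMM=su` (the real field names `_COMM`, `_PID`, `MESSAGE` and `__REALTIME_TIMESTAMP` in microseconds), joins an sshd "Accepted" line to the logind session it opens and to any later su escalation by the same user, and flags repeated sshd failures from one source. The journal lines in `SAMPLE` are constructed for the example; the message texts follow the usual sshd/logind/su wording but are not taken from any real host, and the user-to-session join is a time-window heuristic (the journal does not carry a session id on the sshd line) rather than an exact key.

```python
#!/usr/bin/env python3
"""Correlate sshd, systemd-logind and su journal entries per user.

Added example (not from the thread). Input is `journalctl -o json`
output: one JSON object per line. The SAMPLE below is constructed.
Usage on a real host:
    journalctl -o json _COMM=sshd _COMM=systemd-logind _COMM=su | python3 correlate.py
"""
import json
import re
import sys
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample in the shape journalctl -o json emits (fields abbreviated).
SAMPLE = """\
{"_COMM":"sshd","_PID":"4101","__REALTIME_TIMESTAMP":"1482154400000000","MESSAGE":"Accepted publickey for alice from 203.0.113.5 port 51234 ssh2: ED25519 SHA256:abc"}
{"_COMM":"systemd-logind","_PID":"812","__REALTIME_TIMESTAMP":"1482154400500000","MESSAGE":"New session 42 of user alice."}
{"_COMM":"su","_PID":"4155","__REALTIME_TIMESTAMP":"1482154430000000","MESSAGE":"(to root) alice on pts/0"}
{"_COMM":"sshd","_PID":"4200","__REALTIME_TIMESTAMP":"1482154500000000","MESSAGE":"Failed password for invalid user admin from 198.51.100.7 port 40000 ssh2"}
{"_COMM":"sshd","_PID":"4201","__REALTIME_TIMESTAMP":"1482154501000000","MESSAGE":"Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2"}
{"_COMM":"systemd-logind","_PID":"812","__REALTIME_TIMESTAMP":"1482154600000000","MESSAGE":"Removed session 42."}
"""

SSHD_ACCEPT = re.compile(r"Accepted (\S+) for (\S+) from (\S+) port (\d+)")
SSHD_FAIL = re.compile(r"Failed \S+ for (?:invalid user )?(\S+) from (\S+) port")
LOGIND_NEW = re.compile(r"New session (\S+) of user (\S+)\.")
LOGIND_END = re.compile(r"Removed session (\S+)\.")
SU_TO = re.compile(r"\(to (\S+)\) (\S+) on (\S+)")


def parse_journal(text):
    """Yield (ts, comm, pid, message) from journalctl -o json lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        msg = rec["MESSAGE"]
        if isinstance(msg, list):  # journald exports non-UTF-8 payloads as byte arrays
            msg = bytes(msg).decode("utf-8", errors="replace")
        ts = datetime.fromtimestamp(int(rec["__REALTIME_TIMESTAMP"]) / 1e6, tz=timezone.utc)
        yield ts, rec.get("_COMM", ""), rec.get("_PID"), msg


def correlate(text, window_s=60, fail_threshold=2):
    """Join sshd logins to logind sessions and su escalations; flag brute forcing.

    Returns {"sessions": [...], "alerts": [...]}. Each session dict carries
    user, src, method, session (logind id), escalated_to, start, end.
    """
    events = sorted(parse_journal(text), key=lambda e: e[0])
    sessions, alerts = [], []
    open_by_user = defaultdict(list)   # user -> sessions still awaiting joins
    failures = defaultdict(list)       # source IP -> failure timestamps
    for ts, comm, _pid, msg in events:
        if comm == "sshd":
            if m := SSHD_ACCEPT.search(msg):
                s = {"user": m.group(2), "src": m.group(3), "method": m.group(1),
                     "session": None, "escalated_to": None, "start": ts, "end": None}
                sessions.append(s)
                open_by_user[s["user"]].append(s)
            elif m := SSHD_FAIL.search(msg):
                src = m.group(2)
                failures[src].append(ts)
                recent = [t for t in failures[src] if (ts - t).total_seconds() <= window_s]
                if len(recent) >= fail_threshold:
                    alerts.append(f"{ts.isoformat()} {len(recent)} failed logins from {src} within {window_s}s")
        elif comm == "systemd-logind":
            if m := LOGIND_NEW.search(msg):
                # Heuristic join: first unmatched login for that user within the window.
                for s in open_by_user[m.group(2)]:
                    if s["session"] is None and (ts - s["start"]).total_seconds() <= window_s:
                        s["session"] = m.group(1)
                        break
            elif m := LOGIND_END.search(msg):
                for s in sessions:
                    if s["session"] == m.group(1) and s["end"] is None:
                        s["end"] = ts
        elif comm == "su":
            if m := SU_TO.search(msg):
                target, user = m.group(1), m.group(2)
                for s in open_by_user[user]:
                    if s["end"] is None:
                        s["escalated_to"] = target
                        if target == "root":
                            alerts.append(f"{ts.isoformat()} {user} from {s['src']} escalated to root via su")
                        break
    return {"sessions": sessions, "alerts": alerts}


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    result = correlate(data)
    for s in result["sessions"]:
        print(f"{s['start'].isoformat()} {s['user']}@{s['src']} ({s['method']}) "
              f"logind={s['session']} su->{s['escalated_to']} end={s['end']}")
    for a in result["alerts"]:
        print("ALERT", a)
```

The same join could be done in awk or Perl over `journalctl -o short-iso` text, as the post suggests; JSON export is used here only because it hands you `_COMM` and the microsecond timestamp as separate fields instead of making you re-parse the syslog-style prefix. On a real host, widen `window_s` if logind lags sshd under load, and treat the su join as advisory: without a tty or pid key it picks the earliest open session for that user.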