Re: [systemd-devel] right way to log to rsyslog/syslog only?
On Thu, 07.08.14 14:06, Frantisek Hanzlik (fra...@hanzlici.cz) wrote: Hi, I just install Fedora 20 (with systemd 208) and want log, if possible, without journald, only to rsyslog. Why if I may ask? Trying to do that is usually more a sign of misconceptions about systemd or the journal than really technically valid. journald is not an optional component of systemd, among other things it is responsible for collecting logs during early boot/initrd and from stdout/stderr from all running services, regardless when they run. It then forwards those logs to disk (optional, but on by default), to another syslog daemon (optional, but on by default), kmsg, the console (both off by default) or wall (on for high-importance messages). syslog OTOH only runs in late boot, and thus traditionally got a much more limited view on what is happening on the systemd. By running syslog and journald in tandem you will actually get substantially more data into syslog than you got before: all the stuff from stdout/stderr plus all the early-boot stuff. The journal is hence a good thing, even if you do not intend to ever query it directly. What you can do is turn off journald's local storage. Use the Storage= setting in journald.conf for that. I have this configuration: 'systemd.log_target=syslog-or-kmsg' at kernel command line This doesn't do what you think it does. Regardless if you use syslog-or-kmsg or journal-or-kmsg, in both cases PID 1 sends it data to journald, just the transport is different, and if you use syslog you simply lose a lot of context such as line numebrs and sources files log messages are generated from. I have now removed syslog-or-kmsg from the documentation, to make this less confusing. Also, internally PID 1 will now change syslog-or-kmsg to journal-or-kmsg, thus making them entirely identical. Also note that this setting only influences PID 1, but systemd has a lot more processes. '/etc/systemd/system.conf': [Manager] LogTarget=syslog-or-kmsg This is exactly the same setting as the kernel cmdline option above, and hence redundant. DefaultStandardOutput=syslog This has not the effect you might assume. It just tells journald to forward data it receives from the daemons to syslog, but it does that anyway by default. It's hence fully equivalent to the default of journal, unless you globally turned off forwarding to syslog in journald. I have extended the man page now to explain this in more detail '/etc/systemd/user.conf': [Manager] LogTarget=syslog-or-kmsg This makes little sense, as unpriviliged processes cannot lot to kmsg. '/etc/systemd/journald.conf': [Journal] Storage=none This is the only relevant setting really. It's good that I have no /var/log/journal/* files, but - journald is still runnig (this isn't too imporatant, but when it is possible work without it, it will be better) it think you have weird definitions of goodand better - fundamental problem seems be, that some daemons logs not appear in rsyslog files, for unknown reason. Note that nowadays rsyslog doesn't even care about systemd forwarding things to syslog, but instead pulls everything out of the journal on its own. If you turn off local storage of the journal entirely, then rsyslog cannot pull anything out of the journal anymore, since that's empty. You can set Storage=volatile in which case journald will use a limited ring buffer in /run, which rsyslog then can pull the data out of. systemd/journald man pages are not clear how solve this, please can someone touch me to right direction? Yeah, we usually document how to use software, not to how to not use it... Lennart -- Lennart Poettering, Red Hat ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] right way to log to rsyslog/syslog only?
On Thu, 07.08.14 14:34, Jon Stanley (jonstan...@gmail.com) wrote: On Thu, Aug 7, 2014 at 2:06 PM, Frantisek Hanzlik fra...@hanzlici.cz wrote: It's good that I have no /var/log/journal/* files, but - journald is still runnig (this isn't too imporatant, but when it is possible work without it, it will be better) Why do you want this? As Johann very tersely replied, it's not possible for a systemd-based system not to use the journal. There is nothing that says that the journal needs to be persistent as you found (however you'll be eating up RAM with the journal if it's not backed by disk - I'm not 100% sure what happens if there is a backing store, i.e. does it still store in memory?) tmpfs is swappable memory, hence gets swapped out when not used. Note that the journal enforces size limits based on the nominal size of the tmpfs though. See man page for details. Lennart -- Lennart Poettering, Red Hat ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] right way to log to rsyslog/syslog only?
On Thu, 07.08.14 18:11, Jóhann B. Guðmundsson (johan...@gmail.com) wrote: Arguably one of journals major/only shortcoming compared to what's out there is it's lack the ability to send syslog messages over the syslog network protocol but I think it's just a matter of time until it does, since it's arguably unavoidable ( think for example containers here and I would be amazed if submitted patches would be rejected that would add that ) Networking is a worthy goal and we (especially Zbigniew) are working towards it, but I am not sure this implies using the BSD syslog protocol. BSD syslog is lossy and very weakly defined. The problems of normalization are problems I have no intention to ever deal with. If people want to forward the journal over BSD syslog/UDP, then that's totally OK, but there's rsyslog for that, that can do that just fine, so I am not sure why the journal would need that. Note that containers already have pretty nice journal integration. For example journalctl -M foobar gives you the logs of container foobar, and so on. No networking involved with that, just direct disk access. Lennart -- Lennart Poettering, Red Hat ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] right way to log to rsyslog/syslog only?
On Thu, 07.08.14 15:44, Leonid Isaev (lis...@umail.iu.edu) wrote: Hi, On Thu, Aug 07, 2014 at 06:11:39PM +, Jóhann B. Guðmundsson wrote: On 08/07/2014 04:12 PM, Leonid Isaev wrote: Perhaps understanding why you're allergic to the journal would help in figuring out solutions to the actual underlying problem. There is nothing wrong with the journald per se, but it's not a replacement for the classic syslog Yes it is. Hmm, reading my message above, I can see that it wasn't clear enough -- sorry. Perhaps an example can clarify things. Take dnsmasq which under normal operation logs _lots_ of DHCP-related messages, even on a tiny network of ~20 (crappy Android) devices. These messages fall into 2 categories: routine (log_level info -- DHCPREQUEST, DHCPACK, etc.) and security-related (log_level warn -- DNS rebind attacks e.g.). I want the former to be volatile (stored in /run/log), while the latter on-disk (in /var/log). While there are many ways to accomplish this with rsyslog/syslog-ng filters, I'd very much like to know how to do this with journald. Splitting things up based on the log level sounds like a good idea, and is in fact already on the TODO list. Happy to take patches. However, note that I really don't want a generic regexp-or-something based engine in journald. For that kind of stuff, please use rsyslog. Lennart -- Lennart Poettering, Red Hat ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
[systemd-devel] right way to log to rsyslog/syslog only?
Hi, I just install Fedora 20 (with systemd 208) and want log, if possible, without journald, only to rsyslog. I have this configuration: 'systemd.log_target=syslog-or-kmsg' at kernel command line '/etc/systemd/system.conf': [Manager] LogTarget=syslog-or-kmsg DefaultStandardOutput=syslog '/etc/systemd/user.conf': [Manager] LogTarget=syslog-or-kmsg '/etc/systemd/journald.conf': [Journal] Storage=none It's good that I have no /var/log/journal/* files, but - journald is still runnig (this isn't too imporatant, but when it is possible work without it, it will be better) - fundamental problem seems be, that some daemons logs not appear in rsyslog files, for unknown reason. systemd/journald man pages are not clear how solve this, please can someone touch me to right direction? Thanks in advance, Franta Hanzlik ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] right way to log to rsyslog/syslog only?
On 08/07/2014 12:06 PM, Frantisek Hanzlik wrote: Hi, I just install Fedora 20 (with systemd 208) and want log, if possible, without journald, only to rsyslog. It's not possible. JBG ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] right way to log to rsyslog/syslog only?
On Thu, Aug 7, 2014 at 2:06 PM, Frantisek Hanzlik fra...@hanzlici.cz wrote: It's good that I have no /var/log/journal/* files, but - journald is still runnig (this isn't too imporatant, but when it is possible work without it, it will be better) Why do you want this? As Johann very tersely replied, it's not possible for a systemd-based system not to use the journal. There is nothing that says that the journal needs to be persistent as you found (however you'll be eating up RAM with the journal if it's not backed by disk - I'm not 100% sure what happens if there is a backing store, i.e. does it still store in memory?) Perhaps understanding why you're allergic to the journal would help in figuring out solutions to the actual underlying problem. ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] right way to log to rsyslog/syslog only?
Hi, On Thu, Aug 07, 2014 at 02:06:07PM +0200, Frantisek Hanzlik wrote: '/etc/systemd/system.conf': [Manager] LogTarget=syslog-or-kmsg DefaultStandardOutput=syslog Leave 'LogTarget=' to its default value (journal-or-kmsg). It's good that I have no /var/log/journal/* files, but - journald is still runnig (this isn't too imporatant, but when it is possible work without it, it will be better) - fundamental problem seems be, that some daemons logs not appear in rsyslog files, for unknown reason. Could you be more specific about which daemons are affected? Many daemons that are started by systemd service run in foreground (don't ask me about the logic behind this). This means that all output is sent to stdout, not syslog. Journald collects this output and forwards it to syslog -- hence my recommendation above. For example, sshd(8) now runs with '-D'. Of course, some daemons might send their messages syslog even if run in foreground, but not all. A hard way to fix this is to modify service files for daemons you use to run in background and set 'Type=forking'. HTH, -- Leonid Isaev GPG fingerprints: DA92 034D B4A8 EC51 7EA6 20DF 9291 EE8A 043C B8C4 C0DF 20D0 C075 C3F1 E1BE 775A A7AE F6CB 164B 5A6D pgpW64ANKNKmh.pgp Description: PGP signature ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] right way to log to rsyslog/syslog only?
On Thu, Aug 07, 2014 at 02:34:20PM +0200, Jon Stanley wrote: I'm not 100% sure what happens if there is a backing store, i.e. does it still store in memory? No. Perhaps understanding why you're allergic to the journal would help in figuring out solutions to the actual underlying problem. There is nothing wrong with the journald per se, but it's not a replacement for the classic syslog: journald offers only log storage, while syslog is a log processing tool. This distinction is dim on a desktop, but is very apparent even on a simple server machine. Cheers, -- Leonid Isaev GPG fingerprints: DA92 034D B4A8 EC51 7EA6 20DF 9291 EE8A 043C B8C4 C0DF 20D0 C075 C3F1 E1BE 775A A7AE F6CB 164B 5A6D pgpj26XVDgpUh.pgp Description: PGP signature ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] right way to log to rsyslog/syslog only?
On 08/07/2014 04:12 PM, Leonid Isaev wrote: Perhaps understanding why you're allergic to the journal would help in figuring out solutions to the actual underlying problem. There is nothing wrong with the journald per se, but it's not a replacement for the classic syslog Yes it is. And there is a very much difference in using one of the traditional message printing APIs like syslog for logging as in doing this #include syslog.h int main(int argc, char *argv[]) { syslog(LOG_NOTICE, Hello World); return 0; } Vs using the journal's native APIs as in this. #include systemd/sd-journal.h int main(int argc, char *argv[]) { sd_journal_print(LOG_NOTICE, Hello World); return 0; } Arguably one of journals major/only shortcoming compared to what's out there is it's lack the ability to send syslog messages over the syslog network protocol but I think it's just a matter of time until it does, since it's arguably unavoidable ( think for example containers here and I would be amazed if submitted patches would be rejected that would add that ) But I guess you can hack yourself around that shortcoming by turning off persistent storage ( that is if you dont want to store logs as well on the host ) and run something like journalctl -o short -f | nc ip -u 514 -w 1 that avoids the problem having two loggers running on the same host ( like using syslog-ng or rsyslog alongside journal ) to solve that particular problem. JBG ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] right way to log to rsyslog/syslog only?
On Aug 7, 2014 9:11 PM, Jóhann B. Guðmundsson johan...@gmail.com wrote: Arguably one of journals major/only shortcoming compared to what's out there is it's lack the ability to send syslog messages over the syslog network protocol but I think it's just a matter of time until it does, since it's arguably unavoidable ( think for example containers here and I would be amazed if submitted patches would be rejected that would add that ) Yes, it has been mentioned a couple of times that dealing with the various syslog protocols is the job of a syslogd, not the journal. (That said, there already are some tools to push raw journal messages over the network...) But I guess you can hack yourself around that shortcoming by turning off persistent storage ( that is if you dont want to store logs as well on the host ) and run something like journalctl -o short -f | nc ip -u 514 -w 1 that avoids the problem having two loggers running on the same host ( like using syslog-ng or rsyslog alongside journal ) to solve that particular problem. I don't understand why running two programs that provide distinct functions is called a problem. I also don't understand why running *three* programs (journald, journalctl, netcat) that only do a halfassed job compared to rsyslog *isn't* a problem anymore... -- Mantas Mikulėnas graw...@gmail.com // sent from phone ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] right way to log to rsyslog/syslog only?
Hi, On Thu, Aug 07, 2014 at 06:11:39PM +, Jóhann B. Guðmundsson wrote: On 08/07/2014 04:12 PM, Leonid Isaev wrote: Perhaps understanding why you're allergic to the journal would help in figuring out solutions to the actual underlying problem. There is nothing wrong with the journald per se, but it's not a replacement for the classic syslog Yes it is. Hmm, reading my message above, I can see that it wasn't clear enough -- sorry. Perhaps an example can clarify things. Take dnsmasq which under normal operation logs _lots_ of DHCP-related messages, even on a tiny network of ~20 (crappy Android) devices. These messages fall into 2 categories: routine (log_level info -- DHCPREQUEST, DHCPACK, etc.) and security-related (log_level warn -- DNS rebind attacks e.g.). I want the former to be volatile (stored in /run/log), while the latter on-disk (in /var/log). While there are many ways to accomplish this with rsyslog/syslog-ng filters, I'd very much like to know how to do this with journald. Thanks, -- Leonid Isaev GPG fingerprints: DA92 034D B4A8 EC51 7EA6 20DF 9291 EE8A 043C B8C4 C0DF 20D0 C075 C3F1 E1BE 775A A7AE F6CB 164B 5A6D pgpYQhD4Lmcgr.pgp Description: PGP signature ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] right way to log to rsyslog/syslog only?
On 08/07/2014 07:44 PM, Leonid Isaev wrote: Hi, On Thu, Aug 07, 2014 at 06:11:39PM +, Jóhann B. Guðmundsson wrote: On 08/07/2014 04:12 PM, Leonid Isaev wrote: Perhaps understanding why you're allergic to the journal would help in figuring out solutions to the actual underlying problem. There is nothing wrong with the journald per se, but it's not a replacement for the classic syslog Yes it is. Hmm, reading my message above, I can see that it wasn't clear enough -- sorry. Perhaps an example can clarify things. Take dnsmasq which under normal operation logs _lots_ of DHCP-related messages, even on a tiny network of ~20 (crappy Android) devices. These messages fall into 2 categories: routine (log_level info -- DHCPREQUEST, DHCPACK, etc.) and security-related (log_level warn -- DNS rebind attacks e.g.). I want the former to be volatile (stored in /run/log), while the latter on-disk (in /var/log). While there are many ways to accomplish this with rsyslog/syslog-ng filters, Give me an actual working example how this is solved using rsyslog/syslog-ng filters JBG ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] right way to log to rsyslog/syslog only?
On 08/07/2014 07:32 PM, Mantas Mikulėnas wrote: On Aug 7, 2014 9:11 PM, Jóhann B. Guðmundsson johan...@gmail.com mailto:johan...@gmail.com wrote: Arguably one of journals major/only shortcoming compared to what's out there is it's lack the ability to send syslog messages over the syslog network protocol but I think it's just a matter of time until it does, since it's arguably unavoidable ( think for example containers here and I would be amazed if submitted patches would be rejected that would add that ) Yes, it has been mentioned a couple of times that dealing with the various syslog protocols is the job of a syslogd, not the journal. (That said, there already are some tools to push raw journal messages over the network...) Raw journals or journal only solution is not acceptable in large environment using mixed OS and or even just mixed Linux distributions and their releases ( think debian stable and centos7 for example ) so it's necessary for journal to be able to forward the logs over the syslog network protocol But I guess you can hack yourself around that shortcoming by turning off persistent storage ( that is if you dont want to store logs as well on the host ) and run something like journalctl -o short -f | nc ip -u 514 -w 1 that avoids the problem having two loggers running on the same host ( like using syslog-ng or rsyslog alongside journal ) to solve that particular problem. I don't understand why running two programs that provide distinct functions is called a problem. Host resources I also don't understand why running *three* programs (journald, journalctl, netcat) that only do a halfassed job compared to rsyslog *isn't* a problem anymore... You do realize what I proposed was a workaround right? JBG ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] right way to log to rsyslog/syslog only?
On Thu, Aug 07, 2014 at 08:01:31PM +, Jóhann B. Guðmundsson wrote: Give me an actual working example how this is solved using rsyslog/syslog-ng filters A quick (and probably dirty) way with syslog-ng: -- % grep dnsmasq /etc/syslog-ng/syslog-ng.conf destination d_dnsmasq { file(/run/log/dnsmasq.log); }; filter f_daemon { facility(daemon) and not level(debug) and not program(hostap) and not program(dnsmasq-dhcp); }; filter f_dnsmasq { program(dnsmasq-dhcp); }; log { source(src); filter(f_dnsmasq); destination(d_dnsmasq); }; -- So, dnsmasq-dhcp is the prefix (used by dnsmasq by default) for normal messages, while dnsmasq -- for everything else. Here is some statistics: -- % uptime 16:38:29 up 22 days, 22:05, 1 user, load average: 0.00, 0.01, 0.05 % wc -l /run/log/dnsmasq.log* 1212 /run/log/dnsmasq.log 972 /run/log/dnsmasq.log.1 2077 /run/log/dnsmasq.log.2 958 /run/log/dnsmasq.log.3 5219 total % head -n 2 /run/log/dnsmasq.log 2014-08-03T00:05:42.00-04:00 metal-0 dnsmasq-dhcp[460]: DHCPREQUEST(br0) 10.0.0.4 30:39:26:e3:ec:4e 2014-08-03T00:05:42.00-04:00 metal-0 dnsmasq-dhcp[460]: DHCPACK(br0) 10.0.0.4 30:39:26:e3:ec:4e android-2f74c9ab3fa43caa % for i in /var/log/daemon.log*; do echo $i; grep dnsmasq $i | wc -l; done /var/log/daemon.log 0 /var/log/daemon.log.1 1 /var/log/daemon.log.2 2 /var/log/daemon.log.3 11 /var/log/daemon.log.4 11 /var/log/daemon.log.5 0 /var/log/daemon.log.6 0 /var/log/daemon.log.7 23 /var/log/daemon.log.8 30 % grep dnsmasq /var/log/daemon.log.1 2014-08-02T15:46:05.00-04:00 metal-0 dnsmasq[460]: possible DNS-rebind attack detected: direct.stroyka.ru -- Sorry for a long reply... -- Leonid Isaev GPG fingerprints: DA92 034D B4A8 EC51 7EA6 20DF 9291 EE8A 043C B8C4 C0DF 20D0 C075 C3F1 E1BE 775A A7AE F6CB 164B 5A6D pgpAhca1Wxzhm.pgp Description: PGP signature ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] right way to log to rsyslog/syslog only?
On 08/07/2014 08:41 PM, Leonid Isaev wrote: Sorry for a long reply... No problem I needed to see how you were thinking/doing this. So basically you want to log everything to /run ( volatile ) and filter out everything above a certain log-level and store that persistent in it's own journal ( basically store the output from this journalctl -p err persistently ) Or you want to log everything to /run ( volatile ) and filter out everything above a certain log-level for a specific user,unit,command whatever and store that persistent in it's own journal. ( using your example store the output from this journalctl -p err _SYSTEMD_UNIT=dnsmasq.service persistently ) One of the Samsung guys proposed something similar to the former a while back ( and I think he signed himself up to it ) but as far as I can tell his work has not landed yet. ( afaikt requires changes to journald-server.c|||introduce something like SplitMode=priority-err |etc ). I would not expect anything like this soon since Andy NAK their SCM_PROCINFO stuff and they are probably to busy re-writing/re-implementing it as SCM_IDENTY together with him but one of the Samsung guys can comment if they had started working on or had otherwise looked into this but as things stand now this cannot be done afaikt. JBG ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] right way to log to rsyslog/syslog only?
Hi, On Thu, Aug 07, 2014 at 09:44:47PM +, Jóhann B. Guðmundsson wrote: So basically you want to log everything to /run ( volatile ) and filter out everything above a certain log-level and store that persistent in it's own journal ( basically store the output from this journalctl -p err persistently ) Or you want to log everything to /run ( volatile ) and filter out everything above a certain log-level for a specific user,unit,command whatever and store that persistent in it's own journal. ( using your example store the output from this journalctl -p err _SYSTEMD_UNIT=dnsmasq.service persistently ) My original motivation was to reduce HDD spin-ups (academic, I know). So I had to identify sources of frequent logging activity and figure out which log messages are actually valuable and which can be discarded on reboot. The same rationality applies to remote logging, e.g. only auth-level events and critical hardware telemetry should be sent to a log-server. One of the Samsung guys proposed something similar to the former a while back ( and I think he signed himself up to it ) but as far as I can tell his work has not landed yet. ( afaikt requires changes to journald-server.c|||introduce something like SplitMode=priority-err |etc ). Thanks for letting me know aboout this work, but from the above description it seems rather limited. I brought up the log-levels only as an example. In practice one needs to be able to filter using _any_ message attribute. For instance, message body (iptables traffic, output of frequently-run systemd timers -- drop the useless Start/Stop-type messages, HostAp logs) and facility (kernel/daemon/...). I would not expect anything like this soon since Andy NAK their SCM_PROCINFO stuff and they are probably to busy re-writing/re-implementing it as SCM_IDENTY together with him but one of the Samsung guys can comment if they had started working on or had otherwise looked into this but as things stand now this cannot be done afaikt. IMHO, the central technical problem (I am not going to argue about design principles) of journald is that it is an all or nothing solution. Unfortunately, this inflexibility makes it only useful as a supplimentary logger... Cheers, -- Leonid Isaev GPG fingerprints: DA92 034D B4A8 EC51 7EA6 20DF 9291 EE8A 043C B8C4 C0DF 20D0 C075 C3F1 E1BE 775A A7AE F6CB 164B 5A6D pgpGkfWoCl5FC.pgp Description: PGP signature ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] right way to log to rsyslog/syslog only?
On 08/07/2014 10:42 PM, Leonid Isaev wrote: Thanks for letting me know aboout this work, but from the above description it seems rather limited. I brought up the log-levels only as an example. In practice one needs to be able to filter using_any_ message attribute. I just used the example to reply to your own so they are equally limited in that manner see systemd.journal-fields(7) For instance, message body (iptables traffic, output of frequently-run systemd timers -- drop the useless Start/Stop-type messages, HostAp logs) and facility (kernel/daemon/...). And you have configured syslog-ng and rsyslog to do that for you and how much time did it take? I can understand the need for very powerful filter capabilities which can be used when needed and the journalctl already possesses those. In the sample you showed me how you are doing things you did so in three steps 1 configure syslog-ng 2 parse through files with log level lower then error, parse through files with error But I myself am a lazy old fat admin that has been administrating server for what 10 years now and prefer to use this journalctl -p err _SYSTEMD_UNIT=dnsmasq.service which yields the same result in one step ( for each log level ) and I dont have to worry about installing or setting up anything basically I prefer I simply asking the journal to give me the information I need when I need it. But why do you need to log all of this into their own persistent journal files, what practical problem are you hoping to solve,achieve or gain by that? JBG ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel