what just happened (time went backwards?)

Chris Murphy lists at colorremedies.com
Thu Feb 27 23:54:21 UTC 2014 

On Feb 27, 2014, at 12:28 PM, Lars E. Pettersson <lars at homer.se> wrote:

> On 02/26/14 19:23, lee wrote:
>> What is the purpose of this log duplication?  When systemd has its own
>> logs, it doesn´t seem necessary to duplicate them by sending their
>> contents to syslogd.
> 
> One could also ask why systemd duplicates the logging formerly only done by syslogd.

This has been answered many times already, it's an old argument.

> For me looking through my ASCII-based text-logs created by syslogd is far faster than using journalctl. Things that takes over 25 minutes with journalctl, only takes 66 seconds grepping the syslogd logs. (see bug 1047719, that no-one seems to care about)

Why are the logs so large? Each log file I have is either 8MB, 16MB, or maximum 24MB. So somehow yours are getting very large before they are turned over. Also do you normally search all logs for all time? Or are you searching in the most recent boot? You can use journalctl -b -1 to search the last boot, -2 the one before that. It can be done using --since with a date to encompass multiple boots yet not all boots. There is also -u to filter by unit. If you have journalctl do some filtering in advance then not so much stuff is dumped into grep to filter.


> ASCII-based logs can be read by anybody using any editor. To read the journal you need journalctl, or similar program, as the journal is binary and not readily readable.

It's fine to want plain logs but that is a subset of the amount of information the journal can only retain with binary including checksumming so the logs can be verified, and universal time/date stamping that causes journalctl to report the even in local time even if the server is not local, the list of things that can be done are unlimited. So the superset log is a necessity in any case and if the plain text rsyslog is meeting your needs then why would you bother with journalctl at all?

> 
> Another reason is that there still exist programs/daemons/etc. that rely on the logs in /var/log.
> 
> If you do not like syslogd, well F20 does not ship it anymore…

I think the repo has both rsyslog and syslog-ng.

Chris Murphy

More information about the users mailing list