Frank Murphy wrote: > On Sun, 17 Nov 2013 12:37:03 +0100 > Patrick Lists <fedora-list(a)puzzled.xs4all.nl&gt; wrote: >> >> I meant the transmission of the log to another log server. Not the >> log itself. Anyway, here is Lennart Poettering's rationale behind >> journald: > > One of the things you will see after a hard reset is: > Journal corrupted, journal deleted and being restarted. > ie.. no useful info. This is perhaps most significant shortcoming. And beside it I see in log messages as: systemd-journald[295]: Failed to set ACL on /var/log/journal/70ed4dbe694041d484165719514f195e/user-1045.journal, ignoring: Invalid argument systemd-journald[2948]: Failed to write entry, ignoring: Cannot allocate memory systemd-journal[388]: Suppressed 966 messages from /system/dbus.service systemd-journal[299]: Forwarding to syslog missed 92 messages. which induce sense of journald logging futility.

2013/11/18 Suvayu Ali <fatkasuvayu+linux(a)gmail.com&gt;: > Hi Jonas, > > I have a comment, and a question. > > On Sun, Nov 17, 2013 at 03:46:55PM +0200, Joonas Sarajärvi wrote: >> The journald log format is documented at least to some extent [1], and >> there exists free software for reading the log. To me, it sounds like >> way more accessible than if it was a binary data format of a typical >> proprietary tool. For example, booting any Fedora live image should >> suffice if you need to read the journal of a system that uses journald >> and happens to become unbootable. > > I am sure you (and everyone else on the list) will agree, tools for > viewing plain text (cat, more, less, <favourite editor>) outnumber and > are available on every platform compared to any specialised tool. Even > if a format is open, it still needs tools that support it. I would not > count on having a gui when my system crashes. Sometimes the only access > you have to a crashed system is the recovery prompt. I wonder where this notion that you'd need a GUI to access the journal content came from. You do need a working journalctl, but it is not a GUI tool. Normally it outputs syslog-like output that you could feed to your favourite syslog-output-expecting log analysis tool.

> I have been very frustrated with journalctl. The manual page is very > unhelpful in that regard. For example the other day, I wanted to > investigate why my laptop shutdown suddenly (I think it was > overheating), but there was no reasonable way for me to filter the cpu > specific messages. Could you give some pointers how I can do that? I > would be very grateful. I am not sure where that message in particular would show up. My first instinct in such a situation would be to just run journalctl without arguments. If the output is not piped anywhere, journalctl opens less and puts the syslog-like output there. Now it is pretty same as if I had run less /var/log/messages in a system that uses a traditional syslog. I can for example press / to access the search function of less and search for the "cpu" string. Since a hardware related error would likely be logged by the kernel, I might invoke journalctl like this: journalctl _TRANSPORT=kernel

This would limit the things I get so that only kernel debug messages are shown. Different filter criteria you could use are described in the systemd.journal-fields man page.

Another useful parameter would be the --since parameter, e.g. like this: journalctl --since 2013-11-15 _TRANSPORT=kernel

On Mon, Nov 18, 2013 at 4:41 PM, Suvayu Ali <fatkasuvayu+linux(a)gmail.com&gt; wrote: > On Mon, Nov 18, 2013 at 03:43:57PM +0000, Tom H wrote: >> On Mon, Nov 18, 2013 at 3:14 PM, Suvayu Ali <fatkasuvayu+linux(a)gmail.com&gt; wrote: >>> >>> I have been very frustrated with journalctl. The manual page is very >>> unhelpful in that regard. For example the other day, I wanted to >>> investigate why my laptop shutdown suddenly (I think it was >>> overheating), but there was no reasonable way for me to filter the cpu >>> specific messages. Could you give some pointers how I can do that? I >>> would be very grateful. >> >> Perhaps "journalctl _KERNEL_SUBSYSTEM=<subsystem>" >> >> acpi for power? > > That does filter the output, but not the messages I was looking for. > Looking at /var/log/messages tells me the lines should be something like > this: > > kernel: [381990.959785] CPU3: Core temperature above threshold, cpu clock throttled (total events = 38) > > But I still can't find where it says shutting down. Anyway, what > subsystem is the above? Also how can I limit it to kernel messages from > all subsystems? > > Thanks for your response, You're welcome. "acpi" had been a guess! I scratched my head, read the journalctl man page, and found "-F": # journalctl -F _KERNEL_SUBSYSTEM platform scsi pnp pci pci_bus acpi

For one thing I'm in the conviction that binary logs are hazardous bullshit, for another on my two F19 machines systemd-journald occupy significant part of resources (after several days it is often 1.5 to 2.5 GB RAM and several GB on /var/log/journal/*/* filesystem). Then, how I can avoid this crap and log only to standard rsyslogd? I tried set "LogTarget=syslog-or-kmsg" in "[Manager]" section of /etc/systemd/{system.conf,user.conf}, but this not helped; setting "Storage=none" in "[Journal]" section of /etc/systemd/journald.conf is better, but I want ideally completely cut out systemd-journald from my systems. TIA, Franta Hanzlik -- users mailing list users(a)lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org

On Mon, Nov 18, 2013 at 03:43:57PM +0000, Tom H wrote: > On Mon, Nov 18, 2013 at 3:14 PM, Suvayu Ali <fatkasuvayu+linux(a)gmail.com&gt; wrote: >> >> I have been very frustrated with journalctl. The manual page is very >> unhelpful in that regard. For example the other day, I wanted to >> investigate why my laptop shutdown suddenly (I think it was >> overheating), but there was no reasonable way for me to filter the cpu >> specific messages. Could you give some pointers how I can do that? I >> would be very grateful. > > Perhaps "journalctl _KERNEL_SUBSYSTEM=<subsystem>" > > acpi for power? That does filter the output, but not the messages I was looking for. Looking at /var/log/messages tells me the lines should be something like this: kernel: [381990.959785] CPU3: Core temperature above threshold, cpu clock throttled (total events = 38) But I still can't find where it says shutting down. Anyway, what subsystem is the above? Also how can I limit it to kernel messages from all subsystems? Thanks for your response,

I have been very frustrated with journalctl. The manual page is very unhelpful in that regard. For example the other day, I wanted to investigate why my laptop shutdown suddenly (I think it was overheating), but there was no reasonable way for me to filter the cpu specific messages. Could you give some pointers how I can do that? I would be very grateful.

I agree, all systemd stuff seems very crude for me. And 'enough time' to debug or help to fix systemd monster I really not have, I even don't have time to report all bugs which happens to me. Thus I must only wish to systemd developers to finish their work to some usable state earlier than these 10 years.

On 11/17/2013 11:21 AM, Tim wrote: > Allegedly, on or about 17 November 2013, Frantisek Hanzlik sent: >> Binary logs, by contrast, may be useless when log file is damaged or I >> haven't this one unique utility for reading them. And my experiences >> with systems where binary logs are implemented says clearly that >> binary logs is bad idea. > > And if logs are in a format that you cannot read, you cannot safely > submit them to an outside server. You don't know what they contain. > Logon credentials, confidential data that you're working on, etc. IIRC that's the reason why journald supports encryption. I don't recall the link but there's a blog post somewhere (on redhat.com?) where the reasons for moving to journald were outlined. Might be worth a search if you want to know more.

On Sun, 17 Nov 2013 12:12:08 +0100 Patrick Lists <fedora-list(a)puzzled.xs4all.nl&gt; wrote: > IIRC that's the reason why journald supports encryption. It's not encrypted it's binary, similar to any compiled app or virus.

On 11/15/2013 04:46 AM, Frantisek Hanzlik wrote: > For one thing I'm in the conviction that binary logs are hazardous > bullshit, In what way might the logs be hazardous?

For one thing I'm in the conviction that binary logs are hazardous bullshit,

On 11/15/2013 02:46 AM, Frantisek Hanzlik issued this missive: > For one thing I'm in the conviction that binary logs are hazardous > bullshit, for another on my two F19 machines systemd-journald occupy > significant part of resources (after several days it is often 1.5 to > 2.5 GB RAM and several GB on /var/log/journal/*/* filesystem). > > Then, how I can avoid this crap and log only to standard rsyslogd? > > I tried set "LogTarget=syslog-or-kmsg" in "[Manager]" section of > /etc/systemd/{system.conf,user.conf}, but this not helped; setting > "Storage=none" in "[Journal]" section of /etc/systemd/journald.conf > is better, but I want ideally completely cut out systemd-journald > from my systems. Uhm, # systemctl stop systemd-journald.service # systemctl disable systemd-journald.service

For one thing I'm in the conviction that binary logs are hazardous bullshit, for another on my two F19 machines systemd-journald occupy significant part of resources (after several days it is often 1.5 to 2.5 GB RAM and several GB on /var/log/journal/*/* filesystem). Then, how I can avoid this crap and log only to standard rsyslogd? I tried set "LogTarget=syslog-or-kmsg" in "[Manager]" section of /etc/systemd/{system.conf,user.conf}, but this not helped; setting "Storage=none" in "[Journal]" section of /etc/systemd/journald.conf is better, but I want ideally completely cut out systemd-journald from my systems.

A GUI for the journal is already being developed. https://wiki.gnome.org/Apps/Logs

> And if logs are in a format that you cannot read, you cannot safely > submit them to an outside server. You don't know what they contain. > Logon credentials, confidential data that you're working on, etc.

IIRC that's the reason why journald supports encryption. I don't recall the link but there's a blog post somewhere (on redhat.com?) where the reasons for moving to journald were outlined. Might be worth a search if you want to know more.

2013/11/17 Frantisek Hanzlik <franta(a)hanzlici.cz&gt;: > Steven Stern wrote: >> On 11/15/2013 04:46 AM, Frantisek Hanzlik wrote: >>> For one thing I'm in the conviction that binary logs are hazardous >>> bullshit, >> >> In what way might the logs be hazardous? > > It was mean mainly from administrator view. When things go bad, > machine HW/SW fail or any other disasters occurs, logs are very > valuable. And I'm confident that binary logs are too weak in this > situation. Text logs are useful even if log file is damaged or ends > with fragments and can be easy readable with lot of tools. Binary > logs, by contrast, may be useless when log file is damaged or I > haven't this one unique utility for reading them. And my experiences > with systems where binary logs are implemented says clearly that > binary logs is bad idea. > Second, it is question when tight integration of systemd and logging > services has any benefits - there is number of situation (logging > over network, for example) which speaks for separate logging service. The journald log format is documented at least to some extent [1], and there exists free software for reading the log. To me, it sounds like way more accessible than if it was a binary data format of a typical proprietary tool. For example, booting any Fedora live image should suffice if you need to read the journal of a system that uses journald and happens to become unbootable. Typically journalctl will generate you a representation of the data in syslog log file format. This loses some infromation that the journal stores, because there is no way to represent it all while keeping the output syslog-like and easily human-readable. This output can be easily fed to traditional unix tools like grep, if that is your preferred way of extracting information from logs. Finally, since you can also run a normal syslog daemon which maintains a text-format logs for you, I do not really see why having some log data in journald format under /run/log/journal/ should be considered hazardous. You can pretty much just ignore it if you feel like using other kinds of tools for storing and managing logs. > And possibilities with e.g. rsyslogd are better than with journald > - why Fedora must again replace verified, reliable, Unix standard > things with some crappy solutions? For nightmares of its users? At least for my needs, the journal has been way more convenient to use than rsyslog. It is much nicer to read logs when journalctl e.g. combines the older rotated logs with the latest ones. Also, it easily allows me to easily specify that I want just the logs of this month or of just this one boot, or of just some specific service. If I was writing tools that'd automatically handle the logs, I think I would also benefit from the additional data that journal stores that is usually not available in a syslog formatted log. Having to use e.g. the journal API would of course be some burden, but I can imagine it being nicer than having to e.g. parse all the different date formats that a text-formatted log could have. Or having to handle all of the other things that may or may not be in the syslog lines, in various formats. Of course there are still bugs and the other issues in the new tools, but they certainly aren't there in order to cause nightmares. I am hopeful that the issues can be and are fixed. For my (relatively simple) setups, there aren't any major showshoppers, though. [1] http://www.freedesktop.org/wiki/Software/systemd/journal-files/ -Joonas

2013/11/17 Frantisek Hanzlik <franta(a)hanzlici.cz&gt;: > > It was mean mainly from administrator view. When things go bad, > machine HW/SW fail or any other disasters occurs, logs are very > valuable. And I'm confident that binary logs are too weak in this > situation. Text logs are useful even if log file is damaged or ends > with fragments and can be easy readable with lot of tools. Binary > logs, by contrast, may be useless when log file is damaged or I > haven't this one unique utility for reading them. And my experiences > with systems where binary logs are implemented says clearly that > binary logs is bad idea. > Second, it is question when tight integration of systemd and logging > services has any benefits - there is number of situation (logging > over network, for example) which speaks for separate logging service. The journald log format is documented at least to some extent [1], and there exists free software for reading the log. To me, it sounds like way more accessible than if it was a binary data format of a typical proprietary tool. For example, booting any Fedora live image should suffice if you need to read the journal of a system that uses journald and happens to become unbootable.

At least for my needs, the journal has been way more convenient to use than rsyslog. It is much nicer to read logs when journalctl e.g. combines the older rotated logs with the latest ones. Also, it easily allows me to easily specify that I want just the logs of this month or of just this one boot, or of just some specific service.