Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-17 Thread Matthew Miller
On Wed, Oct 17, 2012 at 02:13:35PM +0200, Lennart Poettering wrote:
> This is implemented now, but I called it --since= and --until=. I'll
> push this into F18 as well, since it's actually a minor change only, and
> just too useful.

Thanks Lennart. This is great stuff.

-- 
Matthew Miller  ☁☁☁  Fedora Cloud Architect  ☁☁☁  
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel

Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-17 Thread Lennart Poettering
On Tue, 09.10.12 23:24, Lennart Poettering (mzerq...@0pointer.de) wrote:

> I am not generally against adding time-based rotation, but really, this
> is much less of a "necessity" than other things the journal provides,
> which syslog does not: for example per-service rate limits, and
> unfakable meta-data for log messages. I mean, really, how can we ship
> a syslog where every random user can fake messages, say they are from a
> privileged process and offer no way how to detect that?

To settle this discussion as well I've now implemented time-based
rotation for the journal as well, and this will also hit F18 soonishly.

Lennart

-- 
Lennart Poettering - Red Hat, Inc.

Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-17 Thread Lennart Poettering
On Thu, 11.10.12 01:48, Lennart Poettering (mzerq...@0pointer.de) wrote:

> On Wed, 10.10.12 16:50, Kevin Fenzi (ke...@scrye.com) wrote:
> 
> > "My laptop started acting up last Tuesday, I should see what's in the
> > logs from then"
> > 
> > "I'd like to run a daily report on my logs"
> 
> These two are much better implemented via explicit time seeks. The
> journal APIs support that just fine, journalctl currently
> doesn't. However it's trivial to add that based on the lower level APIs,
> the only thing that stopped me from doing that so far is that for that
> we'd have to come up with a nice way to parse calendar timestamps, and I
> want to be careful about that. that said the idea is to have two command
> line args to journalctl where you can pass things such as:
> 
> $ journalctl --start-time=2012-10-01
> ...
> $ journalctl --start-time=-5d
> ...
> $ journalctl --start-time=2012-01-01 --end-time=2012-05-02
> ...

A quick update:

This is implemented now, but I called it --since= and --until=. I'll
push this into F18 as well, since it's actually a minor change only, and
just too useful.

Lennart

-- 
Lennart Poettering - Red Hat, Inc.

Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-13 Thread Miloslav Trmač
On Sat, Oct 13, 2012 at 1:36 AM, Lennart Poettering
 wrote:
> On Fri, 12.10.12 15:29, Bill Nottingham (nott...@redhat.com) wrote:
>> And we've got a lot of technology going around. journald - that's
>> technology. rsyslog - that's technology. libumberlog & ceelog - that's
>> technology.
>
> This really makes me wonder where CEE actually belongs in this. Is
> anybody using this currently? What area is this supposed to cover that
> is not already covered by the journal or rsyslog? Is there really room
> for another format besides BSD syslog and journal records?

Given that the (udp AND tcp) syslog is the primary multi-platform log
transfer protocol in the UNIX world, we need to be able to take Linux
log data, including data originally generated by applications using
the journal API, and transport it using the syslog protocol. To be
really useful, the syslog representation needs not to lose data (e.g.
only including the MESSAGE field is not good enough).

So, we need a structured representation compatible with the syslog
protocol in any case, and Lumberjack/CEE provide one.  (And as soon as
there is a structured representation compatible with syslog, it is
something non-systemd platforms, like Debian or other UNIXes, can use
as well.)

"old rsyslog" (pre-Lumberjack/CEE) doesn't cover the structured
representation requirement.
journal format and protocol don't cover the syslog protocol
compatibility requirement.

>> If people want CEE format logs, or plain text logs, maybe journald should
>> grow those as output formats.
>
> To me it appears that CEE isn't widely accepted so far (heck, not even
> properly defined as multiple different vocabularies for fields are
> floating around), and I am bit unsure where it really fits in the big
> picture. I am a bit conservative in adding output formatting for CEE if
> it isn't clear that there is a need for CEE, that it's going to stick
> around for long and we actually have people using this.

The larger vision of CEE is to have a multi-platform event dictionary
and using the same event format to represent the same kind of event
(so that e.g.  and 'user log" can be identified and parsed without
knowing what specific piece of code generated it).  I'm personally not
sure how much that is achievable, or how much of the problem space it
can cover.[1].  In any case, complying with this would require either
modification of applications, or writing a CEE-specific log message
translator; it's not something we can magically get by establishing a
representation or protocol, or by only converting the structure of the
data that currently arrives in the journal without looking at the
content.

Using the Lumberjack/CEE representation natively would probably make
the application modification/translator implementation simpler (e.g.
the current proposals rely on nesting in the structure and other
syntax that is prohibited in the journal).  But as you say, these
specifications are not finalized yet.
Mirek

[1] http://carolina.mff.cuni.cz/~trmac/blog/2011/structured-logging/

Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-13 Thread Miloslav Trmač
On Fri, Oct 12, 2012 at 9:29 PM, Bill Nottingham  wrote:
> Konstantin Ryabitsev (i...@fedoraproject.org) said:
>> So, in other words, all our existing log analysis tools have to be
>> modified if they are to be of any use in Fedora 18?
>
> Right, you'll have to port them to understand CEE from updated rsyslog. HTH,
> HAND. <- note: THIS IS A JOKE.

FWIW - the current plan for Lumberjack/CEE is to keep
/var/log/{messages,secure etc} unmodified, and store the full data in
a separate file.  We can easily change this if the logging users don't
think this is the right thing to do, and users who require maximum
logging performance can obviously use a customized information - but
keeping the files and not requiring a flag day for everyone to convert
their tools immediately sounds like a good default.
Mirek

Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-12 Thread Lennart Poettering
On Fri, 12.10.12 15:29, Bill Nottingham (nott...@redhat.com) wrote:

Heya,

> And we've got a lot of technology going around. journald - that's
> technology. rsyslog - that's technology. libumberlog & ceelog - that's
> technology.

This really makes me wonder where CEE actually belongs in this. Is
anybody using this currently? What area is this supposed to cover that
is not already covered by the journal or rsyslog? Is there really room
for another format besides BSD syslog and journal records? So, what's
our story here with CEE?

> If people want CEE format logs, or plain text logs, maybe journald should
> grow those as output formats. 

To me it appears that CEE isn't widely accepted so far (heck, not even
properly defined as multiple different vocabularies for fields are
floating around), and I am bit unsure where it really fits in the big
picture. I am a bit conservative in adding output formatting for CEE if
it isn't clear that there is a need for CEE, that it's going to stick
around for long and we actually have people using this.

> Or maybe rsyslog should produce those formats.  Maybe rsyslog should
> grow a journald plugin, so instead of duplicating some of journald's
> code for associating entries with pid/exec/etc., it can read the
> already annotated journal stream and add its own metadata & spit out
> whatever formats it wants. (Maybe it already does this!)

Yes, this would certainly be useful. If rsyslog wants access to the full
data stream systemd generates then using our C APIs is a good choice, it
will get all meta data, and can process them the way they want.

> Maybe rsyslog or journald should take over audit logging in some way.

Since the audit logs contain a lot of useful data we definitely want to
acquire auditing as another input for the journal. In fact, Eric has
been working on kernel support to allow the journal to get a copy of the
audit stream without interfering with auditd.

Lennart

-- 
Lennart Poettering - Red Hat, Inc.

Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-12 Thread Bill Nottingham
Konstantin Ryabitsev (i...@fedoraproject.org) said: 
> > Not sure I can parse this, but IIUC you are wondering whether logwatch
> > is compatible with the journal. Not to my knowledge, no. But adding this
> > should be fairly easy as the output of "journalctl" is a pixel-perfect
> > copy of the original format, so where it works on /var/log/messages it
> > should simply work on the output of journalctl and all should be good.
> >
> > Note however that with the capabilities of the journal it might be
> > interesting to add journal support to logwatch that goes beyond mere
> > compatibility. For example, tests such as "look for messages which are
> > claimed to come from PID xyz but actually came from uvw" and suchlike
> > would be really interesting to have. That information is not available
> > in the /var/log/messages format however...
> 
> So, in other words, all our existing log analysis tools have to be
> modified if they are to be of any use in Fedora 18?

Right, you'll have to port them to understand CEE from updated rsyslog. HTH,
HAND. <- note: THIS IS A JOKE.

MORE SERIOUSLY

There are a lot of usage cases that people want from their logging.

1) Administrators want their plain-text logs that they know and love (or at
least know and have gotten accustomed to) that they can use their normal
unix tools and their homegrown custom shell/awk/perl/python/whatever scripts
for parsing. (For the purposes of this discussion, consider logwatch one of
those homegrown things, as it basically is that writ large.)

2) System management authors would love to have a mechanism where they can
subscribe to particular alerts as they come in, without having to subscribe
to all messages, or try and parse the unstructured text of syslog

3) Application developers might want to be able to express stuff they log in
a more structured fashion rather than just:

"(function:line) bad juju happened here in frobnitz"

4) Administrators want to be able to do things like 'show me everything sshd
did/logged about', or 'show me what happened last Thursday, because I can
never get the hang of them.'

5) Standards People want to have messages in the new CEE format, so they can
use their new CEE tools on them and merge some of their homegrown tools.

6) Meanwhile, you've got the poor audit logger over there on the side doing its
own thing, and there are users who Really Like those audit logs.

And we've got a lot of technology going around. journald - that's
technology. rsyslog - that's technology. libumberlog & ceelog - that's
technology.

What we've got to do is take the usage cases we have, and the technology we
have, and get a coherent solution that covers them. And it's certainly not
clear at this point what that solution would be.

If people want CEE format logs, or plain text logs, maybe journald should
grow those as output formats. Or maybe rsyslog should produce those formats.
Maybe rsyslog should grow a journald plugin, so instead of duplicating some
of journald's code for associating entries with pid/exec/etc., it can read
the already annotated journal stream and add its own metadata & spit out
whatever formats it wants. (Maybe it already does this!) Maybe rsyslog or
journald should take over audit logging in some way.

But the point is, there's a lot of work in this space going on on all sides
(take ceelog, libumberlog, and journald - all relatively new bits of
technology touching portions of this space). And at this point I'd say it's
way too early to say that Fedora Shall Be XYZ, or to conversely say that
Fedora Shall Not Be XYZ. A full plan for hitting all the usage cases we
might want just isn't known. (Although it would be a lot easier to get there
if y'all would stop shouting AT & PAST each other.)

So no, you don't need to change anything for Fedora 18. rsyslog is there by
default, journald is there too if you want to look at that. And until we
actually have a Plan, rather than just Technology, I'm not sure why you'd
say that Fedora will do XYZ in F-19 either.

Well, you can probably say that Fedora 19 won't ship with sysklogd by
default; that should be safe.

Bill

Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-10 Thread Kevin Fenzi
On Thu, 11 Oct 2012 01:48:07 +0200
Lennart Poettering  wrote:

> These two are much better implemented via explicit time seeks. The
> journal APIs support that just fine, journalctl currently
> doesn't. However it's trivial to add that based on the lower level
> APIs, the only thing that stopped me from doing that so far is that
> for that we'd have to come up with a nice way to parse calendar
> timestamps, and I want to be careful about that. that said the idea
> is to have two command line args to journalctl where you can pass
> things such as:
> 
> $ journalctl --start-time=2012-10-01
> ...
> $ journalctl --start-time=-5d
> ...
> $ journalctl --start-time=2012-01-01 --end-time=2012-05-02
> ...
> 
> And this would do the right things. Since the journal will coalesce
> the current journal and the rotated ones into one this will simply
> show you everything that matches.

Sounds great. 

> Of course the time expressions for this need to be powerful enough so
> that people can trivially express things like "everything from today",
> or "everything since two weeks ago" and suchlike.

Yeah, I am reminded (pardon the pun) of the 'remind' program that did
this very well. 

> > "This thing might have messed up when I last booted... uptime shows
> > 16 days"
> 
> For this we already have "journalctl -b" which only shows messages
> from the current boot. We'll probably extend that later so that you
> can pass "journalctl -b4" or so which would show you the messages
> from 4 boots earlier only.

Excellent. 

> The takeaway here is that rotation is not a feature for finding
> things. There are much better ways to find things and we should make
> them available, and we can, because the backend allows that.

Right, which is why I was trying to move to use cases over just asking
for time rotation. ;) If these use cases can be solved better ways,
that's just fine with me. 

kevin




Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-10 Thread Adam Williamson
On Wed, 2012-10-10 at 14:37 -0400, Konstantin Ryabitsev wrote:
> On Wed, Oct 10, 2012 at 2:32 PM, Lennart Poettering
>  wrote:
> >> Can journalctl send the logs via logwatch?
> >
> > Not sure I can parse this, but IIUC you are wondering whether logwatch
> > is compatible with the journal. Not to my knowledge, no. But adding this
> > should be fairly easy as the output of "journalctl" is a pixel-perfect
> > copy of the original format, so where it works on /var/log/messages it
> > should simply work on the output of journalctl and all should be good.
> >
> > Note however that with the capabilities of the journal it might be
> > interesting to add journal support to logwatch that goes beyond mere
> > compatibility. For example, tests such as "look for messages which are
> > claimed to come from PID xyz but actually came from uvw" and suchlike
> > would be really interesting to have. That information is not available
> > in the /var/log/messages format however...
> 
> So, in other words, all our existing log analysis tools have to be
> modified if they are to be of any use in Fedora 18?

The signal seems to have been lost somewhere along the path, so apart
from anything else, no, because rsyslog is still installed by default in
F18, and the systemd journal doesn't do permanent logging by default
(/var/log/journal does not exist). rsyslog is still the primary system
logging mechanism in F18 and that is not going to change (he said
meaningfully, targeting the QA orbital laser on Lennart's home address.)

There is a proposal in this thread to stop installing rsyslog by default
and enable permanent logging by journal in F19, but that's just a
proposal so far, and does not affect F18.
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | identi.ca: adamwfedora
http://www.happyassassin.net


Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-10 Thread Matthew Miller
On Thu, Oct 11, 2012 at 01:48:07AM +0200, Lennart Poettering wrote:
> > "My laptop started acting up last Tuesday, I should see what's in the
> > logs from then"
> > "I'd like to run a daily report on my logs"
> These two are much better implemented via explicit time seeks. The
> journal APIs support that just fine, journalctl currently
> doesn't. However it's trivial to add that based on the lower level APIs,
> the only thing that stopped me from doing that so far is that for that
> we'd have to come up with a nice way to parse calendar timestamps, and I
> want to be careful about that. that said the idea is to have two command
> line args to journalctl where you can pass things such as:

Not coincidentally, I filed an RFE bug for this yesterday:
https://bugzilla.redhat.com/show_bug.cgi?id=864672

> Of course the time expressions for this need to be powerful enough so
> that people can trivially express things like "everything from today",
> or "everything since two weeks ago" and suchlike.

+1 awesome.


-- 
Matthew Miller  ☁☁☁  Fedora Cloud Architect  ☁☁☁  

Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-10 Thread Lennart Poettering
On Wed, 10.10.12 16:50, Kevin Fenzi (ke...@scrye.com) wrote:

> "My laptop started acting up last Tuesday, I should see what's in the
> logs from then"
> 
> "I'd like to run a daily report on my logs"

These two are much better implemented via explicit time seeks. The
journal APIs support that just fine, journalctl currently
doesn't. However it's trivial to add that based on the lower level APIs,
the only thing that stopped me from doing that so far is that for that
we'd have to come up with a nice way to parse calendar timestamps, and I
want to be careful about that. that said the idea is to have two command
line args to journalctl where you can pass things such as:

$ journalctl --start-time=2012-10-01
...
$ journalctl --start-time=-5d
...
$ journalctl --start-time=2012-01-01 --end-time=2012-05-02
...

And this would do the right things. Since the journal will coalesce the
current journal and the rotated ones into one this will simply show you
everything that matches.

Of course the time expressions for this need to be powerful enough so
that people can trivially express things like "everything from today",
or "everything since two weeks ago" and suchlike.

> "This thing might have messed up when I last booted... uptime shows 16
> days"

For this we already have "journalctl -b" which only shows messages from
the current boot. We'll probably extend that later so that you can pass
"journalctl -b4" or so which would show you the messages from 4 boots
earlier only.

The takeaway here is that rotation is not a feature for finding
things. There are much better ways to find things and we should make
them available, and we can, because the backend allows that.

Lennart

-- 
Lennart Poettering - Red Hat, Inc.

Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-10 Thread Chris Adams
Once upon a time, Matthew Miller  said:
> On Wed, Oct 10, 2012 at 02:44:53PM -0400, Konstantin Ryabitsev wrote:
> > Well, hang on, Kay. My understanding was that we're trying to make
> > syslog an optional install in Fedora 18 (or is it 19?). If that is the
> 
> The suggestion was to propose this as a feature for F19. I think there's
> some additional basic functionality we really need in place before that
> would be ready.

One additional thing related to log analysis: I have some logs that are
owned by different groups, and analysis tools that run under user
accounts (for example CGIs scanning for certain types of errors).  How
does that work with journald?
-- 
Chris Adams 
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.

Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-10 Thread Kevin Fenzi
On Wed, 10 Oct 2012 22:02:26 +0200
Kay Sievers  wrote:

> On Wed, Oct 10, 2012 at 9:49 PM, Simo Sorce  wrote:

...snip...

> > So make it really better and support time-based rotation. You don't
> > need to make time-based rotation the default, but you'll make a lot
> > of people happy to have the option.
> 
> I really don't mind someone implementing a "maximum retention policy"
> for the journal, surely sounds useful for some setups, but I'm
> personally not really interested in implementing it.

Note there are more use cases than a "retention policy" type thing in
having time based log rotation. 

"My laptop started acting up last Tuesday, I should see what's in the
logs from then"

a) search each rotated journal file until you find last Tuesday. 
or
b) run journalctl on last Tuesday's log since it was rotated daily and
you can clearly see what one is Tuesday's. 

"I'd like to run a daily report on my logs"

a) journalctl out the journal, figure out when the last day started,
cut things before that out. 
or
b) journalctl after the daily rotate on the previous days journal. 

"This thing might have messed up when I last booted... uptime shows 16
days"

a) Figure out what journal was from 16 days ago by hunting around. 
or
b) journalctl out the one from 16 days ago

kevin



Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-10 Thread Chris Murphy

On Oct 10, 2012, at 2:54 PM, Lennart Poettering wrote:

> On Wed, 10.10.12 14:39, Chris Murphy (li...@colorremedies.com) wrote:
> 
>> How is rsyslog properly disabled?
>> 
>> sockets.target syslog.target rsyslog.service all seem related.
> 
> "systemctl disable rsyslog.service" should suffice.

I did that and now syslog.socket is angry, or at least its status is failed. 
I'm not sure if it's related, and if it's merely cosmetic.


Chris Murphy

Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-10 Thread Lennart Poettering
On Wed, 10.10.12 14:39, Chris Murphy (li...@colorremedies.com) wrote:

> 
> On Oct 10, 2012, at 2:02 PM, Kay Sievers wrote:
> 
> > Syslog is by fact today already an "add-on", and not a
> > required component, it is just installed by default today. I don't use
> > or run syslog on any of my boxes since quite a while.
> 
> How is rsyslog properly disabled?
> 
> sockets.target syslog.target rsyslog.service all seem related.

"systemctl disable rsyslog.service" should suffice.

Lennart

-- 
Lennart Poettering - Red Hat, Inc.

Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-10 Thread Lennart Poettering
On Wed, 10.10.12 22:19, Tomasz Torcz (to...@pipebreaker.pl) wrote:

> On Wed, Oct 10, 2012 at 03:49:11PM -0400, Simo Sorce wrote:
> > So make it really better and support time-based rotation. You don't need
> > to make time-based rotation the default, but you'll make a lot of people
> > happy to have the option.
> 
>   Journald will rotate logs when signalled with SIGUSR2.  So you need something
> like “systemctl kill --signal=USR2 systemd-journald.service” executed by cron
> or from .timer unit.

Note that this will not really implement something that would be useful
for data retention policy enforcement. Sending USR2 will cause journald
to rotate the files, but not delete more than necessary to fulfill the
disk space limits. To enforce data retention policy enforcement we need
to bump this logic up to delete all journal files which contain entries
older than a specific time.

Implementing this is actually not hard... happy to take patches.

Lennart

-- 
Lennart Poettering - Red Hat, Inc.

Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-10 Thread Chris Murphy

On Oct 10, 2012, at 2:02 PM, Kay Sievers wrote:

> Syslog is by fact today already an "add-on", and not a
> required component, it is just installed by default today. I don't use
> or run syslog on any of my boxes since quite a while.

How is rsyslog properly disabled?

sockets.target syslog.target rsyslog.service all seem related.


Chris Murphy


Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-10 Thread Tomasz Torcz
On Wed, Oct 10, 2012 at 03:49:11PM -0400, Simo Sorce wrote:
> So make it really better and support time-based rotation. You don't need
> to make time-based rotation the default, but you'll make a lot of people
> happy to have the option.

  Journald will rotate logs when signalled with SIGUSR2.  So you need something
like “systemctl kill --signal=USR2 systemd-journald.service” executed by cron
or from .timer unit.
  BTW, .timer units will grow calendar scheduling in future, so cron will
go after rsyslog, too.


  (Johann, I've stolen your idea ;)
-- 
Tomasz Torcz                 Morality must always be based on practicality.
xmpp: zdzich...@chrome.pl                -- Baron Vladimir Harkonnen


Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-10 Thread Konstantin Ryabitsev
On Wed, Oct 10, 2012 at 3:44 PM, Kay Sievers  wrote:
>> I think you overestimate how much a sysadmin cares about fake
>> messages. The thing that's really important to a sysadmin is to make
>> sure that none of the REAL messages are lost. If someone fakes root
>> login entries by using something as trivial as "logger", I can easily
>> establish they are fake by looking at auditd logs. And then I would
>> *really* make that user regret their actions by using blunt
>> cryptanalysis tools.
>>
>> So, it's not accurate to say that we don't currently have ways to detect that.
>
> That works only for very very few of the logged messages, and it is a
> good example how things should really not be designed or work today.

Yeah, I wasn't saying it's a stellar system, but it is well-understood
by sysadmins -- syslog messages are "discretionary logging" vs. auditd
messages, which are "compulsory syscall logging." I monitor the
former, since it's my first-line alert system for something strange
going on, but I certainly don't rely solely on syslog for forensics.

> We need one source of system log and not a bunch of daemons with all
> overlap but still have only parts of the picture, store their own
> stuff all over the place.

Well, the counter-argument is that we also don't want to put all our
proverbial eggs in one basket. I was kinda fond of not mixing
discretionary free-for-all "I-think-I-just-burped" random junk that
ends up in syslog from hard auditd data. My favourite was always
seeing syslog entries in other languages if workstation user happened
to select something other than "English" for their desktop.

> Manual matching between the different data sources can sometimes be
> used to find out what was really going on, but that's really not good
> enough today.

It is nearly always inevitable, especially in large heterogeneous
environments. I've done quite a few forensic analyses in the past and
you always have to correlate logs from multiple sources. You'll have
Apache log files, PHP error log files, database log files, FTP log
files, etc. I'm not even sure I want to put it all into journal -- and
a lot of it can't go into journal for various reasons. Apache can
either log to syslog or to a file, unless you do some horrible magic
with piping it to tee and logger.

Not saying that the situation won't be improved with journal, but it
will have less of an impact on "real" people for whom log analysis and
correlation is bread-and-butter.

> The journal daemon uses similar close-to-the-kernel properties to
> establish trust in logged messages, and in the future it is planned
> that it will also read all audit messages directly. The audit daemon
> will then mostly be a policy execution engine for (rather exotic)
> requirements like "crash the box if the message does not go to disk".

I'm not sure anyone actually cares to join the two, honestly. Ausearch
and aureport are well understood and cherished by (admittedly few)
people that know what they do.

Best,
-- 
Konstantin Ryabitsev
LinuxFoundation.org
Montréal, Québec
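
The check quoted earlier in the thread ("claimed to come from PID xyz but actually came from uvw") and the forged `logger` entry discussed in this message, as an added example that is not part of the thread and is not code from systemd or logwatch. It compares the client-supplied `SYSLOG_IDENTIFIER` and `SYSLOG_PID` fields with the `_PID`, `_UID` and `_COMM` fields journald records itself; the `WATCHED` list and the sample entries are constructed assumptions.

```python
import json

# Constructed sample in the shape of `journalctl -o json` output (one object
# per line). Fields starting with "_" are recorded by journald; the others are
# whatever the logging client chose to send.
SAMPLE = "\n".join(json.dumps(e) for e in [
    {"_TRANSPORT": "syslog", "_PID": "812", "_UID": "0", "_COMM": "sshd",
     "SYSLOG_IDENTIFIER": "sshd", "SYSLOG_PID": "812",
     "MESSAGE": "Accepted publickey for alice from 192.0.2.10 port 50022 ssh2"},
    {"_TRANSPORT": "syslog", "_PID": "4471", "_UID": "1000", "_COMM": "logger",
     "SYSLOG_IDENTIFIER": "sshd", "SYSLOG_PID": "812",
     "MESSAGE": "Accepted password for root from 192.0.2.7 port 40112 ssh2"},
    {"_TRANSPORT": "kernel", "SYSLOG_IDENTIFIER": "kernel",
     "MESSAGE": "usb 1-1: new high-speed USB device number 4"},
    {"_TRANSPORT": "journal", "_PID": "990", "_UID": "48", "_COMM": "httpd",
     "SYSLOG_IDENTIFIER": "httpd", "MESSAGE": [104, 105, 255]},
])

# Assumption: syslog tags worth protecting, mapped to the process names that
# may legitimately use them. Adjust to the daemons on the host being reviewed.
WATCHED = {"sshd": {"sshd"}, "sudo": {"sudo"}, "su": {"su"}}


def values(entry, name):
    """Return the field as a list of strings.

    The JSON export uses a plain string for normal fields, a list of strings
    when a client sent the field more than once, a list of byte values for
    non-UTF-8 data, and null for fields too large to export.
    """
    raw = entry.get(name)
    if raw is None:
        return []
    if isinstance(raw, str):
        return [raw]
    if isinstance(raw, list) and raw and all(isinstance(x, int) for x in raw):
        return [bytes(raw).decode("utf-8", "replace")]
    if isinstance(raw, list):
        return [x for x in raw if isinstance(x, str)]
    return []


def check(entry):
    """Compare what the client claimed with what journald recorded."""
    if values(entry, "_TRANSPORT") == ["kernel"]:
        return []  # kernel messages have no sending process
    trusted_pid = values(entry, "_PID")
    if not trusted_pid:
        return ["no trusted _PID: sender cannot be verified"]
    pid = trusted_pid[0]
    comm = (values(entry, "_COMM") or ["?"])[0]
    uid = (values(entry, "_UID") or ["?"])[0]
    findings = []
    for claimed in values(entry, "SYSLOG_PID"):
        if claimed != pid:
            findings.append(f"claims PID {claimed}, journald recorded PID {pid}")
    for ident in values(entry, "SYSLOG_IDENTIFIER"):
        allowed = WATCHED.get(ident)
        if allowed is not None and comm not in allowed:
            findings.append(f"claims to be {ident}, sent by {comm} (uid {uid})")
    return findings


def scan(text):
    """Return [(line_number, [finding, ...])] for every suspicious line."""
    report = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            report.append((lineno, ["unparseable line"]))
            continue
        if not isinstance(entry, dict):
            report.append((lineno, ["unparseable line"]))
            continue
        findings = check(entry)
        if findings:
            report.append((lineno, findings))
    return report


if __name__ == "__main__":
    for lineno, findings in scan(SAMPLE):
        for finding in findings:
            print(f"line {lineno}: {finding}")
```

A mismatch is a lead to correlate with audit records, not proof of forgery, since a process may log under a tag that differs from its command name.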

Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-10 Thread Kay Sievers
On Wed, Oct 10, 2012 at 9:49 PM, Simo Sorce  wrote:
> On Wed, 2012-10-10 at 21:44 +0200, Kay Sievers wrote:
>> On Wed, Oct 10, 2012 at 9:31 PM, Konstantin Ryabitsev
>>  wrote:
>> > On Tue, Oct 9, 2012 at 5:24 PM, Lennart Poettering  
>> > wrote:
>> >> I am not generally against adding time-based rotation, but really, this
>> >> is much less of a "necessity" than other things the journal provides,
>> >> which syslog does not: for example per-service rate limits, and
>> >> unfakable meta-data for log messages. I mean, really, how can we ship
>> >> a syslog where every random user can fake messages, say they are from a
>> >> privileged process and offer no way how to detect that?
>> >
>> > I think you overestimate how much a sysadmin cares about fake
>> > messages. The thing that's really important to a sysadmin is to make
>> > sure that none of the REAL messages are lost. If someone fakes root
>> > login entries by using something as trivial as "logger", I can easily
>> > establish they are fake by looking at auditd logs. And then I would
>> > *really* make that user regret their actions by using blunt
>> > cryptanalysis tools.
>> >
>> > So, it's not accurate to say that we don't currently have ways to detect 
>> > that.
>>
>> That works only for very very few of the logged messages, and it is a
>> good example how things should really not be designed or work today.
>>
>> We need one source of system log and not a bunch of daemons with all
>> overlap but still have only parts of the picture, store their own
>> stuff all over the place.
>>
>> Manual matching between the different data sources can sometimes be
>> used to find out what was really going on, but that's really not good
>> enough today.
>>
>> The journal daemon uses similar close-to-the-kernel properties to
>> establish trust in logged messages, and in the future it is planned
>> that it will also read all audit messages directly. The audit daemon
>> will then mostly be a policy execution engine for (rather exotic)
>> requirements like "crash the box if the message does not go to disk".
>
> It seems your intention is to make the journal so much better that it
> will be the preferred choice (and indeed the default).

The journal is nothing really to choose, it's a mandatory core part of
the operating system, systemd needs it itself, and it always runs.

A running syslog daemon always gets its data forwarded only from the
journal daemon. Syslog is by fact today already an "add-on", and not a
required component, it is just installed by default today. I don't use
or run syslog on any of my boxes since quite a while.

> So make it really better and support time-based rotation. You don't need
> to make time-based rotation the default, but you'll make a lot of people
> happy to have the option.

I really don't mind someone implementing a "maximum retention policy"
for the journal, surely sounds useful for some setups, but I'm
personally not really interested in implementing it.

Kay

Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-10 Thread Simo Sorce
On Wed, 2012-10-10 at 21:44 +0200, Kay Sievers wrote:
> On Wed, Oct 10, 2012 at 9:31 PM, Konstantin Ryabitsev
>  wrote:
> > On Tue, Oct 9, 2012 at 5:24 PM, Lennart Poettering  
> > wrote:
> >> I am not generally against adding time-based rotation, but really, this
> >> is much less of a "necessity" than other things the journal provides,
> >> which syslog does not: for example per-service rate limits, and
> >> unfakable meta-data for log messages. I mean, really, how can we ship
> >> a syslog where every random user can fake messages, say they are from a
> >> privileged process and offer no way how to detect that?
> >
> > I think you overestimate how much a sysadmin cares about fake
> > messages. The thing that's really important to a sysadmin is to make
> > sure that none of the REAL messages are lost. If someone fakes root
> > login entries by using something as trivial as "logger", I can easily
> > establish they are fake by looking at auditd logs. And then I would
> > *really* make that user regret their actions by using blunt
> > cryptanalysis tools.
> >
> > So, it's not accurate to say that we don't currently have ways to detect 
> > that.
> 
> That works only for very very few of the logged messages, and it is a
> good example how things should really not be designed or work today.
> 
> We need one source of system log and not a bunch of daemons with all
> overlap but still have only parts of the picture, store their own
> stuff all over the place.
> 
> Manual matching between the different data sources can sometimes be
> used to find out what was really going on, but that's really not good
> enough today.
> 
> The journal daemon uses similar close-to-the-kernel properties to
> establish trust in logged messages, and in the future it is planned
> that it will also read all audit messages directly. The audit daemon
> will then mostly be a policy execution engine for (rather exotic)
> requirements like "crash the box if the message does not go to disk".

It seems your intention is to make the journal so much better that it
will be the preferred choice (and indeed the default).

So make it really better and support time-based rotation. You don't need
to make time-based rotation the default, but you'll make a lot of people
happy to have the option.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York


Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-10 Thread Kay Sievers
On Wed, Oct 10, 2012 at 9:31 PM, Konstantin Ryabitsev
 wrote:
> On Tue, Oct 9, 2012 at 5:24 PM, Lennart Poettering  
> wrote:
>> I am not generally against adding time-based rotation, but really, this
>> is much less of a "necessity" than other things the journal provides,
>> which syslog does not: for example per-service rate limits, and
>> unfakable meta-data for log messages. I mean, really, how can we ship
>> a syslog where every random user can fake messages, say they are from a
>> privileged process and offer no way how to detect that?
>
> I think you overestimate how much a sysadmin cares about fake
> messages. The thing that's really important to a sysadmin is to make
> sure that none of the REAL messages are lost. If someone fakes root
> login entries by using something as trivial as "logger", I can easily
> establish they are fake by looking at auditd logs. And then I would
> *really* make that user regret their actions by using blunt
> cryptanalysis tools.
>
> So, it's not accurate to say that we don't currently have ways to detect that.

That works only for very very few of the logged messages, and it is a
good example how things should really not be designed or work today.

We need one source of system log and not a bunch of daemons with all
overlap but still have only parts of the picture, store their own
stuff all over the place.

Manual matching between the different data sources can sometimes be
used to find out what was really going on, but that's really not good
enough today.

The journal daemon uses similar close-to-the-kernel properties to
establish trust in logged messages, and in the future it is planned
that it will also read all audit messages directly. The audit daemon
will then mostly be a policy execution engine for (rather exotic)
requirements like "crash the box if the message does not go to disk".

Kay

Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-10 Thread Konstantin Ryabitsev
On Tue, Oct 9, 2012 at 5:24 PM, Lennart Poettering  wrote:
> I am not generally against adding time-based rotation, but really, this
> is much less of a "necessity" than other things the journal provides,
> which syslog does not: for example per-service rate limits, and
> unfakable meta-data for log messages. I mean, really, how can we ship
> a syslog where every random user can fake messages, say they are from a
> privileged process and offer no way how to detect that?

I think you overestimate how much a sysadmin cares about fake
messages. The thing that's really important to a sysadmin is to make
sure that none of the REAL messages are lost. If someone fakes root
login entries by using something as trivial as "logger", I can easily
establish they are fake by looking at auditd logs. And then I would
*really* make that user regret their actions by using blunt
cryptanalysis tools.

So, it's not accurate to say that we don't currently have ways to detect that.

Regards,
-- 
Konstantin Ryabitsev
LinuxFoundation.org
Montréal, Québec

Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-10 Thread Kay Sievers
On Wed, Oct 10, 2012 at 9:01 PM, Matthew Miller
 wrote:
> Additionally, it _would_ be cool for log monitoring and analysis tools to
> gain journald support, so that users of those tools can take advantage of
> all the features Lennart lists. If we could have some of those in place
> along with the proposed feature, that would be a win.

Along with the ability to retrieve data from the journal, tools should
probably start at the same time to support real message ids. They will
allow us reliable recognition without weird regex matches in human
readable syslog lines, allow catalogization of messages,
documentation, metadata handling, or even localization.

What we have in systemd so far is:
  http://cgit.freedesktop.org/systemd/systemd/tree/src/systemd/sd-messages.h

We also have proper identifiers for devices/hardware in the kernel
logs now. The journal reads them already and connects them to the
current udev supplied data. These identifiers should also be used to
identify a device instead of the unreliable guessing of strings in
human readable syslog messages:
  http://www.freedesktop.org/software/systemd/man/systemd.journal-fields.html

Kay

Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-10 Thread Tomas Mraz
On Wed, 2012-10-10 at 15:01 -0400, Matthew Miller wrote: 
> On Wed, Oct 10, 2012 at 02:44:53PM -0400, Konstantin Ryabitsev wrote:

> > case, then even if I require rsyslog for a package, that won't work
> > unless rsyslog is started and running. So, sysadmin's experience
> > changes:
> > Was: Install logwatch.
> > Becomes: Install logwatch. Make sure you install and enable rsyslog.
> > I just want to make sure people are aware of the change.
> 
> Well, we've got: http://fedoraproject.org/wiki/Features/PackagePresets and
> it seems like we could probably come up with a preset selection for
> non-desktop system use. I'd say "server-presets", except it goes beyond
> server, of course. But yeah, we'd need to make that easy -- a list of "now
Then call it unix-presets perhaps?

> you get to jump through these hoops because we've made things better!" won't
> make anyone happy with us.

We are just dropping another part of the UNIX API - this time the system
logs. Who cares? (I do.)

-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
  Turkish proverb


Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-10 Thread Konstantin Ryabitsev
On Wed, Oct 10, 2012 at 3:01 PM, Matthew Miller
 wrote:
> Additionally, it _would_ be cool for log monitoring and analysis tools to
> gain journald support, so that users of those tools can take advantage of
> all the features Lennart lists. If we could have some of those in place
> along with the proposed feature, that would be a win.

Hint-hint, nudge-nudge? :)

I'm not sure I can swing that, unfortunately. :( But I certainly am
interested in seeing where journal is headed, as it improves a lot of
aspects of log management that log analysis tools have to work around.

Regards,
-- 
Konstantin Ryabitsev
LinuxFoundation.org
Montréal, Québec

Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-10 Thread Matthew Miller
On Wed, Oct 10, 2012 at 02:44:53PM -0400, Konstantin Ryabitsev wrote:
> Well, hang on, Kay. My understanding was that we're trying to make
> syslog an optional install in Fedora 18 (or is it 19?). If that is the

The suggestion was to propose this as a feature for F19. I think there's
some additional basic functionality we really need in place before that
would be ready.

> case, then even if I require rsyslog for a package, that won't work
> unless rsyslog is started and running. So, sysadmin's experience
> changes:
> Was: Install logwatch.
> Becomes: Install logwatch. Make sure you install and enable rsyslog.
> I just want to make sure people are aware of the change.

Well, we've got: http://fedoraproject.org/wiki/Features/PackagePresets and
it seems like we could probably come up with a preset selection for
non-desktop system use. I'd say "server-presets", except it goes beyond
server, of course. But yeah, we'd need to make that easy -- a list of "now
you get to jump through these hoops because we've made things better!" won't
make anyone happy with us.

Additionally, it _would_ be cool for log monitoring and analysis tools to
gain journald support, so that users of those tools can take advantage of
all the features Lennart lists. If we could have some of those in place
along with the proposed feature, that would be a win.


-- 
Matthew Miller  ☁☁☁  Fedora Cloud Architect  ☁☁☁  

Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-10 Thread Kay Sievers
On Wed, Oct 10, 2012 at 8:44 PM, Konstantin Ryabitsev
 wrote:
> On Wed, Oct 10, 2012 at 2:39 PM, Kay Sievers  wrote:
>>> So, in other words, all our existing log analysis tools have to be
>>> modified if they are to be of any use in Fedora 18?
>>
>> What part of "Run the syslog daemon like you always did, if you need
>> syslog files." did you not understand?
>
> Well, hang on, Kay. My understanding was that we're trying to make
> syslog an optional install in Fedora 18 (or is it 19?).

Surely not f18, and there is not even a feature for f19 as of now.

> If that is the
> case, then even if I require rsyslog for a package, that won't work
> unless rsyslog is started and running.

Services can pull in service dependencies to start stuff they depend
on, it's unrelated to RPM dependencies.

> So, sysadmin's experience
> changes:
>
> Was: Install logwatch.
> Becomes: Install logwatch. Make sure you install and enable rsyslog.
>
> I just want to make sure people are aware of the change.

Ah, sorry that I was just unable to translate: "all our existing log
analysis tools have to be modified if they are to be of any use in
Fedora" to "just want to make sure ... you install and enable
rsyslog". :)

Kay

Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-10 Thread Konstantin Ryabitsev
On Wed, Oct 10, 2012 at 2:39 PM, Kay Sievers  wrote:
>> So, in other words, all our existing log analysis tools have to be
>> modified if they are to be of any use in Fedora 18?
>
> What part of "Run the syslog daemon like you always did, if you need
> syslog files." did you not understand?

Well, hang on, Kay. My understanding was that we're trying to make
syslog an optional install in Fedora 18 (or is it 19?). If that is the
case, then even if I require rsyslog for a package, that won't work
unless rsyslog is started and running. So, sysadmin's experience
changes:

Was: Install logwatch.
Becomes: Install logwatch. Make sure you install and enable rsyslog.

I just want to make sure people are aware of the change.

Best,
-- 
Konstantin Ryabitsev
LinuxFoundation.org
Montréal, Québec

Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-10 Thread Seth Vidal
On Wed, 10 Oct 2012, Kay Sievers wrote:

>> So, in other words, all our existing log analysis tools have to be
>> modified if they are to be of any use in Fedora 18?
>
> What part of "Run the syslog daemon like you always did, if you need
> syslog files." did you not understand?

Kay,
 This is not an acceptable tone. There is no need for this sort of sarcasm
or snark. Please amend this in the future.

-sv


Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-10 Thread Matthew Miller
On Wed, Oct 10, 2012 at 02:37:05PM -0400, Konstantin Ryabitsev wrote:
> So, in other words, all our existing log analysis tools have to be
> modified if they are to be of any use in Fedora 18?

No, not even in the slightest. I don't think that's even up for discussion.


-- 
Matthew Miller  ☁☁☁  Fedora Cloud Architect  ☁☁☁  

Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-10 Thread Kay Sievers
On Wed, Oct 10, 2012 at 8:37 PM, Konstantin Ryabitsev
 wrote:
> On Wed, Oct 10, 2012 at 2:32 PM, Lennart Poettering
>  wrote:
>>> Can journalctl send the logs via logwatch?
>>
>> Not sure I can parse this, but IIUC you are wondering whether logwatch
>> is compatible with the journal. Not to my knowledge, no. But adding this
>> should be fairly easy as the output of "journalctl" is a pixel-perfect
>> copy of the original format, so where it works on /var/log/messages it
>> should simply work on the output of journalctl and all should be good.
>>
>> Note however that with the capabilities of the journal it might be
>> interesting to add journal support to logwatch that goes beyond mere
>> compatibility. For example, tests such as "look for messages which are
>> claimed to come from PID xyz but actually came from uvw" and suchlike
>> would be really interesting to have. That information is not available
>> in the /var/log/messages format however...
>
> So, in other words, all our existing log analysis tools have to be
> modified if they are to be of any use in Fedora 18?

What part of "Run the syslog daemon like you always did, if you need
syslog files." did you not understand?

Kay

Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-10 Thread Konstantin Ryabitsev
On Wed, Oct 10, 2012 at 2:32 PM, Lennart Poettering
 wrote:
>> Can journalctl send the logs via logwatch?
>
> Not sure I can parse this, but IIUC you are wondering whether logwatch
> is compatible with the journal. Not to my knowledge, no. But adding this
> should be fairly easy as the output of "journalctl" is a pixel-perfect
> copy of the original format, so where it works on /var/log/messages it
> should simply work on the output of journalctl and all should be good.
>
> Note however that with the capabilities of the journal it might be
> interesting to add journal support to logwatch that goes beyond mere
> compatibility. For example, tests such as "look for messages which are
> claimed to come from PID xyz but actually came from uvw" and suchlike
> would be really interesting to have. That information is not available
> in the /var/log/messages format however...

So, in other words, all our existing log analysis tools have to be
modified if they are to be of any use in Fedora 18?

Best,
-- 
Konstantin Ryabitsev
LinuxFoundation.org
Montréal, Québec

Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-10 Thread Lennart Poettering
On Wed, 10.10.12 10:12, Richard W.M. Jones (rjo...@redhat.com) wrote:

> On Wed, Oct 10, 2012 at 09:54:28AM +0100, Richard W.M. Jones wrote:
> > On Wed, Oct 10, 2012 at 09:50:43AM +0200, Björn Persson wrote:
> > > Lennart Poettering wrote:
> > > > On Tue, 09.10.12 09:09, Chris Adams (cmad...@hiwaay.net) wrote:
> > > > > How do you read this log when the system is not running (e.g.
> > > > > mounting filesystems of a drive on another system, running from a
> > > > > rescue image, etc.)?
> > > > 
> > > > journalctl -D 
> > > 
> > > So the rescue system (which might not always be Fedora) must have 
> > > journalctl installed. Is the file format stable, or can it break if the 
> > > rescue system has a different version of journalctl? Is the format 
> > > perchance even documented so that other tools for reading logs could be 
> > > written?
> > 
> > This would be essential for libguestfs tools to parse logs out of
> > guests (we do it now by reading /var/log/messages etc which has all of
> > the properties you state).
> 
> I checked out the code, and it does seem as if the format is intended
> to be backwards compatible.  It uses a set of filesystem-like
> "compatible" and "incompatible" flags, so presumably a sufficiently
> recent journalctl would be able to read any previous version of the
> binary file format.
> 
> It would be nice to have this confirmed, and indeed enshrined in the
> policy of the journal, because it is IMHO essential that the binary
> log files will always be readable.

Yes, the compatible and incompatible flag bit fields are precisely to
provide good compatibility as the format evolves.

Lennart

-- 
Lennart Poettering - Red Hat, Inc.
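
The compatible/incompatible flag check discussed in this message, as an added example that is not part of the original post and not systemd's own code: it reads the first bytes of a journal file copied from a rescued disk and decides whether a given reader may open it. The header layout and state values follow the published journal file format; the two "known" feature bits and all function names are assumptions of this sketch.

```python
import struct

SIGNATURE = b"LPKSHHRH"
# First 24 bytes of the file header: signature[8], le32 compatible_flags,
# le32 incompatible_flags, u8 state, 7 reserved bytes.
HEADER_PREFIX = struct.Struct("<8sIIB7x")
STATES = {0: "offline", 1: "online", 2: "archived"}

# Assumption: the feature bits this (hypothetical) reader implements.
KNOWN_COMPATIBLE = {0x1: "sealed"}
KNOWN_INCOMPATIBLE = {0x1: "compressed"}


def _split(flags, known):
    """Return (names of known bits that are set, mask of unknown bits that are set)."""
    mask = 0
    for bit in known:
        mask |= bit
    names = sorted(name for bit, name in known.items() if flags & bit)
    return names, flags & ~mask


def inspect_header(blob):
    """Decide from the header alone whether this reader may open the file."""
    if len(blob) < HEADER_PREFIX.size:
        raise ValueError("truncated journal header")
    signature, compat, incompat, state = HEADER_PREFIX.unpack_from(blob)
    if signature != SIGNATURE:
        raise ValueError("not a journal file (bad signature)")

    compat_names, compat_unknown = _split(compat, KNOWN_COMPATIBLE)
    incompat_names, incompat_unknown = _split(incompat, KNOWN_INCOMPATIBLE)
    return {
        # "online" on a disk that is not mounted by a running system means
        # the writer never closed the file cleanly.
        "state": STATES.get(state, f"unknown({state})"),
        "features": compat_names + incompat_names,
        # An unknown incompatible bit changes the on-disk layout: do not read.
        "can_read": incompat_unknown == 0,
        # An unknown compatible bit is safe to read past, but not to write.
        "can_write": incompat_unknown == 0 and compat_unknown == 0,
        "unknown_compatible": compat_unknown,
        "unknown_incompatible": incompat_unknown,
    }


def sample_header(compat=0, incompat=0, state=0):
    """Constructed header prefix for the demonstration (not a full journal file)."""
    return HEADER_PREFIX.pack(SIGNATURE, compat, incompat, state)


if __name__ == "__main__":
    for args in [(1, 1, 2), (0, 0x8, 0), (0x2, 0, 1)]:
        print(args, inspect_header(sample_header(*args)))
```

For forensic work the file should be opened read-only from a copy, so the `can_write` result matters mainly as a signal that the evidence was produced by a newer writer than the analysis host.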

Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-10 Thread Lennart Poettering
On Wed, 10.10.12 09:54, Richard W.M. Jones (rjo...@redhat.com) wrote:

> On Wed, Oct 10, 2012 at 09:50:43AM +0200, Björn Persson wrote:
> > Lennart Poettering wrote:
> > > On Tue, 09.10.12 09:09, Chris Adams (cmad...@hiwaay.net) wrote:
> > > > How do you read this log when the system is not running (e.g.
> > > > mounting filesystems of a drive on another system, running from a
> > > > rescue image, etc.)?
> > > 
> > > journalctl -D 
> > 
> > So the rescue system (which might not always be Fedora) must have 
> > journalctl installed. Is the file format stable, or can it break if the 
> > rescue system has a different version of journalctl? Is the format 
> > perchance even documented so that other tools for reading logs could be 
> > written?
> 
> This would be essential for libguestfs tools to parse logs out of
> guests (we do it now by reading /var/log/messages etc which has all of
> the properties you state).

I'd recommend simply using our C API for this. For details see:

http://www.freedesktop.org/software/systemd/man/

Look for the various APIs with the sd_journal_ prefix. With those you
get full access to the journal. Here you find an example how to do this:

http://www.freedesktop.org/software/systemd/man/sd_journal_next.html

Lennart

-- 
Lennart Poettering - Red Hat, Inc.

Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-10 Thread Lennart Poettering
On Wed, 10.10.12 08:54, Frank Murphy (frankl...@gmail.com) wrote:

> On 09/10/12 15:16, Lennart Poettering wrote:
> 
> >journalctl -D 
> >
> >Lennart
> >
> 
> Can journalctl send the logs via logwatch?

Not sure I can parse this, but IIUC you are wondering whether logwatch
is compatible with the journal. Not to my knowledge, no. But adding this
should be fairly easy as the output of "journalctl" is a pixel-perfect
copy of the original format, so where it works on /var/log/messages it
should simply work on the output of journalctl and all should be good.

Note however that with the capabilities of the journal it might be
interesting to add journal support to logwatch that goes beyond mere
compatibility. For example, tests such as "look for messages which are
claimed to come from PID xyz but actually came from uvw" and suchlike
would be really interesting to have. That information is not available
in the /var/log/messages format however...

Lennart

-- 
Lennart Poettering - Red Hat, Inc.
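
The "claimed to come from PID xyz but actually came from uvw" test suggested above, as an added example that is not part of the original post or of logwatch: it compares the client-supplied `SYSLOG_PID` and `SYSLOG_IDENTIFIER` with the journald-attached `_PID`, `_COMM` and `_UID` in `journalctl -o json` output. The sample entries are constructed, and the `EXPECTED_SENDER` policy and function names are assumptions.

```python
import json

# Constructed sample shaped like `journalctl -o json` output (one object per line).
# Fields starting with "_" are attached by journald itself; the rest come from
# the logging client and can say anything.
SAMPLE = "\n".join(json.dumps(e) for e in [
    {"_PID": "812", "_UID": "0", "_COMM": "sshd", "_TRANSPORT": "syslog",
     "SYSLOG_IDENTIFIER": "sshd", "SYSLOG_PID": "812",
     "MESSAGE": "Accepted publickey for root from 192.0.2.10 port 50022 ssh2"},
    {"_PID": "4410", "_UID": "1000", "_COMM": "logger", "_TRANSPORT": "syslog",
     "SYSLOG_IDENTIFIER": "sshd", "SYSLOG_PID": "812",
     "MESSAGE": "Accepted password for root from 192.0.2.66 port 40100 ssh2"},
    {"_PID": "2301", "_UID": "1000", "_COMM": "backup.sh", "_TRANSPORT": "syslog",
     "SYSLOG_IDENTIFIER": "backup", "MESSAGE": "nightly run finished"},
])

# Assumption (site policy, not something journald defines): identifiers that
# should only ever be logged by this executable name running as this UID.
EXPECTED_SENDER = {"sshd": {"comm": "sshd", "uid": "0"}}


def scalar(value):
    """Normalise a journalctl JSON value to str (or None).

    Values are normally strings; a field that occurs several times is a list,
    and data that is not valid UTF-8 is a list of byte values.
    """
    if isinstance(value, list):
        if value and all(isinstance(b, int) for b in value):
            return bytes(value).decode("utf-8", "replace")
        return scalar(value[0]) if value else None
    return None if value is None else str(value)


def audit_entry(entry):
    """List the ways the claimed identity disagrees with the trusted fields."""
    reasons = []
    real_pid = scalar(entry.get("_PID"))
    claimed_pid = scalar(entry.get("SYSLOG_PID"))
    ident = scalar(entry.get("SYSLOG_IDENTIFIER"))

    if claimed_pid is not None:
        if real_pid is None:
            reasons.append(f"claims PID {claimed_pid} but has no trusted _PID")
        elif claimed_pid != real_pid:
            reasons.append(f"claims PID {claimed_pid} but was sent by PID {real_pid}")

    policy = EXPECTED_SENDER.get(ident)
    if policy:
        comm, uid = scalar(entry.get("_COMM")), scalar(entry.get("_UID"))
        if comm != policy["comm"]:
            reasons.append(f"identifier {ident} but sending executable is {comm}")
        if uid != policy["uid"]:
            reasons.append(f"identifier {ident} but sender UID is {uid}")
    return reasons


def find_suspect_entries(text):
    """Return [(line number, [reasons])] for every entry worth a second look."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            reasons = audit_entry(json.loads(line))
        except ValueError:
            reasons = ["unparseable line"]
        if reasons:
            findings.append((lineno, reasons))
    return findings


if __name__ == "__main__":
    for lineno, reasons in find_suspect_entries(SAMPLE):
        print(f"entry {lineno}: " + "; ".join(reasons))
```

A PID mismatch alone is a triage signal rather than proof of forgery, since helper programs can legitimately log on behalf of another process; the identifier policy is what narrows it to entries that imitate a specific daemon.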

Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-10 Thread Seth Vidal
On Wed, 10 Oct 2012, Lennart Poettering wrote:

> On Wed, 10.10.12 14:16, Seth Vidal (skvi...@fedoraproject.org) wrote:
>
>>> On Tue, 09.10.12 22:30, Simo Sorce (s...@redhat.com) wrote:
>>>
>>>>>> logrotate has time based policies for very good reasons.
>>>>>
>>>>> Yeah, because Unix doesn't really allow much else...
>>>>
>>>> Oh come on, stop bashing unix, logrotate could certainly grow a size
>>>> checking policy if people felt the need, unix is not holding you back,
>>>> in fact you are building this stuff on a unix-like system.
>>>
>>> Ah, Unix cron can start things based on disk space changes? Interesting,
>>> I wasn't aware of that. I thought it only could start logrotate by time,
>>> not by disk space changes...
>>
>> yum info incron
>>
>> Description : This program is an "inotify cron" system.
>> : It consists of a daemon and a table manipulator.
>> : You can use it a similar way as the regular cron.
>> : The difference is that the inotify cron handles
>> : filesystem events rather than time periods.
>
> And rsyslog pulls that in? I wasn't aware of that. I am learning new
> stuff every day...

I never said anything like that.

I said it existed.

Please stop adding words where they are not.

-sv


Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-10 Thread Lennart Poettering
On Wed, 10.10.12 14:16, Seth Vidal (skvi...@fedoraproject.org) wrote:

> >On Tue, 09.10.12 22:30, Simo Sorce (s...@redhat.com) wrote:
> >
> >>>>logrotate has time based policies for very good reasons.
> >>>
> >>>Yeah, because Unix doesn't really allow much else...
> >>>
> >>Oh come on, stop bashing unix, logrotate could certainly grow a size
> >>checking policy if people felt the need, unix is not holding you back,
> >>in fact you are building this stuff on a unix-like system.
> >
> >Ah, Unix cron can start things based on disk space changes? Interesting,
> >I wasn't aware of that. I thought it only could start logrotate by time,
> >not by disk space changes...
> 
> yum info incron
> 
> Description : This program is an "inotify cron" system.
> : It consists of a daemon and a table manipulator.
> : You can use it a similar way as the regular cron.
> : The difference is that the inotify cron handles
> : filesystem events rather than time periods.

And rsyslog pulls that in? I wasn't aware of that. I am learning new
stuff every day...

Lennart

-- 
Lennart Poettering - Red Hat, Inc.

Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-10 Thread Lennart Poettering
On Wed, 10.10.12 17:05, Miloslav Trmač (m...@volny.cz) wrote:

> On Tue, Oct 9, 2012 at 11:24 PM, Lennart Poettering
>  wrote:
> > I am not generally against adding time-based rotation, but really, this
> > is much less of a "necessity" than other things the journal provides,
> > which syslog does not: for example per-service rate limits,
> 
> False.  http://www.rsyslog.com/doc/imuxsock.html, "There is input rate
> limiting available", currently enabled by default in Fedora.

I know, I asked Rainer to add that.

But this is actually much less useful than what the journal does: it's
per-pid, not per-service.

> > and
> > unfakable meta-data for log messages.
> 
> False: http://www.rsyslog.com/doc/imuxsock.html, "trusted syslog
> properties are available" (and in v7 they can be enabled in the Fedora
> configuration by default)

Yes, I know, I asked Rainer to add that. But it's not on, and there's no
accepted syntax for syslog messages to carry this, and it's pretty
incomplete. No selinux labels, no audit, and no service information.

> For the cryptographic protection, false.
> http://cgit.freedesktop.org/systemd/systemd/tree/man/journalctl.xml#n358
> defaults to 15 minutes, which is an eternity.

This is not what I talked of. I simply was pointing to the fact that
messages end up in /var/log/messages that cannot be traced back to who
actually sent them.

Lennart

-- 
Lennart Poettering - Red Hat, Inc.

Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-10 Thread Seth Vidal
On Wed, 10 Oct 2012, Lennart Poettering wrote:

> On Tue, 09.10.12 22:30, Simo Sorce (s...@redhat.com) wrote:
>
>>>> logrotate has time based policies for very good reasons.
>>>
>>> Yeah, because Unix doesn't really allow much else...
>>
>> Oh come on, stop bashing unix, logrotate could certainly grow a size
>> checking policy if people felt the need, unix is not holding you back,
>> in fact you are building this stuff on a unix-like system.
>
> Ah, Unix cron can start things based on disk space changes? Interesting,
> I wasn't aware of that. I thought it only could start logrotate by time,
> not by disk space changes...

yum info incron

Description : This program is an "inotify cron" system.
: It consists of a daemon and a table manipulator.
: You can use it a similar way as the regular cron.
: The difference is that the inotify cron handles
: filesystem events rather than time periods.

-sv


Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-10 Thread Lennart Poettering
On Tue, 09.10.12 22:30, Simo Sorce (s...@redhat.com) wrote:

> > > logrotate has time based policies for very good reasons.
> > 
> > Yeah, because Unix doesn't really allow much else...
> > 
> Oh come on, stop bashing unix, logrotate could certainly grow a size
> checking policy if people felt the need, unix is not holding you back,
> in fact you are building this stuff on a unix-like system.

Ah, Unix cron can start things based on disk space changes? Interesting,
I wasn't aware of that. I thought it only could start logrotate by time,
not by disk space changes...

Lennart

-- 
Lennart Poettering - Red Hat, Inc.

Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-10 Thread Miloslav Trmač
On Wed, Oct 10, 2012 at 6:13 PM, Kay Sievers  wrote:
>>> and
>>> unfakable meta-data for log messages.
>>
>> False: http://www.rsyslog.com/doc/imuxsock.html, "trusted syslog
>> properties are available" (and in v7 they can be enabled in the Fedora
>> configuration by default)
>
> It's well meant, but really, it sounds more like a joke. Adding
> "garbage" to the end of the human readable plain text is not
> comparable with the journal.

That's where the v7 reference comes in - stored as a Lumberjack field.
Mirek

Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-10 Thread Kay Sievers
On Wed, Oct 10, 2012 at 5:05 PM, Miloslav Trmač  wrote:
> On Tue, Oct 9, 2012 at 11:24 PM, Lennart Poettering  
> wrote:

>> which syslog does not: for example per-service rate limits,
>
> False.  http://www.rsyslog.com/doc/imuxsock.html, "There is input rate
> limiting available", currently enabled by default in Fedora.

Insufficient in rsyslog. And it's right what Lennart said. This really
needs to be per service/user not per pid. Pids are almost entirely
useless to key-off here.

>> and
>> unfakable meta-data for log messages.
>
> False: http://www.rsyslog.com/doc/imuxsock.html, "trusted syslog
> properties are available" (and in v7 they can be enabled in the Fedora
> configuration by default)

It's well meant, but really, it sounds more like a joke. Adding
"garbage" to the end of the human readable plain text is not
comparable with the journal.

> On Wed, Oct 10, 2012 at 12:08 AM, Lennart Poettering
>  wrote:
>> I am not a security guy, but having
>> logs where unprivileged users cannot insert undetectable fakes
> (Re: the implied claim that systemd provides that):

It surely does provide it. Rsyslog can do something similar, but
really, with pushing stuff into plain text files, mixing it into the
human readable message it can't really get too far without creating a
mess in the files.

> For the "unprivileged user" part, see above.
>
> For the cryptographic protection, false.

It's not about tamper-proof log files, it was about unfakeable message
source context.

> http://cgit.freedesktop.org/systemd/systemd/tree/man/journalctl.xml#n358
> defaults to 15 minutes, which is an eternity.

The sealing was not even mentioned, but it's still better than
nothing. And 15 min are the current default, and this will change as
soon as the details are hashed out to efficiently move the sealing
forward in time.

> [1] An adjective belongs here.  I can think of about 10 candidates,
> but I feel too ill and grumpy to trust myself to choose well.

I'm sure you should wait until you are back to full speed. Your
comparison seems pretty badly researched. :)

Thanks,
Kay
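
The distinction drawn in the message above, between text a sender supplies and source context the journal records itself, can be checked mechanically. The following is an added example, not code from this thread or from systemd: it reads entries in the one-object-per-line JSON form that `journalctl -o json` emits and flags those whose sender-supplied SYSLOG_IDENTIFIER or SYSLOG_PID disagrees with the journald-set underscore fields (_UID, _COMM, _PID). The sample entries, the EXPECTED policy and the daemon name backup-coordinatord are constructed for illustration.

```python
import json

COMM_MAX = 15  # the kernel truncates a task's comm name to 15 bytes

# Hypothetical policy for this example: what the trusted (underscore) fields
# must say when an entry claims one of these identities.
EXPECTED = {
    "sshd": {"_UID": "0", "_COMM": "sshd"},
    "backup-coordinatord": {"_UID": "0", "_COMM": "backup-coordinatord"},
}

# Constructed sample input, one JSON object per line.
SAMPLE_LINES = [
    # 1: genuine sshd message
    '{"_TRANSPORT":"syslog","_PID":"812","_UID":"0","_COMM":"sshd",'
    '"SYSLOG_IDENTIFIER":"sshd","SYSLOG_PID":"812",'
    '"MESSAGE":"Accepted publickey for alice from 192.0.2.10"}',
    # 2: unprivileged user writing a message tagged as sshd
    '{"_TRANSPORT":"syslog","_PID":"4242","_UID":"1000","_COMM":"logger",'
    '"SYSLOG_IDENTIFIER":"sshd","SYSLOG_PID":"812",'
    '"MESSAGE":"Accepted password for root from 203.0.113.7"}',
    # 3: kernel message, which has no sending process
    '{"_TRANSPORT":"kernel","SYSLOG_IDENTIFIER":"kernel",'
    '"MESSAGE":"usb 1-1: new high-speed USB device"}',
    # 4: daemon whose name is longer than the comm limit
    '{"_TRANSPORT":"syslog","_PID":"950","_UID":"0","_COMM":"backup-coordina",'
    '"SYSLOG_IDENTIFIER":"backup-coordinatord","SYSLOG_PID":"950",'
    '"MESSAGE":"nightly run complete"}',
    # 5: message that is not valid UTF-8, serialised as a byte array
    '{"_TRANSPORT":"stdout","_PID":"1300","_UID":"48","_COMM":"httpd",'
    '"SYSLOG_IDENTIFIER":"httpd","MESSAGE":[99,97,102,195,40]}',
    # 6: truncated line, e.g. from an interrupted download
    '{"_TRANSPORT":"syslog","_PID":"77"',
]


def text(value):
    """Journal JSON values are strings, byte arrays (non-UTF-8 data) or null."""
    if value is None:
        return ""
    if isinstance(value, list):
        return bytes(value).decode("utf-8", "replace")
    return str(value)


def check_entry(entry):
    """Return the reasons an entry's claimed identity is not backed by trusted fields."""
    reasons = []
    # _TRANSPORT is set by journald, so a sender cannot claim to be the kernel.
    if entry.get("_TRANSPORT") == "kernel":
        return reasons
    ident = text(entry.get("SYSLOG_IDENTIFIER"))
    for field, want in EXPECTED.get(ident, {}).items():
        if field == "_COMM":
            want = want[:COMM_MAX]
        got = text(entry.get(field))
        if got != want:
            reasons.append(f"claims {ident} but {field}={got!r}, expected {want!r}")
    claimed, real = text(entry.get("SYSLOG_PID")), text(entry.get("_PID"))
    if claimed and real and claimed != real:
        reasons.append(f"SYSLOG_PID {claimed} differs from _PID {real}")
    return reasons


def scan(lines):
    """Check every line; report suspicious entries and lines that do not parse."""
    findings = []
    for number, line in enumerate(lines, 1):
        if not line.strip():
            continue
        try:
            entry = json.loads(line)
            if not isinstance(entry, dict):
                raise ValueError("not a JSON object")
        except ValueError:
            findings.append({"line": number, "message": "",
                             "reasons": ["unparseable line"]})
            continue
        reasons = check_entry(entry)
        if reasons:
            findings.append({"line": number,
                             "message": text(entry.get("MESSAGE")),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LINES):
        print(finding["line"], finding["message"], finding["reasons"])
```

A mismatch on an identity outside the policy is not reported, since scripts and wrappers legitimately log under a name that differs from their comm; the PID comparison is a signal to review rather than proof of forgery.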

Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-10 Thread Miloslav Trmač
I apologize, I'm ill and not generally up to providing detailed
responses.  So just some sourced facts to counter [1] untruths.

For education on what current syslogs do,
http://blog.gerhards.net/2012/10/main-advantages-of-rsyslog-v7-vs-v5.html
is a possible start and http://www.rsyslog.com/doc/manual.html
contains much more.

On Tue, Oct 9, 2012 at 11:24 PM, Lennart Poettering
 wrote:
> I am not generally against adding time-based rotation, but really, this
> is much less of a "necessity" than other things the journal provides,
> which syslog does not: for example per-service rate limits,

False.  http://www.rsyslog.com/doc/imuxsock.html, "There is input rate
limiting available", currently enabled by default in Fedora.

> and
> unfakable meta-data for log messages.

False: http://www.rsyslog.com/doc/imuxsock.html, "trusted syslog
properties are available" (and in v7 they can be enabled in the Fedora
configuration by default)

On Wed, Oct 10, 2012 at 12:08 AM, Lennart Poettering
 wrote:
> I am not a security guy, but having
> logs where unprivileged users cannot insert undetectable fakes
(Re: the implied claim that systemd provides that):

For the "unprivileged user" part, see above.

For the cryptographic protection, false.
http://cgit.freedesktop.org/systemd/systemd/tree/man/journalctl.xml#n358
defaults to 15 minutes, which is an eternity.
   Mirek

[1] An adjective belongs here.  I can think of about 10 candidates,
but I feel too ill and grumpy to trust myself to choose well.

Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-10 Thread Richard W.M. Jones
On Wed, Oct 10, 2012 at 02:54:13PM +0200, drago01 wrote:
> On Wed, Oct 10, 2012 at 12:49 PM, Richard W.M. Jones  
> wrote:
> > On Wed, Oct 10, 2012 at 10:11:03AM +, "Jóhann B. Guðmundsson" wrote:
> >> On 10/10/2012 08:54 AM, Richard W.M. Jones wrote:
> >> >This would be essential for libguestfs tools to parse logs out of
> >> >guests (we do it now by reading /var/log/messages etc which has all of
> >> >the properties you state).
> >>
> >> I'm not sure how you are doing this currently but for shutdown guest
> >> I assume you would mount then run something like
> >>
> >> journalctl -D /path/to/journal/files | the script you use to parse the logs
> >
> > The question is whether this works with different versions of journal
> > on the host and in the guest.  A typical case we have to deal with is
> > someone running a stable RHEL host, and Fedora guests
> > (ie. host version < guest version).
> 
> Can't you run the journal from the guest? Or does this open another
> can of worms?

Security worms, yes.

We try very much to avoid running code from the guest.  cf. grub
problems previously discussed on this list.

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
New in Fedora 11: Fedora Windows cross-compiler. Compile Windows
programs, test, and build Windows installers. Over 70 libraries supprt'd
http://fedoraproject.org/wiki/MinGW http://www.annexia.org/fedora_mingw

Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-10 Thread drago01
On Wed, Oct 10, 2012 at 2:54 PM, drago01  wrote:
> On Wed, Oct 10, 2012 at 12:49 PM, Richard W.M. Jones  
> wrote:
>> On Wed, Oct 10, 2012 at 10:11:03AM +, "Jóhann B. Guðmundsson" wrote:
>>> On 10/10/2012 08:54 AM, Richard W.M. Jones wrote:
>>> >This would be essential for libguestfs tools to parse logs out of
>>> >guests (we do it now by reading /var/log/messages etc which has all of
>>> >the properties you state).
>>>
>>> I'm not sure how you are doing this currently but for shutdown guest
>>> I assume you would mount then run something like
>>>
>>> journalctl -D /path/to/journal/files | the script you use to parse the logs
>>
>> The question is whether this works with different versions of journal
>> on the host and in the guest.  A typical case we have to deal with is
>> someone running a stable RHEL host, and Fedora guests
>> (ie. host version < guest version).
>
> Can't you run the journal from the guest? Or does this open another
> can of worms?

s/journal/journalctl/

Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-10 Thread drago01
On Wed, Oct 10, 2012 at 12:49 PM, Richard W.M. Jones  wrote:
> On Wed, Oct 10, 2012 at 10:11:03AM +, "Jóhann B. Guðmundsson" wrote:
>> On 10/10/2012 08:54 AM, Richard W.M. Jones wrote:
>> >This would be essential for libguestfs tools to parse logs out of
>> >guests (we do it now by reading /var/log/messages etc which has all of
>> >the properties you state).
>>
>> I'm not sure how you are doing this currently but for shutdown guest
>> I assume you would mount then run something like
>>
>> journalctl -D /path/to/journal/files | the script you use to parse the logs
>
> The question is whether this works with different versions of journal
> on the host and in the guest.  A typical case we have to deal with is
> someone running a stable RHEL host, and Fedora guests
> (ie. host version < guest version).

Can't you run the journal from the guest? Or does this open another
can of worms?

Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-10 Thread Matthew Miller
On Wed, Oct 10, 2012 at 12:12:26PM +0530, Rahul Sundaram wrote:
> >>About time :-)
> >Awesome.
> >And I want to take a moment to thank everyone for listening to these
> >concerns. I'm optimistic that we can make this all work very nicely.
> Is this documented in the relevant man pages as well?

In fact, I think it's big enough that it should go in the release notes.


-- 
Matthew Miller  ☁☁☁  Fedora Cloud Architect  ☁☁☁  

Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-10 Thread Lennart Poettering
On Wed, 10.10.12 09:50, Björn Persson (bjorn@rombobjörn.se) wrote:

> Lennart Poettering wrote:
> > On Tue, 09.10.12 09:09, Chris Adams (cmad...@hiwaay.net) wrote:
> > > How do you read this log when the system is not running (e.g.
> > > mounting filesystems of a drive on another system, running from a
> > > rescue image, etc.)?
> > 
> > journalctl -D 
> 
> So the rescue system (which might not always be Fedora) must have 
> journalctl installed. Is the file format stable, or can it break if the 
> rescue system has a different version of journalctl? Is the format 
> perchance even documented so that other tools for reading logs could be 
> written?

Yes, they need journalctl installed. Yes, the format is stable, we
haven't broken it since we first came up with it, and we are happy with
it so it is unlikely that we will break it any time soon. The format is
designed to be extensible while staying compatible and there are two bit
flag fields in the header that encode feature flags that allow us to
evolve the format as needed while still clarifying the level of
compatibility. That means the newest journalctl should always be capable
to read all old files, and to a lesser degree even old journalctls
decode newer files.

Since we are quite confident that the design of the file format is
pretty OK I actually intend to document it in the systemd wiki
soon. Maybe this will happen already by the time F18 is released, but
most likely around F19 the latest.

Lennart

-- 
Lennart Poettering - Red Hat, Inc.

Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-10 Thread Björn Persson
Daniel P. Berrange wrote:
> On Wed, Oct 10, 2012 at 12:00:41PM +0200, Björn Persson wrote:
> > So if my Fedora box won't boot, and I take the disk out and mount it
> > in a CentOS box, I might not be able to read the log because
> > journalctl in CentOS might be too old? Not fun.
> 
> You can easily just boot the current Fedora Live CD on your other box
> instead of CentOS. Or boot the Fedora Live CD inside a KVM guest and
> mount the broken disk to your guest instead of the host.

Downloading a CD image, setting up a virtual machine and figuring out how 
to mount a disk on it might not be a very hard problem, but it does take 
more time and effort than typing "less /mnt/var/log/messages".

Björn Persson


Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-10 Thread Richard W.M. Jones
On Wed, Oct 10, 2012 at 10:11:03AM +, "Jóhann B. Guðmundsson" wrote:
> On 10/10/2012 08:54 AM, Richard W.M. Jones wrote:
> >This would be essential for libguestfs tools to parse logs out of
> >guests (we do it now by reading /var/log/messages etc which has all of
> >the properties you state).
> 
> I'm not sure how you are doing this currently but for shutdown guest
> I assume you would mount then run something like
> 
> journalctl -D /path/to/journal/files | the script you use to parse the logs

The question is whether this works with different versions of journal
on the host and in the guest.  A typical case we have to deal with is
someone running a stable RHEL host, and Fedora guests
(ie. host version < guest version).

For RHEL 6 I guess this will involve backporting.  This is why stable,
well-documented formats like plain text are better.  That's not to say
however that the journal isn't possible to handle -- the format looks
like someone thought about this case to some extent, and we already
have to deal with undocumented binary formats like the Windows
registry and Windows event log.

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
virt-top is 'top' for virtual machines.  Tiny program with many
powerful monitoring features, net stats, disk stats, logging, etc.
http://et.redhat.com/~rjones/virt-top

Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-10 Thread Jóhann B. Guðmundsson

On 10/10/2012 07:54 AM, Frank Murphy wrote:
> On 09/10/12 15:16, Lennart Poettering wrote:
>
> > journalctl -D
> >
> > Lennart
>
> Can journalctl send the logs via logwatch?

As far as I know logwatch has not been patched to parse and use journal.

Try filing an RFE against logwatch for that

JBG

Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-10 Thread Jóhann B. Guðmundsson

On 10/10/2012 08:54 AM, Richard W.M. Jones wrote:
> This would be essential for libguestfs tools to parse logs out of
> guests (we do it now by reading /var/log/messages etc which has all of
> the properties you state).

I'm not sure how you are doing this currently but for shutdown guest I
assume you would mount then run something like

journalctl -D /path/to/journal/files | the script you use to parse the logs

And/or use systemd-gateway for active guests as in

# systemctl start systemd-journal-gatewayd.service

Then run

# wget http://localhost:19531/entries

To download the journal contents in a /var/log/messages compatible format

Or if you want to download it in JSON compatible format

# curl -H"Accept: application/json" http://localhost:19531/entries

If you simply want to browse the log file of a running guest you would
just visit the http://IP:19531/browse in your favorite browser


JBG

Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-10 Thread Daniel P. Berrange
On Wed, Oct 10, 2012 at 12:00:41PM +0200, Björn Persson wrote:
> Richard W.M. Jones wrote:
> > I checked out the code, and it does seem as if the format is intended
> > to be backwards compatible.  It uses a set of filesystem-like
> > "compatible" and "incompatible" flags, so presumably a sufficiently
> > recent journalctl would be able to read any previous version of the
> > binary file format.
> 
> So if my Fedora box won't boot, and I take the disk out and mount it in 
> a CentOS box, I might not be able to read the log because journalctl in 
> CentOS might be too old? Not fun.

You can easily just boot the current Fedora Live CD on your other box
instead of CentOS. Or boot the Fedora Live CD inside a KVM guest and
mount the broken disk to your guest instead of the host.

Daniel
-- 
|: http://berrange.com  -o-http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org  -o- http://virt-manager.org :|
|: http://autobuild.org   -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org   -o-   http://live.gnome.org/gtk-vnc :|

Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-10 Thread Björn Persson
Richard W.M. Jones wrote:
> I checked out the code, and it does seem as if the format is intended
> to be backwards compatible.  It uses a set of filesystem-like
> "compatible" and "incompatible" flags, so presumably a sufficiently
> recent journalctl would be able to read any previous version of the
> binary file format.

So if my Fedora box won't boot, and I take the disk out and mount it in 
a CentOS box, I might not be able to read the log because journalctl in 
CentOS might be too old? Not fun.

Björn Persson


Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-10 Thread Richard W.M. Jones
On Wed, Oct 10, 2012 at 09:54:28AM +0100, Richard W.M. Jones wrote:
> On Wed, Oct 10, 2012 at 09:50:43AM +0200, Björn Persson wrote:
> > Lennart Poettering wrote:
> > > On Tue, 09.10.12 09:09, Chris Adams (cmad...@hiwaay.net) wrote:
> > > > How do you read this log when the system is not running (e.g.
> > > > mounting filesystems of a drive on another system, running from a
> > > > rescue image, etc.)?
> > > 
> > > journalctl -D 
> > 
> > So the rescue system (which might not always be Fedora) must have 
> > journalctl installed. Is the file format stable, or can it break if the 
> > rescue system has a different version of journalctl? Is the format 
> > perchance even documented so that other tools for reading logs could be 
> > written?
> 
> This would be essential for libguestfs tools to parse logs out of
> guests (we do it now by reading /var/log/messages etc which has all of
> the properties you state).

I checked out the code, and it does seem as if the format is intended
to be backwards compatible.  It uses a set of filesystem-like
"compatible" and "incompatible" flags, so presumably a sufficiently
recent journalctl would be able to read any previous version of the
binary file format.

It would be nice to have this confirmed, and indeed enshrined in the
policy of the journal, because it is IMHO essential that the binary
log files will always be readable.

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
virt-df lists disk usage of guests without needing to install any
software inside the virtual machine.  Supports Linux and Windows.
http://et.redhat.com/~rjones/virt-df/

Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-10 Thread Richard W.M. Jones
On Wed, Oct 10, 2012 at 09:50:43AM +0200, Björn Persson wrote:
> Lennart Poettering wrote:
> > On Tue, 09.10.12 09:09, Chris Adams (cmad...@hiwaay.net) wrote:
> > > How do you read this log when the system is not running (e.g.
> > > mounting filesystems of a drive on another system, running from a
> > > rescue image, etc.)?
> > 
> > journalctl -D 
> 
> So the rescue system (which might not always be Fedora) must have 
> journalctl installed. Is the file format stable, or can it break if the 
> rescue system has a different version of journalctl? Is the format 
> perchance even documented so that other tools for reading logs could be 
> written?

This would be essential for libguestfs tools to parse logs out of
guests (we do it now by reading /var/log/messages etc which has all of
the properties you state).

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
virt-top is 'top' for virtual machines.  Tiny program with many
powerful monitoring features, net stats, disk stats, logging, etc.
http://et.redhat.com/~rjones/virt-top

Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-10 Thread Björn Persson
Lennart Poettering wrote:
> On Tue, 09.10.12 09:09, Chris Adams (cmad...@hiwaay.net) wrote:
> > How do you read this log when the system is not running (e.g.
> > mounting filesystems of a drive on another system, running from a
> > rescue image, etc.)?
> 
> journalctl -D 

So the rescue system (which might not always be Fedora) must have 
journalctl installed. Is the file format stable, or can it break if the 
rescue system has a different version of journalctl? Is the format 
perchance even documented so that other tools for reading logs could be 
written?

Björn Persson


Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-10 Thread Frank Murphy

On 09/10/12 15:16, Lennart Poettering wrote:

> journalctl -D
>
> Lennart

Can journalctl send the logs via logwatch?

--
Regards,
Frank
"Jack of all, fubars"

Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-09 Thread Rahul Sundaram

On 10/09/2012 09:42 PM, Matthew Miller wrote:
> On Tue, Oct 09, 2012 at 11:59:08AM -0400, Simo Sorce wrote:
> > > In current versions .service is implied if no extension is provided:
> > > https://bugs.freedesktop.org/show_bug.cgi?id=39386
> >
> > About time :-)
>
> Awesome.
>
> And I want to take a moment to thank everyone for listening to these
> concerns. I'm optimistic that we can make this all work very nicely.

Is this documented in the relevant man pages as well?

Rahul


Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-09 Thread Stephen John Smoogen
On 9 October 2012 20:45, Simo Sorce  wrote:
> On Tue, 2012-10-09 at 22:33 -0400, Matthew Miller wrote:
>> On Tue, Oct 09, 2012 at 10:30:38PM -0400, Simo Sorce wrote:
>> > Oh come on, stop bashing unix, logrotate could certainly grow a size
>> > checking policy if people felt the need, unix is not holding you back,
>> > in fact you are building this stuff on a unix-like system.
>>
>> In fact, logrotate _has_ a size checking policy and has for years. Possibly
>> always. The main drawback is that with nightly runs, a log which grows
>> suddenly during the day may grow out of control.
>
> Yeah I meant more of an online checker based on something like inotify
> that would run the logrotate job ahead of time if needed. It's not
> rocket science, but if it is not widespread it probably means that
> either those in need use alternative log rotation tools, or people never
> felt the urge to do it.

At previous jobs I have seen it usually done by moving logrotate to
every hour or smaller time frame using a custom config that only
checked the sizes of files. I think they had some sort of inotify tool
also but it had a tendency to go bonkers at times.


-- 
Stephen J Smoogen.
"Don't derail a useful feature for the 99% because you're not in it."
Linus Torvalds
"Years ago my mother used to say to me,... Elwood, you must be oh
so smart or oh so pleasant. Well, for years I was smart. I
recommend pleasant. You may quote me."  —James Stewart as Elwood P. Dowd

Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-09 Thread Simo Sorce
On Tue, 2012-10-09 at 22:33 -0400, Matthew Miller wrote:
> On Tue, Oct 09, 2012 at 10:30:38PM -0400, Simo Sorce wrote:
> > Oh come on, stop bashing unix, logrotate could certainly grow a size
> > checking policy if people felt the need, unix is not holding you back,
> > in fact you are building this stuff on a unix-like system.
> 
> In fact, logrotate _has_ a size checking policy and has for years. Possibly
> always. The main drawback is that with nightly runs, a log which grows
> suddenly during the day may grow out of control.

Yeah I meant more of an online checker based on something like inotify
that would run the logrotate job ahead of time if needed. It's not
rocket science, but if it is not widespread it probably means that
either those in need use alternative log rotation tools, or people never
felt the urge to do it.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York


Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-09 Thread Matthew Miller
On Tue, Oct 09, 2012 at 10:30:38PM -0400, Simo Sorce wrote:
> Oh come on, stop bashing unix, logrotate could certainly grow a size
> checking policy if people felt the need, unix is not holding you back,
> in fact you are building this stuff on a unix-like system.

In fact, logrotate _has_ a size checking policy and has for years. Possibly
always. The main drawback is that with nightly runs, a log which grows
suddenly during the day may grow out of control.

-- 
Matthew Miller  ☁☁☁  Fedora Cloud Architect  ☁☁☁  

Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-09 Thread Simo Sorce
On Tue, 2012-10-09 at 23:24 +0200, Lennart Poettering wrote:
> I am not generally against adding time-based rotation, but really,
> this
> is much less of a "necessity" than other things the journal provides,
> which syslog does not: for example per-service rate limits, and
> unfakable meta-data for log messages. I mean, really, how can we ship
> a syslog where every random user can fake messages, say they are from
> a privileged process and offer no way how to detect that?


I am not saying you need to remove any of the good features, not even
sure why you seem to make an either/or case.

The point of adding time based rotation is exactly so that *more* users
can use it and benefit from the other features.

> > Also rotating based on use is generally annoying to admins, as it
> makes
> > more difficult to predict where stuff will end up and what will
> > deterministically be in backups.
> 
> For some sure, for most not.

For most people you could simply throw away multiuser support and always
run as root, I don't think that makes for a good argument to do so
anyway.

> > logrotate has time based policies for very good reasons.
> 
> Yeah, because Unix doesn't really allow much else...
> 
Oh come on, stop bashing unix, logrotate could certainly grow a size
checking policy if people felt the need, unix is not holding you back,
in fact you are building this stuff on a unix-like system.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York


Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-09 Thread Jóhann B. Guðmundsson

On 10/09/2012 10:08 PM, Lennart Poettering wrote:
> With the feature I am planning to propose for F19:

Which in essence is the same as I proposed for F18 (Although for
completely different purposes).

There was absolutely nothing preventing this feature having been
accepted and those changes being made this release cycle (and reverted
if necessary by beta) allowing for once us in QA to work ahead of us in
identifying bugs, shortcomings and what not but hey let's introduce not
even alpha quality ready installer into the release which under normal
circumstances would be postponed to F19.

It's going to be interesting indeed to see the same people vote against
their coworker vs community member and after Fedora 18 being released
thus those changes off the RHEL7 radar which seem to heavily dictate
Fedora's release cycle during the releases Red Hat chooses to base its
RHEL release upon.

Yes there are times that I truly feel the entire feature readiness
process should be entirely managed by the QA community.


JBG

Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-09 Thread Stephen John Smoogen
On 9 October 2012 16:24, Matthew Miller  wrote:
> On Tue, Oct 09, 2012 at 04:20:14PM -0600, Stephen John Smoogen wrote:
>> > "If you have strict requirements on time-based logging rotation or
>> > certain audit requirements, then something like rsyslog(?) is required
>> > in parallel with the journal.  In most other cases (desktops, tablets,
>> > many servers) the journal is sufficient."
>> *patch acked*
>
> Okay, so, given that: isn't systemd with time-based rotation logging more
> desirable than pushing that aspect off to rsyslog, because rsyslog loses the
> secure logging aspect?

OK I don't know enough of the journald "file" format and such to answer this.

> I would also note that the scope of organizations that have requirements for
> time-based rotation are much, much larger than the set of organizations
> who need their servers to crash on error. It's an important use case, not
> just a thought experiment.

Yes they are but I think they would be in the same field of not being
the main candidate of using just the journal. Mainly because they
require sending the data to centralized locations, timestamping in
required formats etc.

-- 
Stephen J Smoogen.
"Don't derail a useful feature for the 99% because you're not in it."
Linus Torvalds
"Years ago my mother used to say to me,... Elwood, you must be oh
so smart or oh so pleasant. Well, for years I was smart. I
recommend pleasant. You may quote me."  —James Stewart as Elwood P. Dowd

Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-09 Thread Matthew Miller
On Tue, Oct 09, 2012 at 04:20:14PM -0600, Stephen John Smoogen wrote:
> > "If you have strict requirements on time-based logging rotation or
> > certain audit requirements, then something like rsyslog(?) is required
> > in parallel with the journal.  In most other cases (desktops, tablets,
> > many servers) the journal is sufficient."
> *patch acked*

Okay, so, given that: isn't systemd with time-based rotation logging more
desirable than pushing that aspect off to rsyslog, because rsyslog loses the
secure logging aspect?

I would also note that the scope of organizations that have requirements for
time-based rotation are much, much larger than the set of organizations
who need their servers to crash on error. It's an important use case, not
just a thought experiment.

-- 
Matthew Miller  ☁☁☁  Fedora Cloud Architect  ☁☁☁  

Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-09 Thread Stephen John Smoogen
On 9 October 2012 17:18, Dan Williams  wrote:
> On Tue, 2012-10-09 at 15:57 -0600, Stephen John Smoogen wrote:
>> On 9 October 2012 15:50, Matthew Miller  wrote:
>> > On Tue, Oct 09, 2012 at 03:41:51PM -0600, Stephen John Smoogen wrote:
>> >> > If you want audit-like semantics with crashing if we cannot write, then
>> >> > use something else, not the journal. The journal is supposed to be
>> >> > robust and do the right thing so that you can leave it unattended and
>> >> > whatever happens it didn't spill the disk or become unavailable. It's
>> >> > supposed to be "zero maintenance".
>> >>
>> >> So in those cases rsyslog would be required, but would be seen as a
>> >> post-install step.
>> >>
>> >> EG what you are looking at is building a GNOME-OS and for those sorts
>> >> of tablets, etc the journal is right for that. The other cases like at
>> >> a Hospital, trading firm or various .gov.XX then having rsyslog
>> >> installed with audit post would be the way to get the needed features.
>> >
>> > If so, this seems unfortunate, because the other features discussed (e.g.,
>> > trustable metadata) would be very welcome in these environments. Can't the
>> > enterprise have nice things?
>>
>> Sorry I didn't mean to make that either/or. The enterprise gets the
>> journald but does not get to keep its contents unless there is a
>> program that sends it to say rsyslog.
>
> Ah; I think what you meant to say is:
>
> "*IF* what you are looking at..."

In my head I thought I wrote that *IF* until you pointed out I missed it.

> but I'd suggest instead:
>
> "If you have strict requirements on time-based logging rotation or
> certain audit requirements, then something like rsyslog(?) is required
> in parallel with the journal.  In most other cases (desktops, tablets,
> many servers) the journal is sufficient."

*patch acked*


> No?
>
> Dan



-- 
Stephen J Smoogen.
"Don't derail a useful feature for the 99% because you're not in it."
Linus Torvalds
"Years ago my mother used to say to me,... Elwood, you must be oh
so smart or oh so pleasant. Well, for years I was smart. I
recommend pleasant. You may quote me."  —James Stewart as Elwood P. Dowd

Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-09 Thread Stephen John Smoogen
On 9 October 2012 16:08, Lennart Poettering  wrote:
> On Tue, 09.10.12 15:41, Stephen John Smoogen (smo...@gmail.com) wrote:
>
>> On 9 October 2012 15:24, Lennart Poettering  wrote:
>> > On Tue, 09.10.12 16:53, Simo Sorce (s...@redhat.com) wrote:
>>
>> > If you want audit-like semantics with crashing if we cannot write, then
>> > use something else, not the journal. The journal is supposed to be
>> > robust and do the right thing so that you can leave it unattended and
>> > whatever happens it didn't spill the disk or become unavailable. It's
>> > supposed to be "zero maintenance".
>>
>> So in those cases rsyslog would be required, but would be seen as a
>> post-install step.
>>
>> EG what you are looking at is building a GNOME-OS and for those sorts
>> of tablets, etc the journal is right for that. The other cases like at
>> a Hospital, trading firm or various .gov.XX then having rsyslog
>> installed with audit post would be the way to get the needed features.
>
> This is BS. The journal is for most folks, not just GNOME users.

Ugh.. look I was trying to restate exactly what you said in previous
emails to make sure I understood what you were saying and to show I
agreed where that is coming from.. and it looks like I dropped some
packets somewhere

By GNOME-OS I meant a particular use-case where a journal would be
useful and it is built for like you said in previous emails. Change
GNOME-OS to Fedora, KDE-OS, Mozilla-OS, whatever.. it is a use case
for a lot of people.

Sites that need specialized big business needs are going to need
something like rsyslog because they have limited case issues.. like
never over-writing logs, halting when logs fill up, etc. Those are
written in regulations that aren't going to change in anytime before
say RHEL-10 comes out.

> How many people actually enable "auditctl -f2"? There's probably not
> many except a few three letter agencies and similar folks.

The hospital servers I helped work with had to have it for HIPAA and
SOX Banes. The money systems that had PCI-DSS also had it on some. But
I am agreeing with you it is a small case.

-- 
Stephen J Smoogen.
"Don't derail a useful feature for the 99% because you're not in it."
Linus Torvalds
"Years ago my mother used to say to me,... Elwood, you must be oh
so smart or oh so pleasant. Well, for years I was smart. I
recommend pleasant. You may quote me."  —James Stewart as Elwood P. Dowd

Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-09 Thread Dan Williams
On Tue, 2012-10-09 at 15:57 -0600, Stephen John Smoogen wrote:
> On 9 October 2012 15:50, Matthew Miller  wrote:
> > On Tue, Oct 09, 2012 at 03:41:51PM -0600, Stephen John Smoogen wrote:
> >> > If you want audit-like semantics with crashing if we cannot write, then
> >> > use something else, not the journal. The journal is supposed to be
> >> > robust and do the right thing so that you can leave it unattended and
> >> > whatever happens it didn't spill the disk or become unavailable. It's
> >> > supposed to be "zero maintenance".
> >>
> >> So in those cases rsyslog would be required, but would be seen as a
> >> post-install step.
> >>
> >> EG what you are looking at is building a GNOME-OS and for those sorts
> >> of tablets, etc the journal is right for that. The other cases like at
> >> a Hospital, trading firm or various .gov.XX then having rsyslog
> >> installed with audit post would be the way to get the needed features.
> >
> > If so, this seems unfortunate, because the other features discussed (e.g.,
> > trustable metadata) would be very welcome in these environments. Can't the
> > enterprise have nice things?
> 
> Sorry I didn't mean to make that either/or. The enterprise gets the
> journald but does not get to keep its contents unless there is a
> program that sends it to say rsyslog.

Ah; I think what you meant to say is:

"*IF* what you are looking at..."

but I'd suggest instead:

"If you have strict requirements on time-based logging rotation or
certain audit requirements, then something like rsyslog(?) is required
in parallel with the journal.  In most other cases (desktops, tablets,
many servers) the journal is sufficient."

No?

Dan


Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-09 Thread Lennart Poettering
On Tue, 09.10.12 15:41, Stephen John Smoogen (smo...@gmail.com) wrote:

> On 9 October 2012 15:24, Lennart Poettering  wrote:
> > On Tue, 09.10.12 16:53, Simo Sorce (s...@redhat.com) wrote:
> 
> > If you want audit-like semantics with crashing if we cannot write, then
> > use something else, not the journal. The journal is supposed to be
> > robust and do the right thing so that you can leave it unattended and
> > whatever happens it didn't spill the disk or become unavailable. It's
> > supposed to be "zero maintenance".
> 
> So in those cases rsyslog would be required, but would be seen as a
> post-install step.
> 
> EG what you are looking at is building a GNOME-OS and for those sorts
> of tablets, etc the journal is right for that. The other cases like at
> a Hospital, trading firm or various .gov.XX then having rsyslog
> installed with audit post would be the way to get the needed features.

This is BS. The journal is for most folks, not just GNOME users.

How many people actually enable "auditctl -f2"? There's probably not
many except a few three letter agencies and similar folks.

I don't really want to play in the three letter agency area. That
doesn't mean I want to break things for them, I am just saying that the
super-strict policies they want should not dictate how the system works
for everybody else. As long as we make their setups possible (and yeah,
installing rsyslog is not that hard), that's fine. But really, a webshop
couldn't care less for such a mode. For most people reliability is more
important than "auditctl -f2".

Really, I have no intention to provide anything like "auditctl -f2" in
journald. Not going to happen. People can install auditd/rsyslog for
that. It's not my turf, I don't want those bugs.

And anyway: it is really confused to believe that people care more for
"auditctl -f2" than unfakable logs... I am not a security guy, but having
logs where unprivileged users cannot insert undetectable fakes is much
much much much much much more interesting to me than "auditctl -f2"
like behaviour. And if that's any standard we never would have allowed
syslog in the distro at all...

To stress this:

With the feature I am planning to propose for F19:

- I just want to change what is installed/enabled by default
- I do not want to break rsyslog or auditd or make them unavailable
- I do plan to support the equivalent of most things syslog offers, but
  do not plan to provide *everything* syslog offers. One of these things
  is UDP syslog proto support.
- I just want to provide something that is robust and secure and works
  for the vast majority of people without reconfiguration
- something that brings a number of important improvements over syslog at
  a lower footprint
- That works for server folks, embedded folks, desktop folks alike, but
  not necessarily all thinkable usecases of these uses.

Lennart

-- 
Lennart Poettering - Red Hat, Inc.

Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-09 Thread Dan Williams
On Tue, 2012-10-09 at 15:41 -0600, Stephen John Smoogen wrote:
> On 9 October 2012 15:24, Lennart Poettering  wrote:
> > On Tue, 09.10.12 16:53, Simo Sorce (s...@redhat.com) wrote:
> 
> > If you want audit-like semantics with crashing if we cannot write, then
> > use something else, not the journal. The journal is supposed to be
> > robust and do the right thing so that you can leave it unattended and
> > whatever happens it didn't spill the disk or become unavailable. It's
> > supposed to be "zero maintenance".
> 
> So in those cases rsyslog would be required, but would be seen as a
> post-install step.
> 
> EG what you are looking at is building a GNOME-OS and for those sorts
> of tablets, etc the journal is right for that. The other cases like at
> a Hospital, trading firm or various .gov.XX then having rsyslog
> installed with audit post would be the way to get the needed features.

That's a completely manufactured fake dichotomy.  So either we're
building an OS for tablets, or we're building an OS for Goldman Sachs?
And nothing in between?  Come on...

Dan

> 
> -- 
> Stephen J Smoogen.
> "Don't derail a useful feature for the 99% because you're not in it."
> Linus Torvalds
> "Years ago my mother used to say to me,... Elwood, you must be oh
> so smart or oh so pleasant. Well, for years I was smart. I
> recommend pleasant. You may quote me."  —James Stewart as Elwood P. Dowd



Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-09 Thread Stephen John Smoogen
On 9 October 2012 15:50, Matthew Miller  wrote:
> On Tue, Oct 09, 2012 at 03:41:51PM -0600, Stephen John Smoogen wrote:
>> > If you want audit-like semantics with crashing if we cannot write, then
>> > use something else, not the journal. The journal is supposed to be
>> > robust and do the right thing so that you can leave it unattended and
>> > whatever happens it didn't spill the disk or become unavailable. It's
>> > supposed to be "zero maintenance".
>>
>> So in those cases rsyslog would be required, but would be seen as a
>> post-install step.
>>
>> EG what you are looking at is building a GNOME-OS and for those sorts
>> of tablets, etc the journal is right for that. The other cases like at
>> a Hospital, trading firm or various .gov.XX then having rsyslog
>> installed with audit post would be the way to get the needed features.
>
> If so, this seems unfortunate, because the other features discussed (e.g.,
> trustable metadata) would be very welcome in these environments. Can't the
> enterprise have nice things?

Sorry I didn't mean to make that either/or. The enterprise gets the
journald but does not get to keep its contents unless there is a
program that sends it to say rsyslog.

-- 
Stephen J Smoogen.
"Don't derail a useful feature for the 99% because you're not in it."
Linus Torvalds
"Years ago my mother used to say to me,... Elwood, you must be oh
so smart or oh so pleasant. Well, for years I was smart. I
recommend pleasant. You may quote me."  —James Stewart as Elwood P. Dowd

Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-09 Thread Matthew Miller
On Tue, Oct 09, 2012 at 03:41:51PM -0600, Stephen John Smoogen wrote:
> > If you want audit-like semantics with crashing if we cannot write, then
> > use something else, not the journal. The journal is supposed to be
> > robust and do the right thing so that you can leave it unattended and
> > whatever happens it didn't spill the disk or become unavailable. It's
> > supposed to be "zero maintenance".
> 
> So in those cases rsyslog would be required, but would be seen as a
> post-install step.
> 
> EG what you are looking at is building a GNOME-OS and for those sorts
> of tablets, etc the journal is right for that. The other cases like at
> a Hospital, trading firm or various .gov.XX then having rsyslog
> installed with audit post would be the way to get the needed features.

If so, this seems unfortunate, because the other features discussed (e.g.,
trustable metadata) would be very welcome in these environments. Can't the
enterprise have nice things?



-- 
Matthew Miller  ☁☁☁  Fedora Cloud Architect  ☁☁☁  

Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-09 Thread Stephen John Smoogen
On 9 October 2012 15:24, Lennart Poettering  wrote:
> On Tue, 09.10.12 16:53, Simo Sorce (s...@redhat.com) wrote:

> If you want audit-like semantics with crashing if we cannot write, then
> use something else, not the journal. The journal is supposed to be
> robust and do the right thing so that you can leave it unattended and
> whatever happens it didn't spill the disk or become unavailable. It's
> supposed to be "zero maintenance".

So in those cases rsyslog would be required, but would be seen as a
post-install step.

EG what you are looking at is building a GNOME-OS and for those sorts
of tablets, etc the journal is right for that. The other cases like at
a Hospital, trading firm or various .gov.XX then having rsyslog
installed with audit post would be the way to get the needed features.


-- 
Stephen J Smoogen.
"Don't derail a useful feature for the 99% because you're not in it."
Linus Torvalds
"Years ago my mother used to say to me,... Elwood, you must be oh
so smart or oh so pleasant. Well, for years I was smart. I
recommend pleasant. You may quote me."  —James Stewart as Elwood P. Dowd

Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-09 Thread Matthew Miller
On Tue, Oct 09, 2012 at 11:26:19PM +0200, Lennart Poettering wrote:
> Well, you have to actually enable the journal on persistent storage
> first. Try "mkdir /var/log/journal". Without that we will only keep a
> very small set of logs in RAM, so that things are flushed out quickly.

So, minutes before seeing this message, on my F17 test system, I did:

$ mkdir /var/log/journal
$ sudo systemctl restart  systemd-journald.service

And now I get

Logs begin at Sat, 29 Sep 2012 09:23:21 -0400, end at Tue, 09 Oct 2012 17:30:59 -0400.
Failed to iterate through journal: Bad message
Sep 29 09:23:21 localhost.localdomain systemd-journal[313]: Journal started

Is this the expected behavior?

-- 
Matthew Miller  ☁☁☁  Fedora Cloud Architect  ☁☁☁  

Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-09 Thread Lennart Poettering
On Tue, 09.10.12 14:57, Chris Murphy (li...@colorremedies.com) wrote:

> 
> On Oct 9, 2012, at 11:20 AM, Lennart Poettering wrote:
> 
> > On Tue, 09.10.12 15:35, Bryn M. Reeves (b...@redhat.com) wrote:
> >> Setting PIPE or piping to a pager is even worse - the lines are
> >> truncated at 77 chars regardless of the term width so for now I'm
> >> running journalctl --no-pager -a | less to get wrapped lines in a
> >> pager.
> > 
> > Fixed in F18.
> 
> 
> Not for me. I get one result for the first command, and 20+ for the second:
> 
> journalctl | grep btrfs
> cat /var/log/messages | grep btrfs
> 
> systemd-194-1.fc18.x86_64

Well, you have to actually enable the journal on persistent storage
first. Try "mkdir /var/log/journal". Without that we will only keep a
very small set of logs in RAM, so that things are flushed out quickly.

Lennart

-- 
Lennart Poettering - Red Hat, Inc.

Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-09 Thread Lennart Poettering
On Tue, 09.10.12 16:53, Simo Sorce (s...@redhat.com) wrote:

> > > Also: what is the equivalent for logrotate in the systemd journal
> > > case?
> > 
> > Rotation happens in-line, i.e. each time before we are about to write an
> > entry we check if rotation is necessary and execute it. This should make
> > things a lot more robust, as this fixes a common issue with syslog where
> > a lot of data generated in bursts could flood the fs until a much later
> > time-based rotation took place. This time window goes away with the journal.
> 
> Lovely so now I have a perfect way to remove all traces of access all we
> need is to cause a lot of logging to go through until it is merrily
> deleted ?

We enforce per-cgroup ratelimiting. That means a service can run amok,
but this will cause its stream to be throttled while leaving other
services unaffected.

> This *must* be configurable, there are places where rotation is not
> allowed at all and the system *must* crash and stop if logs can't be
> written and preserved.

Well, I am not sure what you are requesting. We cannot store more on a
disk than fits on a disk. So we need to do things based on disk
size/free space. Almost everybody would rather have log messages being
dropped than the machine come to a standstill because log messages can't
be written anymore.

If you want audit-like semantics with crashing if we cannot write, then
use something else, not the journal. The journal is supposed to be
robust and do the right thing so that you can leave it unattended and
whatever happens it didn't spill the disk or become unavailable. It's
supposed to be "zero maintenance".

> > See SystemMaxUse= resp. SystemKeepFree= in journald.conf(5).
> 
> You need to allow boundless configurations, see above.

No, I don't. The journal is not a reimplementation of auditd. If people
want a "yes, please, crash my machine if a client enters a log spam
loop" policy, then we have other options than the journal, and which can
run side-by-side with the journal. I don't think this is in any way
relevant for 99.9% of all installations. In those it is more interesting
to minimize the negative impact a misbehaving service can have, rather
than amplifying it. So no, I don't need, I don't must support all
thinkable setups.

I am not generally against adding time-based rotation, but really, this
is much less of a "necessity" than other things the journal provides,
which syslog does not: for example per-service rate limits, and
unfakable meta-data for log messages. I mean, really, how can we ship
a syslog where every random user can fake messages, say they are from a
privileged process and offer no way how to detect that?

> Also rotating based on use is generally annoying to admins, as it makes
> more difficult to predict where stuff will end up and what will
> deterministically be in backups.

For some sure, for most not.

> logrotate has time based policies for very good reasons.

Yeah, because Unix doesn't really allow much else...

> Your policy may make sense on space-constrained configuration but in any
> other system they make little sense, and log compression on rotation is
> all you really need (lots of repetitions in the logs allow big gains
> when compressing).

Well, I guess we have to agree to disagree on what is necessary to make
things robust, safe and secure.

Lennart

-- 
Lennart Poettering - Red Hat, Inc.
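
A toy model of the exchange above (the flood-to-rotate concern and the per-cgroup rate limit given in reply), added here as an example; it is not journald code and not from any poster in this thread. The entry cap stands in for SystemMaxUse=, and the limit of 200 messages per 10 seconds, the service names and the log lines are assumed, constructed values.

```python
from collections import Counter, deque


class CappedLog:
    """Size-capped log with in-line rotation and an optional per-service rate limit."""

    def __init__(self, max_entries, burst=None, interval=None):
        self.max_entries = max_entries  # stand-in for SystemMaxUse= (counted in entries)
        self.burst = burst              # assumed: messages accepted per interval, per service
        self.interval = interval        # assumed: interval length in seconds
        self.entries = deque()
        self.kept = Counter()           # service -> entries currently stored
        self.dropped = Counter()        # service -> messages refused by the rate limit
        self._window = {}               # service -> (window start, accepted count)

    def write(self, t, service, msg):
        # Rate limit is applied per service, so one sender cannot use up
        # another sender's allowance.
        if self.burst is not None:
            start, count = self._window.get(service, (t, 0))
            if t - start >= self.interval:
                start, count = t, 0
            if count >= self.burst:
                self.dropped[service] += 1
                return False
            self._window[service] = (start, count + 1)
        # In-line rotation: make room before every write, oldest entry first.
        while len(self.entries) >= self.max_entries:
            _, old_service, _ = self.entries.popleft()
            self.kept[old_service] -= 1
        self.entries.append((t, service, msg))
        self.kept[service] += 1
        return True


def seed(log):
    # Constructed sample: 50 sshd entries, one per second, t = 0..49.
    for t in range(50):
        log.write(t, "sshd", f"session opened (constructed entry {t})")


def flood(log, start=50, seconds=10, per_second=1000):
    # A misbehaving service emitting 1000 messages per second for 10 seconds.
    for t in range(start, start + seconds):
        for _ in range(per_second):
            log.write(t, "noisy", "spam")


def seconds_until_evicted(log, victim="sshd", start=50, per_second=1000, limit=3600):
    # How long a sustained flood needs before the victim's last entry rotates out.
    for t in range(start, start + limit):
        for _ in range(per_second):
            log.write(t, "noisy", "spam")
            if log.kept[victim] == 0:
                return t - start
    return None


def scenario(**limit):
    burst_log = CappedLog(1000, **limit)
    seed(burst_log)
    flood(burst_log)
    sustained = CappedLog(1000, **limit)
    seed(sustained)
    return {
        "sshd_kept_after_burst": burst_log.kept["sshd"],
        "noisy_kept_after_burst": burst_log.kept["noisy"],
        "noisy_dropped_in_burst": burst_log.dropped["noisy"],
        "seconds_until_sshd_gone": seconds_until_evicted(sustained),
    }


def demo():
    return {
        "no_limit": scenario(),
        "rate_limited": scenario(burst=200, interval=10),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

In this model the rate limit keeps every sshd entry through the 10-second burst, while a flood sustained past the cap still rotates them out; the limit bounds how fast entries are displaced, not whether they can be.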

Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-09 Thread Chris Murphy

On Oct 9, 2012, at 11:20 AM, Lennart Poettering wrote:

> On Tue, 09.10.12 15:35, Bryn M. Reeves (b...@redhat.com) wrote:
>> Setting PIPE or piping to a pager is even worse - the lines are
>> truncated at 77 chars regardless of the term width so for now I'm
>> running journalctl --no-pager -a | less to get wrapped lines in a
>> pager.
> 
> Fixed in F18.


Not for me. I get one result for the first command, and 20+ for the second:

journalctl | grep btrfs
cat /var/log/messages | grep btrfs

systemd-194-1.fc18.x86_64

Chris Murphy

Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-09 Thread Simo Sorce
On Tue, 2012-10-09 at 20:47 +0200, Lennart Poettering wrote:
> On Tue, 09.10.12 13:40, Chris Adams (cmad...@hiwaay.net) wrote:
> 
> > Once upon a time, Lennart Poettering  said:
> > > Only users in the "adm" group can see system logs and logs of
> > > other users.
> > 
> > Is this configurable (if so, how)?  For example, all the "wheel is
> > special" behavior I am aware of is configurable (e.g. PAM config,
> > visudo).
> 
> This is currently not configurable.

This is bad, I certainly do not want adm users to be able to
read /var/log/secure, passwords do accidentally end up there, only root
should be allowed to read that file.

And AFAIK only root can read /var/log/messages in fedora, so you are
*relaxing* access and that is something that should be carefully
reviewed.

What is the rationale for relaxing access ?
Who is normally added to the adm group ?

> > Also: what is the equivalent for logrotate in the systemd journal
> > case?
> 
> Rotation happens in-line, i.e. each time before we are about to write an
> entry we check if rotation is necessary and execute it. This should make
> things a lot more robust, as this fixes a common issue with syslog where
> a lot of data generated in bursts could flood the fs until a much later
> time-based rotation took place. This time window goes away with the journal.

Lovely so now I have a perfect way to remove all traces of access all we
need is to cause a lot of logging to go through until it is merrily
deleted ?

This *must* be configurable, there are places where rotation is not
allowed at all and the system *must* crash and stop if logs can't be
written and preserved.

> > How can you configure how much log data is kept and for how long?
> 
> Rotation is strictly bound to disk size and space. There's an upper
> limit on how much journald will consume, and a lower limit on how much
> journald will always leave free.
> 
> See SystemMaxUse= resp. SystemKeepFree= in journald.conf(5).

You need to allow boundless configurations, see above.
Also rotating based on use is generally annoying to admins, as it makes
more difficult to predict where stuff will end up and what will
deterministically be in backups.

logrotate has time based policies for very good reasons.

Your policy may make sense on space-constrained configuration but in any
other system they make little sense, and log compression on rotation is
all you really need (lots of repetitions in the logs allow big gains
when compressing).

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York


Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-09 Thread John . Florian
> From: Matthew Miller 
> On Tue, Oct 09, 2012 at 03:55:30PM -0400, john.flor...@dart.biz wrote:
> > So maybe I should say that I think Fedora has always had it just about
> > right, IMHO.  A very small, but functional system ready to grow and can do
> > so with its own tools.
> 
> Yeah, but there's _so much_ room to quibble over what "functional" means
> there. For cloud JEOS images, I think we need less than that (because
> extremely ridiculously minimal is what people are asking for).

Agreed.  I think this also goes back to one of the requests here asking 
for a definition of what "minimal" means.  It also clearly shows the need 
for other "minimal-like" installs.

> > Makes sense, but can someone please tell me what "comps" stands for?  I
> > mostly know what they're used for, but have never guessed the acronym.  My
> > best guess just came to me after years of pondering: compilations? Anyway,
> > I feel rather stupid asking this Q, but hey "there's no stupid Qs, right?"
> >  ;-)
>
> Once upon a time, the installer presented you with a dialog with the title
> "Components to install". (I believe this even *predates anaconda*.)
> 
> This is the list of those components. The "comps file".

Oh yes, of course!  I remember the days ... having started with RHL 4.0. 
Some acronyms are just more obvious than others and comps.* is just about 
as cryptic as trans.* (arbitrary, fictional example) so thank you for 
clearing that up.

--
John Florian


Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-09 Thread Matthew Miller
On Tue, Oct 09, 2012 at 03:55:30PM -0400, john.flor...@dart.biz wrote:
> So maybe I should say that I think Fedora has always had it just about 
> right, IMHO.  A very small, but functional system ready to grow and can do 
> so with its own tools.

Yeah, but there's _so much_ room to quibble over what "functional" means
there. For cloud JEOS images, I think we need less than that (because
extremely ridiculously minimal is what people are asking for).


> Makes sense, but can someone please tell me what "comps" stands for?  I 
> mostly know what they're used for, but have never guessed the acronym.  My 
> best guess just came to me after years of pondering: compilations? Anyway, 
> I feel rather stupid asking this Q, but hey "there's no stupid Qs, right?" 
>  ;-)

Once upon a time, the installer presented you with a dialog with the title
"Components to install". (I believe this even *predates anaconda*.)

This is the list of those components. The "comps file".



-- 
Matthew Miller  ☁☁☁  Fedora Cloud Architect  ☁☁☁  

Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-09 Thread John . Florian
> From: Jesse Keating 
> On 10/09/2012 05:55 AM, john.flor...@dart.biz wrote:
> >> From: "Jóhann B. Guðmundsson" 
> >
> >> I personally want to see the documentation releng/fesco has about what
> >> the default minimal set, what the process is to have something
> >> include,excluded from it and why the packages that exist in it are there
> >> in the first place.
> >
> > I too would very much like to see this as almost all of the (hundreds,
> > soon to be thousands of) systems I manage start life as a minimal install
> > and grow "just enough" to fit their role.  I take "minimal" quite
> > literally in that I believe it should be the absolute minimum to boot,
> > login and install more atop of that, but only as needed.  Anything beyond
> > this is some "use case", but minimal is minimal.
> >
> > --
> > John Florian
> >
> >
> >
> >
> 
> And now we see why Anaconda did /not/ have a "minimal" option for a 
> while.  Minimal means different things.
> 
> To some, it means an OS that boots, lets root log in, read man pages, 
> use non-english languages, and add more packages with depsolving.  To 
> others it means an OS that boots and lets root login, and that's it. 
> Others feel that minimal should be enough to give you a filesystem and 
> runtime you can chroot into (but no kernel/bootloader).

I stumbled onto the multiple meanings while writing that message.  I had 
started to say that minimal should consist of no more than grub, kernel, 
bash, login, yum and their deps, then thought to myself, well of course I 
want init (systemd) and ... and ...

So maybe I should say that I think Fedora has always had it just about 
right, IMHO.  A very small, but functional system ready to grow and can do 
so with its own tools.

 
> Right now, "minimal" is defined in comps, as a set of packages. 
> Installing this group will depsolve and add more of course, which is 
> controlled by the packages itself.  Anaconda will add a few more things 
> forcefully, such as a kernel and a bootloader and potential arch 
> specific utilities, as well as authconfig and 
> system-config-firewall-base in order to add the root user and configure 
> the firewall.

Makes sense, but can someone please tell me what "comps" stands for?  I 
mostly know what they're used for, but have never guessed the acronym.  My 
best guess just came to me after years of pondering: compilations? Anyway, 
I feel rather stupid asking this Q, but hey "there's no stupid Qs, right?" 
 ;-)

--
John Florian


Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-09 Thread Till Maas
On Tue, Oct 09, 2012 at 07:51:30PM +0200, Lennart Poettering wrote:

> To summarize:
> 
> Previously: /var/log/secure readable only for root, /var/log/messages
> readable for everybody and including data from everybody.

Currently (Fedora 17 and before) /var/log/message is only readable by
root.

Regards
Till

Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-09 Thread Dan Williams
On Tue, 2012-10-09 at 21:29 +0200, Reindl Harald wrote:
> 
> Am 09.10.2012 19:19, schrieb Lennart Poettering:
> > On Tue, 09.10.12 15:19, Tom Hughes (t...@compton.nu) wrote:
> > 
> >> On 09/10/12 15:04, Lennart Poettering wrote:
> >>
> >>> h) It's much shorter to type: "journalctl" than "less
> >>>    /var/log/messages". "journalctl -n" is shorter than "tail
> >>>    /var/log/messages". And "journalctl -f" is shorter than "tail -f
> >>>    /var/log/messages".
> >>
> >> While "less" helpfully wraps your log lines at the edge of your
> >> terminal journalctl unhelpfully truncates them or, if -a is used,
> >> makes you use left/right cursor to scroll back and forth in an
> >> attempt to read the lines. Especially since it fully qualifies the
> >> host name so the actual message has barely got started by column 80.
> > 
> > On f18 we will not truncate lines we pass to less.
> > 
> > If you don't like the behaviour of less in regards of long lines, please
> > file a bug to less.
> 
> why is "less" used at all instead of "more" which
> supports scrolling down AND up as example?

I think you have less and more reversed?

Dan

> for me it is STILL a bad idea paging as default
> and force users to set shell-aliases
> 
> the unix-way to go is "whatever | more"
> 
> truncating and paging as default is really bad behavior
> 



Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-09 Thread Reindl Harald


Am 09.10.2012 19:19, schrieb Lennart Poettering:
> On Tue, 09.10.12 15:19, Tom Hughes (t...@compton.nu) wrote:
> 
>> On 09/10/12 15:04, Lennart Poettering wrote:
>>
>>> h) It's much shorter to type: "journalctl" than "less
>>>    /var/log/messages". "journalctl -n" is shorter than "tail
>>>    /var/log/messages". And "journalctl -f" is shorter than "tail -f
>>>    /var/log/messages".
>>
>> While "less" helpfully wraps your log lines at the edge of your
>> terminal journalctl unhelpfully truncates them or, if -a is used,
>> makes you use left/right cursor to scroll back and forth in an
>> attempt to read the lines. Especially since it fully qualifies the
>> host name so the actual message has barely got started by column 80.
> 
> On f18 we will not truncate lines we pass to less.
> 
> If you don't like the behaviour of less in regards of long lines, please
> file a bug to less.

why is "less" used at all instead of "more" which
supports scrolling down AND up as example?

for me it is STILL a bad idea paging as default
and force users to set shell-aliases

the unix-way to go is "whatever | more"

truncating and paging as default is really bad behavior




Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-09 Thread Matthew Miller
On Tue, Oct 09, 2012 at 03:14:06PM -0400, Seth Vidal wrote:
> This must be changed. Many policies at IT departments world wide
> have a date-based requirement, not a disk space size.
> It is simply unacceptable.

https://bugzilla.redhat.com/show_bug.cgi?id=864629


-- 
Matthew Miller  ☁☁☁  Fedora Cloud Architect  ☁☁☁  

Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-09 Thread Seth Vidal




On Tue, 9 Oct 2012, Lennart Poettering wrote:

> Rotation happens in-line, i.e. each time before we are about to write an
> entry we check if rotation is necessary and execute it. This should make
> things a lot more robust, as this fixes a common issue with syslog where
> a lot of data generated in bursts could flood the fs until a much later
> time-based rotation took place. This time window goes away with the journal.
>
>> How can you configure how much log data is kept and for how long?
>
> Rotation is strictly bound to disk size and space. There's an upper
> limit on how much journald will consume, and a lower limit on how much
> journald will always leave free.

This must be changed. Many policies at IT departments
world wide have a date-based requirement, not a disk space size.

It is simply unacceptable.

-sv


Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-09 Thread Lennart Poettering
On Tue, 09.10.12 13:40, Chris Adams (cmad...@hiwaay.net) wrote:

> Once upon a time, Lennart Poettering  said:
> > Only users in the "adm" group can see system logs and logs of
> > other users.
> 
> Is this configurable (if so, how)?  For example, all the "wheel is
> special" behavior I am aware of is configurable (e.g. PAM config,
> visudo).

This is currently not configurable.

> Also: what is the equivalent for logrotate in the systemd journal
> case?

Rotation happens in-line, i.e. each time before we are about to write an
entry we check if rotation is necessary and execute it. This should make
things a lot more robust, as this fixes a common issue with syslog where
a lot of data generated in bursts could flood the fs until a much later
time-based rotation took place. This time window goes away with the journal.

> How can you configure how much log data is kept and for how long?

Rotation is strictly bound to disk size and space. There's an upper
limit on how much journald will consume, and a lower limit on how much
journald will always leave free.

See SystemMaxUse= resp. SystemKeepFree= in journald.conf(5).

Lennart

-- 
Lennart Poettering - Red Hat, Inc.
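
Added example, not part of the original message and not journald's code: a toy model of the in-line, size-bound rotation described above, run through a quiet hour followed by a burst. The class, the per-file cap `file_max` and all numbers are assumptions made for illustration; `max_use` and `keep_free` stand in for SystemMaxUse= and SystemKeepFree=.

```python
from collections import deque


class SizeBoundJournal:
    """Toy model: the limits are checked before every single write."""

    def __init__(self, disk_size, max_use, keep_free, file_max):
        assert file_max <= max_use
        self.disk_size, self.max_use = disk_size, max_use
        self.keep_free, self.file_max = keep_free, file_max
        self.archived = deque()          # (bytes, oldest timestamp) per file
        self.archived_bytes = 0
        self.active_bytes = 0
        self.active_oldest = None
        self.peak = 0                    # highest disk usage ever observed

    def used(self):
        return self.archived_bytes + self.active_bytes

    def append(self, timestamp, size):
        # Rotate the active file once it would grow past its size cap.
        if self.active_bytes and self.active_bytes + size > self.file_max:
            self.archived.append((self.active_bytes, self.active_oldest))
            self.archived_bytes += self.active_bytes
            self.active_bytes, self.active_oldest = 0, None
        # Drop the oldest archived files until both limits hold again.
        while self.archived and (
                self.used() + size > self.max_use
                or self.disk_size - self.used() - size < self.keep_free):
            dropped, _ = self.archived.popleft()
            self.archived_bytes -= dropped
        if self.active_oldest is None:
            self.active_oldest = timestamp
        self.active_bytes += size
        self.peak = max(self.peak, self.used())

    def oldest(self):
        """Timestamp of the oldest entry still retained."""
        return self.archived[0][1] if self.archived else self.active_oldest


def run_scenario():
    journal = SizeBoundJournal(disk_size=10_000_000, max_use=1_000_000,
                               keep_free=1_000_000, file_max=100_000)
    for second in range(3600):           # one quiet hour, 100 bytes/second
        journal.append(second, 100)
    oldest_before = journal.oldest()
    for _ in range(20_000):              # burst: 2 MB within second 3600
        journal.append(3600, 100)
    return journal.peak, oldest_before, journal.oldest()
```

In this model the disk bound holds throughout the burst, but the retained history shrinks from the full hour to the burst itself, so a size-only limit gives no guarantee about how far back the log reaches.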

Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-09 Thread Chris Adams
Once upon a time, Lennart Poettering  said:
> Only users in the "adm" group can see system logs and logs of
> other users.

Is this configurable (if so, how)?  For example, all the "wheel is
special" behavior I am aware of is configurable (e.g. PAM config,
visudo).

Also: what is the equivalent for logrotate in the systemd journal case?
How can you configure how much log data is kept and for how long?

-- 
Chris Adams 
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.

Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-09 Thread Jesse Keating

On 10/09/2012 05:55 AM, john.flor...@dart.biz wrote:
> From: "Jóhann B. Guðmundsson"
>
> > I personally want to see the documentation releng/fesco has about what
> > the default minimal set is, what the process is to have something
> > included, excluded from it and why the packages that exist in it are there
> > in the first place.
>
> I too would very much like to see this as almost all of the (hundreds,
> soon to be thousands of) systems I manage start life as a minimal install
> and grow "just enough" to fit their role.  I take "minimal" quite
> literally in that I believe it should be the absolute minimum to boot,
> login and install more atop of that, but only as needed.  Anything beyond
> this is some "use case", but minimal is minimal.
>
> --
> John Florian

And now we see why Anaconda did /not/ have a "minimal" option for a 
while.  Minimal means different things.


To some, it means an OS that boots, lets root log in, read man pages, 
use non-English languages, and add more packages with depsolving.  To 
others it means an OS that boots and lets root login, and that's it. 
Others feel that minimal should be enough to give you a filesystem and 
runtime you can chroot into (but no kernel/bootloader).


Right now, "minimal" is defined in comps, as a set of packages. 
Installing this group will depsolve and add more of course, which is 
controlled by the packages themselves.  Anaconda will add a few more things 
forcefully, such as a kernel and a bootloader and potential arch 
specific utilities, as well as authconfig and 
system-config-firewall-base in order to add the root user and configure 
the firewall.


There are a couple places to make adjustment to what "minimal" is, comps 
and the packages.  As for the things Anaconda adds, we're not too keen 
on having that be "configurable".  Anaconda is really meant to be 
creating bootable systems, not necessarily stripped down chroots.


That said, we do have multiple install paths in Anaconda now, and it's 
not beyond the realm of imagination that there could be a mode that 
creates a chroot, optionally bootable, with a very trimmed down set. 
This would likely have to be driven by kickstart files, but does seem to 
dovetail a bit with the Arm effort, where installs are just blasting 
bits onto a SD card.


Interested parties should take up this effort and run with it, the 
Anaconda team won't likely be spending any time on this for a while, if 
ever.  We will however review patches and guide those wanting to work on it.


--
Jesse Keating
Fedora -- Freedom² is a feature!

Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-09 Thread Lennart Poettering
On Tue, 09.10.12 11:30, Matthew Miller (mat...@fedoraproject.org) wrote:

> On Tue, Oct 09, 2012 at 05:24:42PM +0200, Richard Marko wrote:
> > > Compared to the other things I mentioned this is less important (because
> > > hey, sysadmins can learn new ways!), but I wanted to elaborate on where
> > > this is coming from.
> > +1. For example swapping action and name parameters for systemctl
> > compared to service calls is just annoying.
> 
> Yes. Again, you're not the first person I've heard this from. Likewise,
> needing to fill out the .service extension. Both make a certain logical
> sense from a design point of view, but they're not putting the user first.

Note that in F18 we will append ".service" if a unit name otherwise
makes no sense.

In fact, there are a number of other little gimmicks in there:

"systemctl status foobar" is equivalent to "systemctl status foobar.service"
"systemctl status /dev/sda" is equivalent to "systemctl status dev-sda.device"
"systemctl status /home" is equivalent to "systemctl status home.mount"
"systemctl status dödel.service" is equivalent to "systemctl status d\xc3\xb6del.service"

Or in other words: we now have rules to qualify strings that otherwise
make no sense or are invalid with a very minimal, simple and static logic.

Lennart

-- 
Lennart Poettering - Red Hat, Inc.
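
Added example, not part of the original message and not systemd's code: the four qualification rules listed above written out as a small static function. The escaping of characters beyond the cases shown in the message, the set of characters kept verbatim and the list of recognised suffixes are assumptions of this sketch.

```python
import re

# Characters kept verbatim in a unit name; everything else becomes \xNN.
VALID = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
            "0123456789:-_.\\@")
# Inside an escaped path "-" stands for "/", so literal dashes (and
# backslashes and "@") must be escaped there as well (assumption).
PATH_PLAIN = VALID - set("-\\@")
# Suffixes treated as "already a full unit name" (assumed subset).
UNIT_SUFFIXES = (".service", ".socket", ".device", ".mount", ".automount",
                 ".swap", ".target", ".path", ".timer")


def hex_escape(text):
    """Escape every UTF-8 byte of text as a literal \\xNN sequence."""
    return "".join("\\x%02x" % byte for byte in text.encode("utf-8"))


def escape_path(path):
    """Map a file-system path to the name part of a .mount/.device unit."""
    trimmed = re.sub(r"/+", "/", path).strip("/")
    if not trimmed:
        return "-"                        # the root directory itself
    out = []
    for index, char in enumerate(trimmed):
        if char == "/":
            out.append("-")               # separators become dashes
        elif char not in PATH_PLAIN or (index == 0 and char == "."):
            out.append(hex_escape(char))
        else:
            out.append(char)
    return "".join(out)


def qualify(arg):
    """Turn a command-line argument into a full unit name."""
    if arg.startswith("/dev/"):
        return escape_path(arg) + ".device"
    if arg.startswith("/"):
        return escape_path(arg) + ".mount"
    name = "".join(c if c in VALID else hex_escape(c) for c in arg)
    if not name.endswith(UNIT_SUFFIXES):
        name += ".service"
    return name
```

Every branch is a pure string transformation, so untrusted input can at worst name a unit that does not exist.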

Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-09 Thread Lennart Poettering
On Tue, 09.10.12 11:00, Matthew Miller (mat...@fedoraproject.org) wrote:

> On Tue, Oct 09, 2012 at 10:45:24AM -0400, Matthew Miller wrote:
> > > c) it auto-pages if run on a tty
> > Hmmm. That's not necessarily what people are expecting, but okay.
> 
> To expand on this: there is a general expectation that non-interactive
> console tools will return control to the user immediately. Auto-paging is a
> different user-experience that doesn't necessarily dovetail with the Linux
> lineage. UI and UX aren't _just_ for GUI programs, after all. 

Not true. Open your eyes. git! man! ...

Lennart

-- 
Lennart Poettering - Red Hat, Inc.

Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-09 Thread Lennart Poettering
On Tue, 09.10.12 10:45, Matthew Miller (mat...@fedoraproject.org) wrote:

> > i) You always see the full set of logs you have access to. No need
> >    anymore to look through /var/log/messages, /var/log/secure and so
> >    on one individually. And you get all of this nicely interleaved.
> 
> As noted in an earlier message, that distinction is there for a reason. We
> need a way to provide the same in the new system.

The journal is actually tighter in security in this regard. By default
users can only get access to their own logs, but not to the system
logs. Only users in the "adm" group can see system logs and logs of
other users. We also securely determine who is logging and split this
off into separate files, so that unprivileged users cannot spam the logs
anymore and have their fake messages spill into supposedly secure logs.

To summarize:

Previously: /var/log/secure readable only for root, /var/log/messages
readable for everybody and including data from everybody.

Now: A journal for each user with only his data in it. Only readable by
the user himself and members of "adm" and root. One journal for the
system, with only trusted data in it. Only readable by adm and root. For
each caller all accessible files interleaved transparently on display.

I think the new behaviour makes a ton more sense than anything before.

Lennart

-- 
Lennart Poettering - Red Hat, Inc.

Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-09 Thread Matthew Miller
On Tue, Oct 09, 2012 at 07:27:19PM +0200, Lennart Poettering wrote:
> That all said, the color and autopaging is disabled automatically if you
> pipe the tools to something that is not a tty. You can also enable this
> via command line args, and env vars. This is similar to man or git. If

As long as it does the right thing in the non-tty case, it's not such a big
deal. But in the current version, it _doesn't_ do the right thing. It's good
that you've fixed the upcoming release, but didn't we also go through this
exact same thing with systemctl output?

Searching through output is a _primary activity_ of the consumers of both of
these utilities!



-- 
Matthew Miller  ☁☁☁  Fedora Cloud Architect  ☁☁☁  

Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-09 Thread Lennart Poettering
On Tue, 09.10.12 18:37, Richard W.M. Jones (rjo...@redhat.com) wrote:

> On Tue, Oct 09, 2012 at 07:34:50PM +0200, drago01 wrote:
> > On Tue, Oct 9, 2012 at 7:30 PM, Richard W.M. Jones wrote:
> > > On Tue, Oct 09, 2012 at 04:16:16PM +0200, Lennart Poettering wrote:
> > >> On Tue, 09.10.12 09:09, Chris Adams (cmad...@hiwaay.net) wrote:
> > >>
> > >> > Once upon a time, Lennart Poettering  said:
> > >> > > If people want some pixel-perfect copy of the traditional
> > >> > > /var/log/messages, then they should just run "journalctl" without any
> > >> > > args. It's much better than /var/log/messages:
> > >> >
> > >> > How do you read this log when the system is not running (e.g. mounting
> > >> > filesystems of a drive on another system, running from a rescue image,
> > >> > etc.)?
> > >>
> > >> journalctl -D 
> > >
> > > What is  in an actual system?
> > 
> > From the man page:
> > 
> > By default the journal stores log data in /run/log/journal/. Since
> > /run/ is volatile log data is lost at reboot.
> 
> WTF?
> 
> > To make the data
> > persistent it is sufficient to create /var/log/journal/ where
> > systemd-journald will then store the data.
> 
> I'm assuming this directory will be created, before /var/log/messages
> disappears.

Yes, of course.

Lennart

-- 
Lennart Poettering - Red Hat, Inc.

Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-09 Thread Richard W.M. Jones
On Tue, Oct 09, 2012 at 07:34:50PM +0200, drago01 wrote:
> On Tue, Oct 9, 2012 at 7:30 PM, Richard W.M. Jones  wrote:
> > On Tue, Oct 09, 2012 at 04:16:16PM +0200, Lennart Poettering wrote:
> >> On Tue, 09.10.12 09:09, Chris Adams (cmad...@hiwaay.net) wrote:
> >>
> >> > Once upon a time, Lennart Poettering  said:
> >> > > If people want some pixel-perfect copy of the traditional
> >> > > /var/log/messages, then they should just run "journalctl" without any
> >> > > args. It's much better than /var/log/messages:
> >> >
> >> > How do you read this log when the system is not running (e.g. mounting
> >> > filesystems of a drive on another system, running from a rescue image,
> >> > etc.)?
> >>
> >> journalctl -D 
> >
> > What is  in an actual system?
> 
> From the man page:
> 
> By default the journal stores log data in /run/log/journal/. Since
> /run/ is volatile log data is lost at reboot.

WTF?

> To make the data
> persistent it is sufficient to create /var/log/journal/ where
> systemd-journald will then store the data.

I'm assuming this directory will be created, before /var/log/messages
disappears.

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming blog: http://rwmj.wordpress.com
Fedora now supports 80 OCaml packages (the OPEN alternative to F#)
http://cocan.org/getting_started_with_ocaml_on_red_hat_and_fedora

Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-09 Thread Lennart Poettering
On Tue, 09.10.12 09:38, Chris Adams (cmad...@hiwaay.net) wrote:

> Once upon a time, Lennart Poettering  said:
> > On Tue, 09.10.12 09:09, Chris Adams (cmad...@hiwaay.net) wrote:
> > > Once upon a time, Lennart Poettering  said:
> > > > If people want some pixel-perfect copy of the traditional
> > > > /var/log/messages, then they should just run "journalctl" without any
> > > > args. It's much better than /var/log/messages:
> > > 
> > > How do you read this log when the system is not running (e.g. mounting
> > > filesystems of a drive on another system, running from a rescue image,
> > > etc.)?
> > 
> > journalctl -D 
> 
> And just what is the  (relative to system /)?

The path where the journal files reside or where the per-machine
subdirs reside. More specifically "-D/var/log/journal/" if you
only want to see the logs from that one machine. Or "-D/var/log/journal" if
you want to see the logs from all per-machine dirs in there. The files
will be interleaved as appropriate in that case. The machine ID is the
contents of /etc/machine-id.

Lennart

-- 
Lennart Poettering - Red Hat, Inc.

Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-09 Thread drago01
On Tue, Oct 9, 2012 at 7:30 PM, Richard W.M. Jones  wrote:
> On Tue, Oct 09, 2012 at 04:16:16PM +0200, Lennart Poettering wrote:
>> On Tue, 09.10.12 09:09, Chris Adams (cmad...@hiwaay.net) wrote:
>>
>> > Once upon a time, Lennart Poettering  said:
>> > > If people want some pixel-perfect copy of the traditional
>> > > /var/log/messages, then they should just run "journalctl" without any
>> > > args. It's much better than /var/log/messages:
>> >
>> > How do you read this log when the system is not running (e.g. mounting
>> > filesystems of a drive on another system, running from a rescue image,
>> > etc.)?
>>
>> journalctl -D 
>
> What is  in an actual system?

From the man page:

By default the journal stores log data in /run/log/journal/. Since
/run/ is volatile log data is lost at reboot. To make the data
persistent it is sufficient to create /var/log/journal/ where
systemd-journald will then store the data.

Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-09 Thread Lennart Poettering
On Tue, 09.10.12 15:45, Tom Hughes (t...@compton.nu) wrote:

> On 09/10/12 15:35, Bryn M. Reeves wrote:
> >On 10/09/2012 03:19 PM, Tom Hughes wrote:
> >
> >>More importantly though, what is the equivalent of "fgrep xxx
> >>/var/log/messages" which is certainly pretty much the most common thing
> >>I do on my logs... I can't see any sort of searching in journalctl?
> >
> >journalctl | fgrep?
> >
> >This one is pretty fine by me tbh.
> 
> Sure, though having just tried that it took 33s to search about a
> month's worth of logs instead of the 0.05s that grepping the last
> month's messages took ;-)

Is this F18? We made some improvements there. 33s is way too long
indeed.

Note that journalctl used like this will probably always be a bit slower
than the pre-serialized form read directly from the fs (which
/var/log/messages is), since we crawl through a ton more metadata, and
do a number of conversions during presentation. But not by this margin.

Please file a bug (but only if this is against current F18). Make sure to
base this on the same dataset though. Also, please mention whether this
is on SSD or on rotating media.

There are a number of low-hanging fruits how we can easily optimize this
still, especially for rotating media.

Also note that if you use the built-in filtering of journalctl things
should already look a lot better. ("journalctl
_SYSTEMD_UNIT=avahi-daemon.service" instead of "journalctl | grep
avahi-daemon" for example.)

Lennart

-- 
Lennart Poettering - Red Hat, Inc.
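
Added example, not part of the original messages: why matching on a journald-attached field such as _SYSTEMD_UNIT differs from grepping message text, which also relates to the point made elsewhere in the thread about fake messages spilling into supposedly secure logs. The entries are constructed samples shaped like `journalctl -o json` output; the fields MESSAGE, SYSLOG_IDENTIFIER and _UID and the EXPECTED_UNIT mapping are not taken from the thread.

```python
import json

# Constructed entries. MESSAGE and SYSLOG_IDENTIFIER come from the logging
# process; fields whose names start with "_" are added by journald itself
# and cannot be set by the client.
SAMPLE = """\
{"MESSAGE": "Accepted publickey for alice from 192.0.2.10", "SYSLOG_IDENTIFIER": "sshd", "_UID": "0", "_SYSTEMD_UNIT": "sshd.service"}
{"MESSAGE": "Accepted password for root from 192.0.2.66", "SYSLOG_IDENTIFIER": "sshd", "_UID": "1001", "_SYSTEMD_UNIT": "session-4.scope"}
{"MESSAGE": "Registering new address record", "SYSLOG_IDENTIFIER": "avahi-daemon", "_UID": "70", "_SYSTEMD_UNIT": "avahi-daemon.service"}
{"MESSAGE": "backup finished, sshd untouched", "SYSLOG_IDENTIFIER": "backup", "_UID": "1001", "_SYSTEMD_UNIT": "session-4.scope"}
"""

# Assumed mapping from a claimed identifier to the unit expected to emit it.
EXPECTED_UNIT = {"sshd": "sshd.service",
                 "avahi-daemon": "avahi-daemon.service"}


def parse(text):
    """One JSON object per line, all values are strings."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def grep_like(entries, needle):
    """What `journalctl | grep needle` sees: only client-controlled text."""
    return [e for e in entries
            if needle in "%s: %s" % (e.get("SYSLOG_IDENTIFIER", ""),
                                     e.get("MESSAGE", ""))]


def field_match(entries, **wanted):
    """Equivalent of `journalctl FIELD=value ...`: all fields must match."""
    return [e for e in entries
            if all(e.get(key) == value for key, value in wanted.items())]


def identity_mismatches(entries, expected=EXPECTED_UNIT):
    """Entries whose claimed identifier disagrees with the trusted unit."""
    return [e for e in entries
            if e.get("SYSLOG_IDENTIFIER") in expected
            and e.get("_SYSTEMD_UNIT") != expected[e["SYSLOG_IDENTIFIER"]]]
```

On the sample, the text search for "sshd" returns three entries, including one written from a user session, while the field match on `_SYSTEMD_UNIT="sshd.service"` returns only the entry the service itself logged.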