> The old style syslog does have lots of problems but most of the
> replacements are worse. You can read syslog output without special tools
> and it is reasonably easier for programs to parse (modulo the
> parsability of the logged messages).
It is true that a special tool is needed to parse journal files, but
(a) it's always possible to pipe the output and then perform further analysis. Actually, this isn't that much different from current .gz/.xz
compressed text files.
(b) there's a nice C interface which is easy to use, so tools for parsing
log messages can certainly be taught to read journal files themselves
without too much work.
(c) the format is documented [1], so it's possible to create other
parsers
> I would also note that a lot of things found on large networks, for
> example lights out management and SAN boxes support syslog but none of
> the other solutions. This makes syslog support an important feature.
As other posters have said, it's always possible to keep a syslog daemon around. OTOH, generating syslog messages from journal messages is trivial, and a tool which forwards journal to a remote syslog daemon will certainly be available soon.
> It is also reasonably easy to set up a drop safe non-networked logging host
> for cracker proof logs. If the journal, or anything else, loses this or
> the ability to process the logs without special tools then it is a step
> backwards.
Do you mean that it's necessary to install a binary to read journal
files on the host? Doesn't seem to be a problem to me. Or do you mean
that the messages cannot be forwarded to the host (as native journal messages)? This part is in the works, like the article mentions.
Journal actually has the advantage here, that messages from different sources are automatically interleaved in the output, based on their
timestamps, so making sense of messages from multiple hosts is much easier.
> Knowing that your logs have been edited is not enough: as a system admin
> I want to know what was edited out and a drop safe logging host provides
> me with that. Anything that does not support such a box is inferior.
All the parts necessary for that are either already there, or almost. And certainly the quality of log messages matters too, but journal messages
are actually more trustworthy, since the originator is properly identified.
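
An added illustration, not part of the comment above and not systemd's own code: a sketch of the journal-to-syslog conversion the reply calls trivial, turning entries in the shape of `journalctl -o json` output into RFC 5424 lines for a remote log host. The function names and sample entries are constructed for this example; it prefers the journald-supplied `_PID` over the client-supplied `SYSLOG_PID`, which is the "originator is properly identified" point.

```python
import json
from datetime import datetime, timezone

# Constructed sample entries in the shape of `journalctl -o json` output
# (one JSON object per line; field values are strings).
SAMPLE = "\n".join([
    json.dumps({"__REALTIME_TIMESTAMP": "1322000000123456", "_HOSTNAME": "web1",
                "SYSLOG_FACILITY": "4", "PRIORITY": "5", "SYSLOG_IDENTIFIER": "sshd",
                "_PID": "812", "SYSLOG_PID": "1", "MESSAGE": "Accepted publickey for alice"}),
    json.dumps({"__REALTIME_TIMESTAMP": "1322000001000000", "_HOSTNAME": "web1",
                "_COMM": "cron", "MESSAGE": "line one\nline two"}),
])

def nil(value):
    """RFC 5424 header fields are printable ASCII without spaces; '-' means absent."""
    cleaned = "".join(c for c in str(value or "") if 33 <= ord(c) <= 126)
    return cleaned or "-"

def to_rfc5424(entry):
    # PRI = facility * 8 + severity; fall back to user.info when fields are absent.
    pri = int(entry.get("SYSLOG_FACILITY", 1)) * 8 + int(entry.get("PRIORITY", 6))
    usec = int(entry["__REALTIME_TIMESTAMP"])  # microseconds since the epoch
    ts = datetime.fromtimestamp(usec // 1_000_000, tz=timezone.utc)
    stamp = ts.replace(microsecond=usec % 1_000_000).strftime("%Y-%m-%dT%H:%M:%S.%fZ")
    app = entry.get("SYSLOG_IDENTIFIER") or entry.get("_COMM")
    # Fields starting with "_" are added by journald itself, so the trusted
    # _PID wins over whatever PID the client put in SYSLOG_PID.
    pid = entry.get("_PID") or entry.get("SYSLOG_PID")
    msg = entry.get("MESSAGE") or ""
    if isinstance(msg, list):  # non-UTF-8 payloads are exported as byte arrays
        msg = bytes(msg).decode("utf-8", "replace")
    # This example's choice: escape newlines so one entry stays one syslog line.
    msg = msg.replace("\n", "\\n")
    return f"<{pri}>1 {stamp} {nil(entry.get('_HOSTNAME'))} {nil(app)} {nil(pid)} - - {msg}"

def convert(text):
    """Convert newline-delimited journal JSON into a list of syslog lines."""
    return [to_rfc5424(json.loads(line)) for line in text.splitlines() if line.strip()]

if __name__ == "__main__":
    for line in convert(SAMPLE):
        print(line)
```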