> The old style syslog does have lots of problems but most of the
> replacements are worse. You can read syslog output without special tools
> and it is reasonably easier for programs to parse (modulo the
> parsability of the logged messages).
It is true, that a special tool is needed to parse journal files, but
(a) it's always possible to pipe the output and then perform further analysis. Actually, this isn't that much different from current .gz/.xz
compressed text files.
(a) there's a nice C interface which is easy to use, so tools for parsing
log messages can certainly be taught to read journal files themselves
without too much work.
(b) the format is documented , so it's possible to create other
> I would also note than a lot of things found to large network, for
> example lights out management and SAN boxes support syslog but none of
> the other solutions. This makes syslog support an important feature.
As other posters have said, it's always possible to keep a syslog daemon around. OTOH, generating syslog messages from journal messages is trivial, and a tool which forwards journal to a remote syslog daemon will certainly be available soon.
> It also reasonably easy to set up a drop safe non-networked logging host > for cracker proof logs. If the journal, or anything else, loses this or > the ability to process the logs without special tools then it is a step > backwards.
Do you mean that it's necessary to install a binary to read journal
files on the host? Doesn't seem to be a problem to me. Or do you mean,
that the messages cannot be forwared to the host (as native journal messages)? This part is in the works, like the article mentions.
Journal actually has the advantage here, that messages from different sources are automatically interleaved in the output, based on their
timestamps, so making sense of messages from multiple hosts is much easier.
> Knowing that your logs have been edited is not enough: as a system admin
> I want to know what was edited out and a drop safe logging host provides
> me with that. Anything that does not support such a box is inferior.
All the parts necessary for that are either already there, or almost. And certainly the quality of log messages matters too, but journal messages
are actually more trustworthy, since the originator is properly identified.