That newfangled Journal thing

But forgetting of what was good in old traditions is bad.

It would be nice if people who propose to do things differently, will first write explicit lists of what was good in old way of doing things, and explain how these items will be done in the new way.

The lesser (and perhaps unreasonable) problem I have with the journal scheme is that I'm not convinced the security is going to work in most cases. Most people are going to keep the signing keys in a stupid, obvious place (like /root, or ~), so script-kiddying a complete regeneration of the log hashes isn't going to be hard. The people who take proper precautions will be fine, but that's true now; if you run syslog out a network port or a serial line (or to a line printer...) it's nearly impossible to tamper with it after the fact.

On the other hand, extra security is extra security. Maybe sometimes it will make things just that little bit harder.

The major problem I have is with the undocumented binary format. I have no problem with "binary format", it's "undocumented" that isn't doing it for me. There should be a well documented "dump log to raw text" tool, and a reasonable commitment to format stability. I should be able to read the dump utility source, break out the programming language of my choice, and write my own log data mining tools without having to go through the magic log translator.

There is nothing useful to be gained by obscuring the format; it's the worst form of improper incentives. Attackers have lots of incentive to figure the format out in detail, and can take the time to do so. Defenders just want the damned thing to work, and don't want to have to waste time on understanding the fiddly details until they've been compromised and suddenly have no choice.

Furthermore, unless it's a very simple format with no internal referencing, there's always the chance that an attacker can find some way to make the log file skip parts of itself or lie. Or, for that matter, buffer overflow the log reading tool and do yet more damage. If you could get a buffer overflow into the log data that invoked a "they're on to us, clean everything up" script...

Fundamentally, though, this misses the worst part of the design. Here's the deal breaker: We now have a single point of failure; if the attacker can compromise the log reader program, they have you. Everything goes through the log reader program. The attacker doesn't even have to tamper with the logs any more, they just have to replace the log reader program with something that lies.

With text-based logging, the attacker would have to replace nearly every binary in the system to prevent you from reading the real log (though they could probably guess and just hit less, vi and tail...), so it's easier to rewrite the log. With binary logging, your selection of available tools for reading the log becomes much smaller, and the log reading tools become a potential target rather than the log itself. When there's only one tool (or a small suite of standard tools), the tools themselves become an extremely attractive target.

If I were attacking a system with this kind of logging, what I would be trying to do is (1) replace the log reader with something that lies, and (2) try to get an overflow attack into the actual log data so that if someone tries uncorrupted tools I can corrupt them from within.

If the format were documented and I could write my own tools, the attacker can no longer assume that they can compromise anything that could hit the log, and are back to having to tamper directly with the log.

So, to me, hash-chain log messages? Sure, sounds good, should be worth 10% more security. Data mining messages? Also good. Binary format? No problem, as long as it's simple, stable, well documented, heavily audited for potential malicious data attacks, and has a tool that will dump it. Undocumented log format? Biiiiig red flag.

That undocumented format takes this from a fairly good idea to a very bad one.

Now, if I implement Journal, I can either create small logs in the /var and rsync frequently (bad if the machine dies, I don't have the latest logs) or continue using this and gather logs in Journal on the central server. But then I won't have correct metadata, so why even bother?

So... logging to a network file system? Seriously?

Yes there is room to improve log handling, but there is no need to throw away everything that is good about the existing systems and force everything to re-write it's logging in the process.

If you look at rsyslog and syslog-ng you will see that there has been a lot of improvement in 'traditional' logging over the last several years. Most of this improvement is invisible to desktop users because they just don't care about it, but it is very visible to people who run server farms and actually use their logs on a regular basis

There have been many people who have advocated forcing all applications (and the kernel) to change their logs to make them easier to identify and parse. There are even standards on how to do this (the latest syslog RFC defines key-value pair formatting of log messages and CEE defines standards for what to put in the log messages), but application and kernel programmers do not choose to make the effort to standardize their output. I don't see any way that yet another logging mechanism would make it any more likely that the messages would be well standardized.

One thing that systemd is in a unique position to do, is to define a custom /dev/log for each service that it starts, so that it could insert a tag into each message generated by the program claiming that systemd has validated what service it came from, this could be done without any need to introduce any new logging mechanism, just create a simple pass-though that tweaks the message before handing it off the the existing syslog daemon.

If the messages are well formatted, it is very easy for modern syslog tools to do very powerful things with them. logwatch and simple event correlator (SEC) have very complex rules most of the time because they are dealing with poorly formatted log messages, but if you can feed them well formatted log messages they can have rather simple configurations.

Have fun,

Paul

On the one hand we have the UNIX people. I'd like to speak up for them here in the face of this "We must change or die" mantra developing.

We appear to be fairly conservative in thinking that after four decades we have found a lot of ideas that have stood the test of time and thus any proposed changes should be viewed with a skeptical eye. This is not a bad thing. What works should not be tossed aside lightly for new and shiny. And when the the proposals aren't just an incremental improvement but a total upending of not only current practice but of what we have accepted as core Truths we are especially skeptical. When they are put forth by a group of people who are on record as thinking that pretty much every one of the core UNIX ideas are rubbish... well our flamethrowers self ignite. And they should unless we have lost the belief our culture should survive. Because it should be clear that if we we lack the confidence to defend our traditions we won't keep them in the face of a determined assault.

We have seen what happens when the whole operating system merges into a couple of hopelessly tangled binary chunks that talk among themselves in obscure ways. Just how much of the OS is currently either in or being sucked into the black hole of systemd? Does ANYONE actually understand all of udev/dbus/*kit? Now anyone who didn't have to refer to the source code to figure parts of it out?

We believe in small individually replacable parts that do one task well, that are configured and communicate in human readable formats.

We believe we have seen the future Pottering & Co. are trying to drag us kicking and screaming to.. It is called Windows. Windows 7 doesn't even crash all the time any more, perhaps he and his followers should migrate back. If they believe in the virtues of Free Software, ReactOS could put their undisputed skills to use.

Personally I believe we should be open to change, just not to bad ideas we have already seen fail everywhere else they have been tried. But Plan9 should be our lodestar, not Windows, not OS X, not iOS, not Android. Plan9 might be carrying a few things beyond where current science (hardware and software) are practical, but when looking for ideas it is the inheritor of the UNIX tradition. OpenStep is probably still ripe territory to mine as well.

This Journal does not solve any actual problems, makes some things more difficult and moves us down the road to a towering mass of fail long term. None of the proposed benefits require a rip and replace, none require a binary log. They are offered as justifications for a preexisting goal, that of slowly centralizing all of the 'OS' part of userspace into systemd.

Plus other Lennart inventions have resulted in lots of headaches for me so I mistrust him completely.

* no way to generate pure text files
* no network service
* undocumented binary files
* no way to interface, but api calls
* not UNIX style

One obvious separation into a frontend, for receiving, annotating and generating log records, integrated into systemd, and a configurable back end would make good on the biggest concerns mentioned over and over.

The proposed storage design could still be the default backend and might still be integrated in systemd. But by additionally providing a pipe with a general text based standard record format to other external backends, the whole idea would become much more traditional UNIX style and less irritating, because it wouldn't force unnecessary policy on users.

One can envision: live monitoring, network transport, database, null, filter, live monitoring, alarm trigger, statistic and many other backends.

I can not belief that this would be much of a burden for the developers.

The second, often mentioned concern is missing speaking message ids. I can clearly see the benefits of UUIDs as well as those of speaking ids like reverse domain ids. But I think this could be solved, by allowing speaking ids in addition to required UUIDs as labels.

The third concern, security design, probably can be improved by some additional administrative measures, but the basic idea seem sane and is much better than no security at all. Security is a very tricky area and needs experts to comment, which I am not.

Despite those solvable problems, the journal proposal looks very very promising and has many valuable advantages which shouldn't be overlooked and the the argument we managed without is plain ..
..emmm... unconvincing.

Thus far systemd has mostly worked for me and as a concept it makes sense. Maybe I'm being naive here, but that's my limited experience with it.

PS. What I don't want is a Linux system where components are not interchangeable. I think this is precisely why Linux desktop environments are doing it wrong (in some areas). Too much integration, not enough communication. Sure, integration without communication is great until the time you want that one thing ripped out and replaced with something else. Then it totally sucks.

As another poster mentioned, to date, this individual hasn't made one bit of code that makes for a significant improvement in system operation and HAS created significant amounts of chaos.

As to ' ...haphazard and lame and sad doesn't just apply to kernel messaging; it describes the approach taken by Linux in general', I most respectfully suggest you have a look at error messages in:

Windows (any version)
Mac OS X (can someone please find me documentation for the security controller on OS X Server)
or another bit of code written by more than one person intended to be used by another.

I suspect that until God and/or the gods themselves come down from on high and decree under pain of death that some string format be used, there's going to be a certain amount of "differing" ideas about what is correct. (no, I'm not threatening anyone)

The absolute arrogance of these two (this time) is, in my opinion, rivaled only by Hans Reiser.

systemd, being a whole other topic, I'm still trying to fix. It's usefulness has been overshadowed but a certain binary, all or nothing installation style in my favorite distro. That style has certainly broken quite a bit and forced me to engage in a rather time consuming re-installation. Is that a fault of systemd? No, not really, but it does leave a very bad taste in my mouth and enhances my dislike for code proposed and written by Mr Poettering (and company).

Oftimes we hear of OSS developers wha say that they work on what they like it we should to it ourselves, to paraphrase. The fact of the matter is Lennart is paid to do this work and go to things like the kernel summit and his employers seem to like what he does else they would not... Subsidize is wrong, but employ would seem to imply direction by the entity who pays him, but I digress. The fact remains this is NOT hobby work that Lennart is doing and we, as a community need to recognize the chaos his work/idea/thinking is causing, has caused in the past and is proposing now when we say it deserves serious consideration.

All of the forgoing said, I recognize from long experience that I can't sell ice cubes in the desert and I firmly suspect that all I have written here WILL fall on deaf ears. But I did say it and I STILL prefer my much shorter, MUCH more sarcastic comment from before for which I will NOT apologize.

I'm done now

Then I looked at the proposed design, and thought things looked shaky.

Then I read the faq and was seriously insulted.

A logging facility with no network support?
A logging facility without a stable ABI on disk and no plans to create one?

An attitude that says the classic syslog interface is depercated and the native journal interface is preferred.

Not considering the model that has worked very well for translation of linux userspace messages into other languages and insisting we all use unreadable UUID?

This seems to be a design that has lofty goals but horrible human factors. And the authors seem to be deliberately ignoring design choices that are no more difficult for them are much easier for other developers.

An attitude that says every log message in every server must change, to something bizarre because the developer refuses to look at other successful user space models of doing things?

The desisgn is junk and should never be consider seriously. Unfortunately there seems to be enough propellant behind it that the pig might fly.

But in my opinion no one should seriosly consider journald for real world use. The design is irreponsible crap.

There's been so many attempts to build systems with structured logging (sometimes called 'messaging' or 'events') and always the system proves unable to anticipate the needs of real applications, and builds an inflexible overcomplicated system that no one wants.

That's why we still have text-stream-logging to this day.

Text stream logging offers some other benefits, such as simplicity, and possibility to track the stream without tight coupling.

Moreover most applications want to log to the filesystem, not to a special service. This means that most logging will be in the style of the text stream. Therefore most tools around logging will work with that, and this special journald binary format will just be in the way.

It's the wrong answer to a set of problems that don't really exist.

Lennartlog?

Luckily we can apply the same design principles here:

1. In the new system, comments will have to be structured. For now, the categories will be GNOME3 flames, RPM vs. DEB flames, strident messages about how X violates the spirit of UNIX, and "other." More categories will be added later as needed.

2. The comments will be stored in an undocumented binary format. In the short term, this will prevent anyone from reading them. However, the security will be much higher!

3. You'll have to run systemd to make a comment. Luckily, access will be provided through a shared library and a D-BUS interface.

(Lennart, if you're reading this, don't take it too serious)

People get scared because they use cat/grep, but most setups include the *ugly* logrotate, so you *zcat anyway.
In the end, for people who like text, a "journalc log --pretty=xxx" will probably be available...

What bothers me is:
- If journald wants to become a defacto standard, then the file format should be discussed, others may have some insight on this. Other logging/tracing/generic file formats exist, and people would appreciate if they could be referenced so that we know they have been reviewed (and the wheel is not reinvented) when designing a new file format.
Where's the mailing list, and the wiki for the design info ?
Right now it seems pretty obscure.
The file format should consider other software implementations
Nobody wants it to change in 1 year, but it should be future-proof.
- Despite what the release document says, journald could be separated from systemd, as a separate library
- Finally, and this has nothing to do with journald, software that don't provide syslog logging and write their own logs without any good reason !

... please contact your local Apple HR recruiter and apply for a position in the Core OS team.

You're very clearly intent on copying Apple UNIX innovations into Linux. After a few weeks in Core OS, you might rethink the appropriateness of your Linux projects. Or perhaps not, but you'll be too busy to screw around with interfaces that worked just fine before you arrived on the scene.

Seriously, join Apple. You'll be able to pervert UNIX best practices to your heart's content, all in the name of "progress". You'll be safe and happy in that little bubble of groupthink.

http://blog.gerhards.net/2011/11/journald-log-hash-chaini...

Rainer is asking for information on how to interoperate with the journal and the answers (or lack of them) is interesting, especially the way that the journal refuses to provide information that it has to syslog (and in the process, prevents syslog from gathering the information on it's own)

they say that there would be no reason to create the new mechanism if syslog supports structured data, but they seem to then ignore information saying how to do so through established standards.

http://lists.freedesktop.org/archives/systemd-devel/2011-...

http://logtools.org/2011/12/12/logtools-0-1-0-released/

At least at this point.

UUID=1234-dsa-fweqwe-rwqwer MSG="DEBUG: module xxx loaded" USELESSVAR="I need this for my init hack" BLOBSIZE=12345678 \n

bzcat $FILE | while read LINE ...
case "$LINE" in
*MSG=*)eval $LINE;;
#do more stuff here
*)#treat as binary data or non conformant message
esac
done |bzip -9c >$FILE~ && mv -f $FILE~ $FILE

replace bzip with your favorite compression (bz seems to work better than xz on these type of files though)

you can read the data stream from after the \n for BLOBSIZE bytes
tricky, but doable ... it really should be in a separate file so that the logfile is viewable in a standard text editor

The binary file log could work like this (but I think it is stupid unless you want to tack it on to an avi file as a type of poor man's steganography - use a directory with a unique file name that is identified in the message for crying out loud)
echo '
UUID=1234-dsa-fweqwe-rwqwer MSG="DEBUG: module xxx loaded" USELESSVAR="I need this for my init hack" BLOBSIZE='`stat -c %s myblob` >> /tmp/bloblog
cat myblob >>/tmp/bloblog
(or a similar C equivalent)

then to access the blobs you can use sed (for removing text lines with the messag) + head/tail (using -c $BLOBSIZE to get the blob) ... not the fastest way in the world
... but why not just use a damn directory and a unique file name .../sys/blobs/myblob (it even has a time stamp that could be cross referenced - imagine that)