That newfangled Journal thing
That newfangled Journal thing
Posted Nov 20, 2011 19:55 UTC (Sun) by mordae (guest, #54701)Parent article: That newfangled Journal thing
Now, if I implement Journal, I can either create small logs in the /var and rsync frequently (bad if the machine dies, I don't have the latest logs) or continue using this and gather logs in Journal on the central server. But then I won't have correct metadata, so why even bother?
So... logging to a network file system? Seriously?
Posted Nov 20, 2011 20:23 UTC (Sun)
by intgr (subscriber, #39733)
[Link] (13 responses)
FTFA: "In the initial version journalds network support will be very simple" "In a later version we plan to extend the journal minimally to support live remote logging, in both PUSH and PULL modes always using a local journal as buffer for a store-and-forward logic" The sky isn't falling. In fact, such a store-and-forward model sounds like a much more robust method than syslog over TCP or UDP.
Posted Nov 20, 2011 21:13 UTC (Sun)
by dlang (guest, #313)
[Link] (11 responses)
Lennart could get almost everything he is lookin for out of rsyslog today.
The hashes would be trivial to add (and for that matter, you could use a database store and have it do the normalization and hashing as part of the insert today)
The ability to easily combine or split files of logs is a very important feature, changing to a binary format that compresses early, but prevents the functionality of simple tools like split and cat is a huge step backwards.
The only think that this proposal actually gains is knowing what pid generated the message, and that only works on a local machine (as soon as you send the log remotely, the remote machine can no longer trust the pid)
Posted Nov 20, 2011 21:23 UTC (Sun)
by khim (subscriber, #9252)
[Link] (3 responses)
Again: there are no difference between local and remote case. You can trust pid till the "intrusion moment" even if you log remotely and after that moment even local log is suspect. I still fail to see where you get this weird ideas about local/remote dichotomy.
Posted Nov 20, 2011 21:35 UTC (Sun)
by dlang (guest, #313)
[Link] (2 responses)
As soon as you go through a second daemon on a local system, you have to trust that that daemon hasn't been broken.
As soon as you read a message from disk you have to trust that the file hasn't been tampered with (and if you hash the file or the messages to try and prevent this, you now have to trust that your store of valid hashes hasn't been tampered with)
Posted Nov 20, 2011 22:14 UTC (Sun)
by khim (subscriber, #9252)
[Link] (1 responses)
Rilly? Perhaps my English is failing me, but I thought and that only works on a local machine was quite unambigous... That's fair. But as I've noted there a little difference between local and remote case: if you know daemon and kernel are Ok you can trust the logs, if you don't know if they are Ok then you don't. Since the usual way to see if something is broken is to analyze logs, again, and they are available on both local and remote system... no, I don't get your point. What makes logging over network so special and why can you trust info about pid in local case but not in remote case?
Posted Nov 20, 2011 22:47 UTC (Sun)
by dlang (guest, #313)
[Link]
once you go to another machine, you no longer 'know' anything about what is really generating the message (unless you have crytographic authentication to the sending program, and event that only proves that the sender has access to the key)
Posted Nov 30, 2011 7:34 UTC (Wed)
by alison (subscriber, #63752)
[Link] (6 responses)
Why not in fact use git (or similar) to frequently snapshot a flat ASCII log file, storing the deltas in a repo over which hashes are generated in the usual manner? The UUIDs need not be present in the ASCII log but can be git tags that are stored as part of the commit data. Then git can be used in its usual fashion to propagate the log to networked machines if desired. Furthermore, the generation of hashes and remote propagation provide the usual level of verifiability we associate with git.
In other words, why not keep the flat file, but generate a verifiable log in a standard machine-readable format from it on the fly? Is this not how we are already using DVCS to generate trees from programmer-generated source code? Why wouldn't git work just as well with programmer-formatted log messages?
Posted Nov 30, 2011 8:49 UTC (Wed)
by dlang (guest, #313)
[Link] (5 responses)
tripwire, ossec, and other similar tools already can track a log file and detect the difference between the file being extended and the file being modified.
Also, if you have another machine you can send data to, just send the logs using the standard syslog mechanisms. unless you are generating gigantic amounts (hundreds of thousands of logs per second) of logs or would be logging over a wan, the bandwidth needed for the logs is just not going to be significant
Posted Nov 30, 2011 22:20 UTC (Wed)
by elanthis (guest, #6227)
[Link] (4 responses)
Argument: journald is more complex than syslogd, and complexity is evil!
Proposal: use the simpler syslogd and then add complex and error-prone log parsing toolkits to get 70% of the features of journald at 200% the complexity cost.
Rationale: Pulseaudio was buggy a couple years ago.
Posted Nov 30, 2011 23:26 UTC (Wed)
by dlang (guest, #313)
[Link] (3 responses)
he's 'solving' a problem that isn't really there, and he doesn't actually solve the stated problem.
Also, please point out anywhere that I have said anything about pulseaudio.
Posted Nov 30, 2011 23:34 UTC (Wed)
by anselm (subscriber, #2796)
[Link] (2 responses)
Read the <expletive> proposal. Journald isn't just about the hashes.
Posted Nov 30, 2011 23:44 UTC (Wed)
by dlang (guest, #313)
[Link] (1 responses)
if you want to ignore the hashes part of things, we can talk about the structured log part of things. logs are only as structured as the programmer creating them makes them, if you have a super-detailed log structure available and the programmer creates a field "details" type "string" and puts everything into that field it is going to be just as unstructured as syslog traditionally has been.
He ignores or is ignorant of recent standards in syslog (some of which go back quite a few years)
he has a few new ideas buried in the proposal, but they are so overshadowed by misstatements and 'solutions' to problems that already have documented, standardized solutions (that are not compatible with the proposed solution other than running logging services in parallel) that it undermines the entire proposal
Posted Dec 1, 2011 17:03 UTC (Thu)
by kh (guest, #19413)
[Link]
Posted Nov 21, 2011 8:00 UTC (Mon)
by mordae (guest, #54701)
[Link]
Ad security: The security is not the only reason for logging! It's also about overall serviceability of the infrastructure. And in that case... who cares about trusting remote hosts. If libvirt crashes, I need to know why and in that moment I really don't speculate about incursion.
That newfangled Journal thing
That newfangled Journal thing
Yet again: there are no difference...
As soon as you send the log remotely, the remote machine can no longer trust the pid
Yet again: there are no difference...
I don't know what you wanted to say, but I DO know what you said...
I am not saying that you can trust it locally,
I am just pointing out that the remote machine has no way of knowing if what is sent to it is valid or not.
I don't know what you wanted to say, but I DO know what you said...
That newfangled Journal thing
The hashes would be trivial to add (and for that matter, you could use a database store and have it do the normalization and hashing as part of the insert today)
That newfangled Journal thing
That newfangled Journal thing
That newfangled Journal thing
That newfangled Journal thing
That newfangled Journal thing
That newfangled Journal thing
That newfangled Journal thing