current debian no longer writes to syslog 😦
if you look in /var/log, someone left a README file.
the README says "you are looking for logs? but you cannot find them?" and continues in broken english, smugly telling you that systemd has made logs obsolete, and you should use "journal cattle" to ask politely for your own logs.
[did you just tell me to fuck off, jim?]
if you run journal cattle, it shows a page of syslog from april. if you hit G to go to the end, it hangs forever.
[slow clap]
With big (4GB, few months of logs) on-disk journal, systemctl status service becomes very slow (!) [13:37:30]:/var/log/journal☠ time systemctl status nginx * nginx.service - A high performance web ...
@hal_pomeranz @robey No, I'm not sure that it is. At least not from the context of a single machine administrator.
The accessibility of my logs has been changed; I can get the logs in traditional time order, oldest at the top, as long as I wait an unpredictable amount of time for 'journalctl' to do its job. Over 2 minutes for this little single-user machine that was only installed a couple of months ago. Nice. I don't know how to ask "how big is the log" before querying it, where I'm used to using 'ls -l' to look at text files.
Or I can get the latest logs instantly with 'journalctl -r', didn't know about that one because I don't need to fix a problem more than I need to complain about my aching knees. But when I get my results, they're in the opposite sequence order to the logs I'm used to seeing, which causes delays in understanding the content.
(I'm not saying that I'm not used to seeing events in that order, just that I don't see that in the context of text streams that look the same as file contents, for good reason)
If you have a bunch of related machines to look after, the absolute last thing you should be doing for logging is looking on the individual machines, you should be streaming log events out over the network to a trusted location. Throw them into an Elastic, or a Greylog, or something like that; and now log events become "a database of events" rather than "a sequence of events". Put your efforts into centralised logging, rather than messing around on the machine itself (unless of course, you're investigating why logging isn't going to your central point, in which case ...)
@robey @hal_pomeranz @phessler I unfortunately had reason to dig into this situation recently. journalctl actually invokes less(1), but with a set of non-default flags, and also in a way that honors a config variable other than the ones less(1) usually consults.
https://mastodon.social/@gnomon/112565743587893108
It's a ludicrous situation but you _can_ convince journalctl to give you a vanilla less(1) experience, if you fight hard enough and keep reading the changelogs to stay ahead of future breakage.
👎
@robey @hal_pomeranz @phessler I'm just glad that relying on the journal is the default but not the only option. Syslog, logrotate, and all the usual log indexing tools remain one apt-get away, and my systems still work exactly the way I want them to.
But that systemd attitude, man... I just have zero patience for it.
Robey ☠️
Hal Pomeranz
CMDR Yojimbosan 🅅⁂
Ben Zanin