Package: logcheck
Version: 1.3.24
Tags: patch
X-Debbugs-Cc: richard.le...@googlemail.com
logcheck should check the systemd journal by default.
Support is available, but not currently enabled by default.
To enable support you should (as root):
a) touch /var/lib/logcheck/offset.journal
b) chown logcheck /var/lib/logcheck/offset.journal
c) echo journal > /etc/logcheck/logcheck.logfiles.d/journal.logfiles
d) run logcheck as normal
(a) and (b) are needed to work round a bug in logcheck: the first time
logcheck checks the journal it attempts to check every single line ever
written to the journal, which is likely to result in logcheck being
killed by the OOM-killer. Creating the files in /var/lib means only new
lines are checked. The attached patch fixes this by making logcheck only
check the most recent 5 hours if the offset file is not present.
In addition to this patch, logcheck should
- move 'rsyslog | system-log-daemon' from 'depends' to 'suggests'
- ship a file /etc/logcheck/logcheck.logfiles.d/journal.logfiles
  containing the word 'journal'
- there is no need to remove the existing /etc/logcheck/logcheck.logfiles
  but the comments could be updated - the 'default' is no longer to use
  the syslog at all
- add an entry in NEWS.Debian
(if no-one else does, I'll send as a MR once the other MRs are merged/closed)
What about non-systemd systems?
-------------------------------
This setting should not affect non-systemd systems (untested).
Inside logcheck, logoutput() already knows to do nothing if journalctl is not in
the $PATH but I don't know what happens if a system has journalctl installed but
the journal is not running: journalctl may still work or the user may get an error
on every invocation of logcheck.
We could easily patch logcheck to deal with this if it is an issue (I don't know
how to check whether the journal is not being used, but there are other options
including not reporting errors or not attempting to check the journal if systemd
is not running).
Of course, such systems are increasingly non-standard and a user who has opted out
of systemd or its journal will presumably be easily capable of editing
/etc/logcheck/logcheck.logfiles.d/journal.logfiles to turn off journal checking if
they want.
Why systemd should be considered the default
--------------------------------------------
For bookworm, my understanding is:
- the default is for logging to primarily happen via the systemd journal
  writing log entries into /var/log/journal
- the journal will duplicate these messages into /var/log/syslog only
  if a) system-log-daemon (provided by rsyslog and other packages) is installed
  and b) the user does not disable this feature by setting ForwardToSyslog=no
  in /etc/systemd/journald.conf
  - (I _think_ I saw the systemd maintainers suggest on debian-devel that either they
    or upstream will turn off the forwarding at some point, but this has not yet been done.)
- rsyslog is demoted to priority:optional (stated by the maintainer here
  https://bugs.debian.org/cgi-bin/bugreport.cgi?att=0;bug=1023596;msg=15)
  - I was not able to find this in rsyslog's changelog, but it seems to be the
    case in unstable today (7 Dec 2022)
- no other package providing system-log-daemon has been increased to priority
  higher than optional (checked in unstable using aptitude)
Therefore, new bookworm installations will only have logging via the journal
unless the user requested a syslog - (tens of packages depend on rsyslog).
-- System Information:
Debian Release: 11.5
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 5.10.0-15-amd64 (SMP w/1 CPU thread)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages logcheck depends on:
ii adduser 3.118
ii exim4-daemon-light [mail-transport-agent] 4.94.2-7
ii lockfile-progs 0.1.18
ii logtail 1.3.24+local6
ii mime-construct 1.11+nmu3
Versions of packages logcheck recommends:
ii logcheck-database 1.3.24+local6
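
The following shell example is added here; it is not part of the report and not logcheck's code. It shows the two decisions the report discusses: skipping the journal when journalctl is missing or systemd is not the running init, and limiting a first run to the last 5 hours when no saved position exists. The function names, the use of /run/systemd/system as the systemd marker, and the idea that the offset file holds a journalctl cursor are assumptions.

```shell
#!/bin/sh
# Added illustration, not logcheck's code. Function names are hypothetical.

# Decide whether the journal should be read at all.
# $1: directory whose presence marks a systemd-booted system
#     (assumption: /run/systemd/system, as shown in the report's "Init:" line)
journal_usable() {
    marker=${1:-/run/systemd/system}
    # Same test the report attributes to logoutput(): no journalctl, no journal.
    command -v journalctl >/dev/null 2>&1 || return 1
    # journalctl may be installed while another init is running; skip quietly
    # instead of producing an error on every invocation.
    [ -d "$marker" ] || return 1
    return 0
}

# Print the journalctl option that bounds how much of the journal one run reads.
# $1: offset file, assumed to hold the cursor saved by the previous run
# $2: look-back window for a first run (default: the 5 hours from the report)
journal_window() {
    offset=$1
    window=${2:-5 hours ago}
    if [ -s "$offset" ]; then
        # A saved position exists: read only entries written after it.
        printf -- '--after-cursor=%s\n' "$(head -n 1 "$offset")"
    else
        # Missing or empty offset file is treated as a first run: never read
        # the whole journal, which is what exhausts memory.
        printf -- '--since=%s\n' "$window"
    fi
}

# Constructed demonstration: a path that does not exist stands in for a first run.
if journal_usable; then
    echo "would run: journalctl --no-pager --quiet '$(journal_window /nonexistent/offset.journal)'"
else
    echo "journal not usable on this system; skipping journal check"
fi
```
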