[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: systemd's journal

On Sun, Feb 16, 2014 at 09:17:46AM +0100, Helmut Grohne wrote:
> Heh. Maybe we can turn this into a useful question:
> Assume that I have a broken system (maybe the disk is partially broken
> or it got owned and I don't want to rely on its toolbox anymore). Now
> for some reason, I can still access /var/log/journal. Maybe I even have
> an offline copy of the FSS[1] keys? So yeah, what I'll be doing is
> copying off /var/log/journal from that system before more harm happens.
> Unfortunately my recovery system runs sysvinit (not an unlikely scenario
> these days). There is no journalctl on that system. So what do I do now?
Let's image a different scenario. You have a box with text logs in
/var/log, which you copy to a different box, and oh my, you can't read
them because they're binary and have this strange .xz suffix. After
some deliberation you install xz and manage to read them ;)

About the same is true for journalctl. Just install the package,
copy the binary from somewhere, or compile systemd from source and run
journalctl from the build directory.

On Sun, Feb 16, 2014 at 08:50:02AM -0500, The Wanderer wrote:
> What is the log flow here? Specifically, does the logged information
> flow from source - that is, from the process generating the message
> which gets logged - to journald and also, separately, from source to
> syslog (presumably in the form of rsyslogd), or does it flow from source
> to journald to syslog? (Or something else? Or am I missing / making an
> assumption that turns this into a stupid question?)
There are two ways: "traditionally", systemd-journald will forward
messages to /run/systemd/journal/syslog, if it exists, and syslog
daemons can read them "live". The "new" way, used by e.g. rsyslog,
is to use the journal client library to read messages from the
journal. This gives access messages from early boot, and also to
structured data which is not available in the syslog datagrams.

So the answer to your question is "from source to journald to syslog",
with a possible detour through /var/log/journal or /run/log/journal.


Reply to: