From Fedora Project Wiki

Revision as of 10:20, 26 July 2013 by Lennart (talk | contribs)

No Default Syslog

Summary

No longer install a traditional syslog service by default. (Specifically, remove rsyslog from the @core or @standard groups in comps.)

The systemd journal will be the default logging solution. Rsyslog, Syslog-NG, and even traditional sysklogd will continue to cover use cases outside of the default.

Owner

  • Name: Matthew Miller
  • Email: mattdm at fedoraproject org
  • Release notes owner:

Current status

  • Targeted release: Fedora 20
  • Last updated: 2013-07-15
  • Tracker bug: <will be assigned by the Wrangler>

Detailed Description

Let's change the default install to no longer install a syslog service by default — let's remove rsyslog from the "comps" default.

The journal has been around for a few releases and is well tested. F19 already enabled persistent journal logging on disk, thus all logs have been stored twice on disk, once in journal files and once in /var/log/messages. This feature hence recommends no longer installing rsyslog by default, leaving only the journal in place.

rsyslog will remain the recommended option to install if users require /var/log/messages, need support for the syslog network protocol, or need to enforce strict data lifecycle policies. It's sufficient to install and start rsyslog to get /var/log/messages and BSD syslog support.

Also see previous attempt: https://fedoraproject.org/wiki/Features/systemd-journal and FESCO meeting minutes, and previous mailing list discussion (later than that feature proposal) at https://lists.fedoraproject.org/pipermail/devel/2012-October/172682.html

Also note that other distributions (notably ArchLinux) already default to journal-only by default, so Fedora wouldn't be the pioneer here, just follow suit.

Benefit to Fedora

The journal is already available and active in Fedora 19. See https://www.youtube.com/watch?v=i4CACB7paLc for a video presentation of benefits for users and system administrators.

Our default install will need less footprint on disk and at runtime (especially since logs will not be kept around twice anymore). This is significant on systems with limited resources, like the Fedora Cloud image.

As a side effect, removes of cyrus-sasl and hesiod packages from the minimal install, reducing the number of things which might need security in JEOS or cloud installs.

Also, we'll boot a bit faster, which is always nice.

Scope

Simply remove "rsyslog" from all default install groups in "comps".

Packages which strictly require /var/log/messages to exist might need updating to gain dependencies on some kind of syslog daemon (but they needed that before too, so this is mostly just bugfixing that's useful anyway). If any of the packages in the default install is one of those, we need to look at it in detail, and find a solution. However, currently no package of the default install is requiring a syslog implementation.

Some tools such as logcheck might need to be updated to process data from the journal instead of /var/log/message. This should be fairily easy as "journalctl" generates the same output as "cat /var/log/messages" previously did.

  • Proposal owners: Commit a change to "comps" to remove "rsyslog" from it. Drop in a file /var/log/README informing users where the log files went, and how do get to the same data as before.
  • Other developers: logcheck needs updating to stay useful. It needs to grep through the output of "journalctl", rather than /var/log/messages.
  • Release engineering: nothing really.
  • Policies and guidelines: Guidelines should clarify that /var/log/message doesn't exist on many systems, but that was already the case before -- so little changes. QA should add a few tests and release criteria about journal functionality.

Note that logrotate should stay in the default install, as it is required to rotate wtmp and btmp (the journal synchronously rotates before writing and does not require logrotate for operation).

Upgrade/compatibility impact

Old installs will continue to have rsyslog installed, nothing changes for them.

How To Test

Just make sure that everything works correctly. Since journald features have been incrementally enabled over the

User Experience

"cat /var/log/messages" will now become "journalctl".

"tail -f /var/log/messages" will now become "journalctl -f".

"grep foobar /var/log/messages" will now become "journalctl | grep foobar".

Dependencies

Log analysis packages should either directly require rsyslog or are ideally updated. Some of these are small changes to rather obscure diagnostic-collection scripts. Logwatch and fail2ban have been identified as the most critical.

ccze: log colorizer; should work with journalctl output in theory but gets ^Ms inserted somehow.

epylog: This is really meant to be run on a central log-collecting server (from the documentation, designed for clusters of "50 and upwards"). It won't work out of the box with journal, but adding a hard dependency may also be inappropriate.

hplip (HP Linux Imaging and Printing Project): includes a helper script to scrape info from system logs. Will file a RFE for journal support.

logcheck: needs to be either updated or have a dependency added. (Note that it also requires /usr/bin/sendmail). This package actually never had complete functionality, as it is meant to exec /usr/bin/syslog-summary, which is not packaged. Will check with maintainer about best course of action.

logwatch: RFE for journal support https://bugzilla.redhat.com/show_bug.cgi?id=864872

fail2ban: RFE for journal support https://bugzilla.redhat.com/show_bug.cgi?id=985567

lvm2: contains lvmdump, which among other things includes "recent entries from /var/log/messages". Will file RFE for update to journalctl.


nova-manage (from openstack): has functionality to extract nova info from system log files. Tries /var/log/syslog, falls back to /var/log/messages. This would actually be significantly nicer using journalctl.

pcp (Performance Co-Pilot): can be configured with syslog output as a datasource; will investigate further.

Contingency Plan

The full contingency plan is simply to put rsyslog back in @core. Alternately, we could fall back to the smaller change of moving rsyslog from @core (the smallest possible install) to @standard (the default install). That way, minimal installations (including the Fedora cloud image) could benefit now while also serving as an incremental proving ground until whatever issues are resolved.

  • Contingency mechanism: Re-add "rsyslog" to comps, either back in @core or in @standard.
  • Contingency deadline: beta release
  • Blocks release? probably

Documentation

"journalctl" has been documented extensively at http://www.freedesktop.org/wiki/Software/systemd/. No additional documentation should be necessary but would be welcome.

Release Notes

Something like this should be added to the release notes:

"Note that F20 does not install a Syslog service by default anymore. For browsing log messages please type "journalctl" rather than "less /var/log/messages". Please type "journalctl -f" instead of "tail -f /var/log/messages". Please use "journalctl | grep foobar" instead of "grep foobar /var/log/messages". If the administrator needs /var/log/messages or support for the BSD syslog network protocol we recommend installing a syslog daemon such as rsyslog or syslog-ng with a command like like the following:

$ yum install rsyslog

"