[systemd-devel] systemd-logger and external syslog daemon
Rainer Gerhards
rgerhards at hq.adiscon.com
Fri Mar 11 08:26:58 PST 2011
> -----Original Message-----
> From: Lennart Poettering [mailto:lennart at poettering.net]
> Sent: Friday, March 11, 2011 5:22 PM
> To: Rainer Gerhards
> Cc: Michael Biebl; Andrey Borzenkov; Mike Kazantsev; systemd-
> devel at lists.freedesktop.org
> Subject: Re: [systemd-devel] systemd-logger and external syslog daemon
>
> On Fri, 11.03.11 17:08, Rainer Gerhards (rgerhards at hq.adiscon.com) wrote:
>
> > > > Lennart recommended that to me and I had some code in place to do it.
> > > > However, at that time this did not work because the kernel did not
> > > > record that timestamp. This was added a while later, but I did not
> > > > yet revisit that issue. I was a bit hesitant to dig into this
> > > > issue as I found no simple enough method to setup a system with
> > > > systemd (I know it's important, but there are many other important
> things as well...).
> > > > I'll see that I can at least see what kernel patch needs to be
present.
> > >
> > > Nah, these are actually two different things. The SO_TIMESTAMP stuff
> > > does not matter in this context.
> > >
> > > What I'd like to see that SO_TIMESTAMP is used when messages come in
> > > via /dev/log.
> > >
> > > And for messages coming in from /proc/kmsg it would be cool to parse
> > > the kernel timestamps that (optionally) are in the message prefix in
> > > the []
> > part.
> >
> > Got it -- but "optionally" does not sound too good. What if systemd's
> > minimal syslog implementation would guarantee that a timestamp is
> > written for "forwarded" logs?
>
> Well, if the kernel adds timestamps anyway, then there's little point to
add
> another set of timestamps from userspace, snce then we might end up with
> two timestamps in each message. And it is difficult to figure out whether
> kernel-side timestamping is on.
Well, I could check a special cookie for the "systemd" timestamp. I am *not*
concerned so much about regular kernel messages. What concerns me are
messages that are originally destined to the system log socket.
Also note that it may be dangerous to change the output format of syslogd.
Various processes seem to die in that case (at least that's why almost all
distros still have the silly old-style timestamp set as default, because a
variety of tools abort if RFC3339 timestamps are being used...).
>
>
> All big distros enable printk timestamping by default. That means this is
an
> opt-out and not an opt-in feature nowadays. That probably means we
> shouldn't try to ignore the user configuration and add in timestamps when
> the kernel doesn't genreate them anyway.
>
> Also, note that systemd is not the only one logging to /dev/kmsg. The
kernel
> timestamping covers all those sources equally.
As I said, I am concerned about the forwarded messages, for which I think
systemd ist he only source.
Rainer
>
> Lennart
>
> --
> Lennart Poettering - Red Hat, Inc.
More information about the systemd-devel
mailing list