[systemd-devel] journalctl | grep -v mail.*

Olav Vitters olav at vitters.nl
Tue Oct 23 14:35:29 PDT 2012


On Tue, Oct 23, 2012 at 11:13:32PM +0200, Lennart Poettering wrote:
> On Tue, 23.10.12 22:38, Olav Vitters (olav at vitters.nl) wrote:
> 
> > I'm trying to learn journalctl a bit.
> > 
> > I'd prefer if I could do a grep -v, but in journalctl using some
> > argument, e.g. -v.
> 
> Negative filtering (i.e. not foo=bar, but foo!=bar) is currently not
> implemented. I have figured out how to implement this relatively
> efficiently now, but this will take some time to implement. It's on the
> TODO list.

Cool!

> > I noticed the SYSLOG_FACILITY for postfix is given as "2", shouldn't
> > that be 16? In /usr/include/sys/syslog.h it has 2<<3 for LOG_MAIL, I'd
> > expect that to be in SYSLOG_FACILITY. At the moment I'm still using
> > rsyslog and /etc/syslog.conf allows me to redirect mail related things
> > just fine, example:
> > mail.=debug;mail.=info;mail.=notice
> > -/var/log/mail/info.log
> 
> The full syslog priority field is decoded into PRIORITY= and
> SYSLOG_FACILITY=, so that it is easy to filter for them
> independently. The latter has the SYSLOG_ prefix since we consider it a bit
> of an outdated concept. 20 numeric facilities are quite limited, and
> _SYSTEMD_UNIT= is usually a much better way to filter things. We do
> store it however, in order not to lose any data.

I know there are better ways, but for me it is way easier to reuse some
existing knowledge. The priority I don't care that much about at the
moment, the colours added by journalctl seem to be good enough for now.
Logging the mail stuff into multiple files is the way Mageia/Mandriva
set it up.

> Messages that are not generated via syslog() will not carry
> SYSLOG_FACILITY= however, but they will carry the log priority, since
> that is generally useful functionality.

Postfix should be using "mail" / 16 as priority, otherwise rsyslog
wouldn't have filtered that into /var/log/mail/info.log. And I guess if
it didn't use syslog, it shouldn't have SYSLOG_FACILITY. However, I see
things like:

$ journalctl -n1 -o export SYSLOG_FACILITY=2 
__CURSOR=s=d58b63a971464dc0ae21bc409d611941;i=d742;b=3ae5edd0461841d69be6e46800ec3f3b;m=52ffd54860;t=4ccc0b1ec92f9;x=2526026ee985410d
__REALTIME_TIMESTAMP=1351027897701113
__MONOTONIC_TIMESTAMP=356479486048
_BOOT_ID=3ae5edd0461841d69be6e46800ec3f3b
_TRANSPORT=syslog
PRIORITY=6
SYSLOG_FACILITY=2
SYSLOG_IDENTIFIER=postfix/qmgr
SYSLOG_PID=2193
MESSAGE=1842050036E: removed
_PID=2193
_UID=489
_GID=484
_COMM=qmgr
_EXE=/usr/lib64/postfix/qmgr
_CMDLINE=qmgr -l -t fifo -u -c
_SYSTEMD_CGROUP=/system/postfix.service
_SYSTEMD_UNIT=postfix.service
_SOURCE_REALTIME_TIMESTAMP=1351027897700510
_MACHINE_ID=73d0b740d3400a0f4952366400000206
_HOSTNAME=bkor.dhs.org


Here, the SYSLOG_FACILITY should have read 16, or am I mistaken? Note
that I'm not yet storing things on disk. I assume/hope Mageia will do
that soon.

-- 
Regards,
Olav
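
Added example, not part of the original post or of systemd: a client-side stand-in for the negative match discussed above. It parses `journalctl -o export` output, drops entries logged with the mail facility, and splits a raw syslog priority value into facility number and severity. The function names, the abbreviated facility table and the sample entries are assumptions made for this illustration.

```python
import io

# Facility codes as in <sys/syslog.h>: LOG_MAIL is (2<<3), so its facility number is 2.
# Abbreviated table, assumed sufficient for this illustration.
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog"}

def split_pri(pri):
    """Split a raw syslog priority value into (facility number, severity)."""
    return pri >> 3, pri & 7

def parse_export(stream):
    """Yield one dict per entry from a binary stream of `journalctl -o export` output."""
    entry = {}
    for line in iter(stream.readline, b""):
        line = line.rstrip(b"\n")
        if not line:                      # a blank line ends an entry
            if entry:
                yield entry
            entry = {}
        elif b"=" in line:                # text field: NAME=value
            key, _, value = line.partition(b"=")
            entry[key.decode()] = value.decode("utf-8", "replace")
        else:                             # binary field: NAME, 64-bit LE size, data, newline
            size = int.from_bytes(stream.read(8), "little")
            entry[line.decode()] = stream.read(size).decode("utf-8", "replace")
            stream.read(1)                # consume the newline that follows the data
    if entry:
        yield entry

def exclude_facility(entries, name):
    """Drop entries logged with the named syslog facility (like grep -v 'mail.*')."""
    for e in entries:
        fac = e.get("SYSLOG_FACILITY", "")
        if fac.isdigit() and FACILITIES.get(int(fac)) == name:
            continue
        yield e

# Constructed sample: the first entry is abbreviated from the post, the other two are invented.
_MSG = b"line one\nline two"
SAMPLE = (
    b"PRIORITY=6\nSYSLOG_FACILITY=2\nSYSLOG_IDENTIFIER=postfix/qmgr\n"
    b"MESSAGE=1842050036E: removed\n_SYSTEMD_UNIT=postfix.service\n\n"
    b"PRIORITY=5\nSYSLOG_FACILITY=3\nSYSLOG_IDENTIFIER=ntpd\nMESSAGE=reloaded\n\n"
    b"PRIORITY=6\n_TRANSPORT=journal\nMESSAGE\n"
    + len(_MSG).to_bytes(8, "little") + _MSG + b"\n\n"
)

if __name__ == "__main__":
    print(split_pri(16 | 6))              # mail.info as a raw priority value
    for e in exclude_facility(parse_export(io.BytesIO(SAMPLE)), "mail"):
        print(e.get("SYSLOG_IDENTIFIER", "-"), repr(e["MESSAGE"]))
```

Entries without SYSLOG_FACILITY are kept, since there is no facility to match against.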

