
#1 2013-01-14 19:19:53

duncant
Member
Registered: 2013-01-14
Posts: 2

Journald doesn't log anything

This is a relatively new problem for me. Everything was working well up until recently. I noticed this problem when sshguard stopped doing its job.

Journald doesn't get any log messages. When I do `sudo logger -p auth.info test`, the log message shows up in /var/log/auth.log (I have syslog-ng installed), but not in the output of `sudo journalctl SYSLOG_FACILITY=4 SYSLOG_FACILITY=10` or in the output of `sudo journalctl`. The last log messages in my journal are from a few weeks ago. I checked that syslog was not binding to /dev/log. It's only bound to /run/systemd/journal/syslog. systemd-journalctl and systemd are the only processes bound to /dev/log.

I'm at a total loss as to what could be happening. Obviously, I don't have any logs to go along with this problem.

I apologize if this is the wrong forum for this question.

Offline

#2 2013-01-19 09:46:37

Strike0
Member
From: Germany
Registered: 2011-09-05
Posts: 1,277

Re: Journald doesn't log anything

Welcome to the forum, duncant. The package is just not journald ready. However, since you have syslog-ng installed it should still be working I would reckon (just not with journalctl).
Have a look here for info and alternative (last post): https://bbs.archlinux.org/viewtopic.php?id=151562

Offline

#3 2013-01-19 18:32:21

Leonid.I
Member
From: Aethyr
Registered: 2009-03-22
Posts: 949

Re: Journald doesn't log anything

@duncant:
It's very strange that journal is running but not logging... Do you have persistent storage or is it all volatile? If journal starts properly, I would change Storage= from auto to volatile in /etc/systemd/journal.conf, restart journal, and delete /var/log/journal/* (/var/log/journal belongs to core/filesystem). See if it gets system events like kernel logs.

@strike0:
There is no such thing as "journal ready". If a program logs, its output will be captured by journald.


Arch Linux is more than just GNU/Linux -- it's an adventure

Offline

#4 2013-01-19 19:05:57

Strike0
Member
From: Germany
Registered: 2011-09-05
Posts: 1,277

Re: Journald doesn't log anything

@Leonid.I:
Sorry, but yes there is. You have a misunderstanding about how that tool works. It watches /var/log/auth.log.
Follow the link I posted above, the reason for the issue is explained in there.

Offline

#5 2013-01-19 21:59:42

duncant
Member
Registered: 2013-01-14
Posts: 2

Re: Journald doesn't log anything

@Leonid.I
Hmm... that fixed it. Any idea why? I'd kinda like to have persistent logs. Thanks for the fix!

@Strike0
Thanks for the welcome! I don't think that the link you posted is quite applicable. I understand that ordinarily sshguard looks in /var/log/auth.log for log messages. The sshguard package works around this by piping the output of 'journalctl SYSLOG_FACILITY=4 SYSLOG_FACILITY=10' (with some other flags) into sshguard (sshguard can read log messages from stdin). It's my understanding (perhaps I'm wrong) that this should get the log messages to sshguard even without writing them to /var/log/auth.log. So sshguard doesn't actually need /var/log/auth.log to be present on the system if systemd is installed. But that's beside the point.

My problem isn't that sshguard isn't working. That's a symptom of the problem. The problem is that journald doesn't get *any* log messages. In the interim, I've pointed sshguard to /var/log/auth.log with syslog-ng installed. That works fine and I get messages that sshguard is doing its job. I'm trying to debug the more troubling problem of journald not doing its job.

Offline
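
The manual check described in this thread (send a test message with `logger`, then look for it in `journalctl` under the auth facilities) can be run as a repeatable canary, so that a silent journal is noticed before a journal-fed tool such as sshguard stops seeing events. This is an added example, not code from any post or from the sshguard package; the function name `journal_canary` and the tag `journal-canary` are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: journal "canary" check.
# journal_canary and the journal-canary tag are hypothetical names.

# journal_canary [timeout_seconds]
#   Sends a unique auth.info message through syslog with logger(1) and
#   waits for it to show up in the journal.
#   Returns 0 if journald recorded it, 1 if it never appeared,
#   2 if the message could not be sent at all.
journal_canary() {
    local timeout="${1:-5}"
    local tag="journal-canary"
    local token="canary-$(date +%s)-$$"
    local waited=0

    logger -t "$tag" -p auth.info "$token" || return 2

    while :; do
        # Same facility match the thread uses (4 = auth, 10 = authpriv),
        # narrowed to our own tag. Matches on the same field are ORed,
        # matches on different fields are ANDed. -o cat prints only the
        # message text, which is all grep needs.
        if journalctl --no-pager -o cat --since=-5min \
               SYSLOG_FACILITY=4 SYSLOG_FACILITY=10 \
               SYSLOG_IDENTIFIER="$tag" 2>/dev/null \
               | grep -qF -- "$token"; then
            return 0
        fi
        if [ "$waited" -ge "$timeout" ]; then
            return 1
        fi
        sleep 1
        waited=$((waited + 1))
    done
}

# Typical use from cron or a monitoring agent:
#   journal_canary 10 || echo "journald is not recording syslog messages" >&2
```

A return value of 1 while the same token is present in /var/log/auth.log reproduces the situation in the first post: syslog-ng receives the message but the journal does not.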

#6 2013-01-19 23:18:08

Strike0
Member
From: Germany
Registered: 2011-09-05
Posts: 1,277

Re: Journald doesn't log anything

Oh alright. I misunderstood your problem then - just read it too quickly. (sorry also Leonid.I)
I have never used sshguard, but from looking at our wiki page here and briefly at their documentation I assumed it has the same problem as the fail2ban package. That was a wrong assumption anyway, since you keep running syslog-ng and it depends on how you invoke sshguard. The info on how to pipe the journalctl output to sshguard would be a useful addition to the wiki here btw.

To your problem of journald not logging _anything_, I don't have any additional pointers currently. I will add again, if I have an idea.

Offline

#7 2013-01-20 05:21:58

Leonid.I
Member
From: Aethyr
Registered: 2009-03-22
Posts: 949

Re: Journald doesn't log anything

@duncant:
Probably because the on-disk version was either corrupted or created with an early version of journald... I honestly don't know better than that because I don't use journal.

I also like persistent logs, but journald is too crude for anything serious. The main issue is that journal puts all logs in one place: /var/log/journal. This dir grows A LOT. For instance, after a week of uptime, I have ~ 5MiB in syslog-ng logs, but ~50MiB in journal.

Moreover, I don't need all logs persistent: some can go to RAM (logs from hostap, cron, iptables), but some must stay on disk (kernel, auth). Firewall logs can grow very fast (~4K lines/day) which will kill my HDDs. How do you configure this in journal? Also, this problem with corrupted journal files just scares me...

Finally, I find fail2ban/sshguard/... quite stupid. My philosophy is not to change firewall rules on the fly, but to make them adaptive. One example was provided by Strike0 in the above link. Another one is using port knocking with the "-m recent" iptables module.

@Strike0:
No problem :) I like your earlier firewall config for dynamic blocking of IPs, although I use plain iptables, not UFW.


Arch Linux is more than just GNU/Linux -- it's an adventure

Offline
