As I prepare for the RHCSA/RHCE certifications, I have to do some conversion between the RH6 book I’m using examining the new ways of doing things in RH7 (when I say “RH6” or “RH7” I’m including CentOS and ScientificOS in the list). On to Things to Think About:
One of the new bits in RH7 is how to manage logs. Lots are now binary and contain all the logs for the system. With RH6, logs were generally in /var/log under various files like messages, secure, httpd, etc. Now you use journalctl to view logs.
I have a couple of concerns with this. First, I can’t seem to let a non-root user access the log files. Since in RH6, the files are ‘600’ in permissions, in order for regular users to view the log files (messages or httpd error_log), you’d just change the permissions to ‘640’. The benefit is I can pull the logs to a central server for review. With almost 1,000 systems, having to log in to each one, become root, and review the log is impossible. I’d like to have a central syslog server but I’d also like to keep network traffic down, especially for systems where the application is logging several times a second.
journalctl doesn’t seem to have the ability to let a user view logs on a system without using sudo or having root run the journalctl command to export the data.
I can see this being an issue, not just for system admins, but for users of applications who need access in order to manage the behavior of their applications. Same with monitoring tools such as OpenView. Many of the alarms are generated by syslog scraping (the messages file).
There’s also an issue for application developers. How do they now write their logs, especially for dealing with application level issues.
Is systemd replacing syslogd or rsyslogd or just augmenting it for now, but eventually replacing it? I do see messages, secure, and even dmesg in /var/log.