buffer logs from initramfs until syslog-ng starts
So I'm trying to find a way to buffer logs from extremely early in the boot process (from when the initramfs is still running), and then dump them to syslog-ng once it starts. Has anyone done anything similar? The only real idea that comes to mind is to use busybox's syslogd and have it use a circular buffer, then configure syslog-ng with a program source that reads the buffer and then terminates the daemon (something like 'logread ; pkill -x syslogd &>/dev/null'), and set follow_freq to 0. Whether this will work or not, I don't know as I've never played with program sources. Also a problem I see with this is that the busybox syslogd would need to be killed before syslog-ng tries to open /dev/log and /proc/kmsg, but I'm not sure how to go about that. I do seem to recall some other utility I've run across in my travels that is designed for this exact purpose, in that it buffers syslog messages during boot, then dumps its buffer once the main syslog daemon has started and terminates, but I can't remember what it's called (and google is failing me). So does anyone have any good ideas for solving this situation?
I believe some distributions dump the contents of "dmesg" (which displays the contents of the kernel ring buffer) into syslog once it is started.... is that what you're thinking of?
Regards,
Scott.
From: "Patrick H." <syslogng@feystorm.net> To: syslog-ng@lists.balabit.hu Date: 15/09/2011 13:59 Subject: [syslog-ng] buffer logs from initramfs until syslog-ng starts Sent by: syslog-ng-bounces@lists.balabit.hu
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
No, this was an explicit logging utility, that ran as a syslog daemon and actually captured syslog messages.
-Patrick
Sent: Wed Sep 14 2011 22:23:46 GMT-0600 (MST) From: Scott Rochford <scott.rochford@amadeus.com> To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu> Subject: Re: [syslog-ng] buffer logs from initramfs until syslog-ng starts
I believe some distributions dump the contents of "dmesg" (which displays the contents of the kernel ring buffer) into syslog once it is started.... is that what you're thinking of?
Regards,
Scott.
"Patrick H." <syslogng@feystorm.net> writes:
So I'm trying to find a way to buffer logs from extremely early in the boot process (from when the initramfs is still running), and then dump them to syslog-ng once it starts. Has anyone done anything similar?
One way to accomplish this is with systemd: it will manage /dev/log itself, and pass the FD to the real syslogd, so you don't have to switch daemons at all, and the init daemon will have /dev/log open from pretty much the earliest time possible. Another option would be to use a dedicated daemon that starts up early, and manages /dev/log by reading from it, and sending the data to another socket if one's available (and buffers otherwise, until the other socket becomes available).
I do seem to recall some other utility I've ran across in my travels that is designed for this exact purpose, in that it buffers syslog messages during boot, then dumps its buffer once the main syslog daemon has started and terminates, but I cant remember what its called (and google is failing me).
You could use klogd, or even busybox's syslogd or pretty much anything else to do this: start them up on boot, configured to log to a file, say, /var/log/boot.log, and change syslog-ng's init script to stop this early-syslogd before starting syslog-ng (thus, freeing up /dev/log for syslog-ng; the kernel will buffer messages in the short time between the old daemon shutting down, and syslog-ng starting up).
Then configure syslog-ng to use /var/log/boot.log as source, and either delete the file on shutdown, or during bootup, or whenever. Or just leave it as-is (syslog-ng will remember where to continue from, yay persistence!), or configure rotation as you see fit.
Another option would be to just let the kernel buffer until syslog-ng starts up, I guess.
-- |8]
On Thu, 2011-09-15 at 10:07 +0200, Gergely Nagy wrote:
"Patrick H." <syslogng@feystorm.net> writes:
So I'm trying to find a way to buffer logs from extremely early in the boot process (from when the initramfs is still running), and then dump them to syslog-ng once it starts. Has anyone done anything similar?
One way to accomplish this is with systemd: it will manage /dev/log itself, and pass the FD to the real syslogd, so you don't have to switch daemons at all, and the init daemon will have /dev/log open from pretty much the earliest time possible.
Another option would be to use a dedicated daemon that starts up early, and manages /dev/log by reading from it, and sending the data to another socket if one's available (and buffers otherwise, until the other socket becomes available).
The solution that systemd uses can in fact be implemented without systemd. Open /dev/log and forward all messages to kmsg. Then kmsg is read by syslog-ng at startup, ergo you have all the boot logs.
I do seem to recall some other utility I've ran across in my travels that is designed for this exact purpose, in that it buffers syslog messages during boot, then dumps its buffer once the main syslog daemon has started and terminates, but I cant remember what its called (and google is failing me).
You could use klogd, or even busybox's syslogd or pretty much anything else to do this: start them up on boot, configured to log to a file, say, /var/log/boot.log, and change syslog-ng's init script to stop this early-syslogd before starting syslog-ng (thus, freeing up /dev/log for syslog-ng; the kernel will buffer messages in the short time between the old daemon shutting down, and syslog-ng starting up).
That's not true though. If something sends a log message while the switch takes place, some messages might be lost. You really need systemd or something similar to manage the switchover to avoid losing logs due to races.
Then configure syslog-ng to use /var/log/boot.log as source, and either delete the file on shutdown, or during bootup, or whenever. Or just leave it as-is (syslog-ng will remember where to continue from, yay persistence!), or configure rotation as you see fit.
Another option would be to just let the kernel buffer until syslog-ng starts up, I guess.
-- Bazsi
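The /dev/log-to-kmsg relay Bazsi describes, written out as an added example (not his code, nor anything shipped with syslog-ng). It assumes the kernel accepts a "<pri>" prefix on /dev/kmsg writes and rejects records longer than 1024 bytes minus its own prefix (hence the 976-byte cap), and that the init script kills this hypothetical early daemon once syslog-ng has taken over /dev/log.

```c
#include <ctype.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>

/* Assumption: /dev/kmsg rejects writes over 1024 bytes minus its prefix; stay within 976. */
#define KMSG_MAX 976
#define DEFAULT_PRI 14   /* user.info, for datagrams without a valid "<pri>" */

/* Convert one syslog datagram into one /dev/kmsg record: keep a valid "<pri>" (the
 * kernel parses it as facility/level), replace control bytes so a single datagram
 * cannot forge extra log lines, truncate, end with '\n'. out (outcap >= 8) is
 * always NUL-terminated; returns the record length. */
size_t to_kmsg_record(const char *in, size_t inlen, char *out, size_t outcap)
{
    int pri = DEFAULT_PRI, v = 0;
    size_t i = 0, j = 1, n;
    if (outcap < 8) return 0;
    while (inlen > 1 && in[0] == '<' && j < inlen && j < 4 && isdigit((unsigned char)in[j]))
        v = v * 10 + (in[j++] - '0');
    if (j > 1 && j < inlen && in[j] == '>' && v <= 191) { pri = v; i = j + 1; }
    n = (size_t)snprintf(out, outcap, "<%d>", pri);
    for (; i < inlen && in[i] != '\0' && n + 2 < outcap && n + 1 < KMSG_MAX; i++) {
        unsigned char c = (unsigned char)in[i];
        out[n++] = (c < 0x20 || c == 0x7f) ? ' ' : (char)c;
    }
    while (out[n - 1] == ' ') n--;   /* trailing CR/LF turned into spaces */
    out[n++] = '\n'; out[n] = '\0';
    return n;
}

/* Hypothetical early daemon: own /dev/log, relay into the kernel ring buffer. */
int main(void)
{
    struct sockaddr_un a = { .sun_family = AF_UNIX, .sun_path = "/dev/log" };
    int s = socket(AF_UNIX, SOCK_DGRAM, 0), k = open("/dev/kmsg", O_WRONLY);
    char in[8192], out[KMSG_MAX + 1];
    unlink(a.sun_path);
    if (s < 0 || k < 0 || bind(s, (struct sockaddr *)&a, sizeof a) < 0 ||
        chmod(a.sun_path, 0666) < 0)   /* any local process may send to /dev/log */
        { perror("early-syslog"); return 1; }
    for (;;) {
        ssize_t r = recv(s, in, sizeof in, 0);
        if (r > 0 && write(k, out, to_kmsg_record(in, (size_t)r, out, sizeof out)) < 0)
            perror("kmsg write");
    }
}
```

Because syslog-ng removes and re-creates /dev/log when it starts, the race Bazsi warns about still exists unless the daemon keeps the socket open and is stopped only after syslog-ng is listening.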