[syslog-ng] buffer logs from initramfs until syslog-ng starts

Gergely Nagy algernon at balabit.hu
Thu Sep 15 10:07:36 CEST 2011


"Patrick H." <syslogng at feystorm.net> writes:

> So I'm trying to find a way to buffer logs from extremely early in the
> boot process (from when the initramfs is still running), and then dump
> them to syslog-ng once it starts. Has anyone done anything similar?

One way to accomplish this is with systemd: it will manage /dev/log
itself, and pass the FD to the real syslogd, so you don't have to switch
daemons at all, and the init daemon will have /dev/log open from pretty
much the earliest time possible.

Another option would be to use a dedicated daemon that starts up early,
and manages /dev/log by reading from it, and sending the data to another
socket if one's available (and buffers otherwise, until the other socket
becomes available).

> I do seem to recall some other utility I've run across in my travels
> that is designed for this exact purpose, in that it buffers syslog
> messages during boot, then dumps its buffer once the main syslog
> daemon has started and terminates, but I can't remember what it's called
> (and Google is failing me).

You could use klogd, or even busybox's syslogd or pretty much anything
else to do this: start them up on boot, configured to log to a file,
say, /var/log/boot.log, and change syslog-ng's init script to stop this
early-syslogd before starting syslog-ng (thus, freeing up /dev/log for
syslog-ng; the kernel will buffer messages in the short time between the
old daemon shutting down, and syslog-ng starting up).

Then configure syslog-ng to use /var/log/boot.log as source, and either
delete the file on shutdown, or during bootup, or whenever. Or just
leave it as-is (syslog-ng will remember where to continue from, yay
persistence!), or configure rotation as you see fit.

Another option would be to just let the kernel buffer until syslog-ng
starts up, I guess.

-- 
|8]
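
The "dedicated daemon" option from the reply above, sketched as an added example that is not part of the original post and not syslog-ng code: a relay that owns the early log socket, forwards each datagram to the real daemon's socket when one exists, and otherwise holds messages in a bounded in-memory buffer. The class name, the downstream socket path and the buffer size are assumptions made for illustration.

```python
import collections
import os
import socket


class EarlyLogRelay:
    """Owns the early log socket; forwards downstream or buffers in memory."""

    def __init__(self, listen_path, downstream_path, max_buffered=4096):
        self.downstream_path = downstream_path
        # Bounded buffer: a log flood during boot must not exhaust memory.
        self.buffer = collections.deque(maxlen=max_buffered)
        self.dropped = 0  # count evictions so the loss is visible later
        self.listener = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
        if os.path.exists(listen_path):
            os.unlink(listen_path)  # clear a stale socket file
        self.listener.bind(listen_path)
        self.out = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)

    def _send(self, msg):
        """Try one datagram; False means the real daemon is not there yet."""
        try:
            self.out.sendto(msg, self.downstream_path)
            return True
        except (FileNotFoundError, ConnectionRefusedError):
            return False

    def flush(self):
        """Drain the backlog in arrival order; stop at the first failure."""
        while self.buffer and self._send(self.buffer[0]):
            self.buffer.popleft()

    def handle_one(self):
        """Receive one message, keeping its order relative to the backlog."""
        msg = self.listener.recv(65536)
        self.flush()
        if self.buffer or not self._send(msg):
            if len(self.buffer) == self.buffer.maxlen:
                self.dropped += 1  # the deque evicts the oldest entry
            self.buffer.append(msg)


if __name__ == "__main__":
    # Assumed paths: the relay owns /dev/log, the real daemon listens elsewhere.
    relay = EarlyLogRelay("/dev/log", "/run/early-relay.sock")
    while True:
        relay.handle_one()
```

The backlog is only drained when a new message arrives, so a quiet system delivers its boot messages with the next log line rather than immediately.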


