[syslog-ng] buffer logs from initramfs until syslog-ng starts
Balazs Scheidler
bazsi at balabit.hu
Wed Sep 21 11:34:46 CEST 2011
On Thu, 2011-09-15 at 10:07 +0200, Gergely Nagy wrote:
> "Patrick H." <syslogng at feystorm.net> writes:
>
> > So I'm trying to find a way to buffer logs from extremely early in the
> > boot process (from when the initramfs is still running), and then dump
> > them to syslog-ng once it starts. Has anyone done anything similar?
>
> One way to accomplish this is with systemd: it will manage /dev/log
> itself, and pass the FD to the real syslogd, so you don't have to switch
> daemons at all, and the init daemon will have /dev/log open from pretty
> much the earliest time possible.
>
> Another option would be to use a dedicated daemon that starts up early,
> and manages /dev/log by reading from it, and sending the data to another
> socket if one's available (and buffers otherwise, until the other socket
> becomes available).
The solution that systemd uses can in fact be implemented without
systemd. Open /dev/log and forward all messages to kmsg.
Then kmsg is read by syslog-ng at startup, ergo you have all the boot
logs.
>
> > I do seem to recall some other utility I've run across in my travels
> > that is designed for this exact purpose, in that it buffers syslog
> > messages during boot, then dumps its buffer once the main syslog
> > daemon has started and terminates, but I can't remember what it's called
> > (and google is failing me).
>
> You could use klogd, or even busybox's syslogd or pretty much anything
> else to do this: start them up on boot, configured to log to a file,
> say, /var/log/boot.log, and change syslog-ng's init script to stop this
> early-syslogd before starting syslog-ng (thus, freeing up /dev/log for
> syslog-ng; the kernel will buffer messages in the short time between the
> old daemon shutting down, and syslog-ng starting up).
That's not true though. If something sends a log message while the
switch takes place, some messages might be lost.
You really need systemd or something similar to manage the switchover to
avoid losing logs due to races.
>
> Then configure syslog-ng to use /var/log/boot.log as source, and either
> delete the file on shutdown, or during bootup, or whenever. Or just
> leave it as-is (syslog-ng will remember where to continue from, yay
> persistence!), or configure rotation as you see fit.
>
> Another option would be to just let the kernel buffer until syslog-ng
> starts up, I guess.
>
--
Bazsi