Is it good practice to run a system without a syslog daemon?

DeltaWingDragon@sh.itjust.works to Linux@lemmy.ml – 33 points –

If I'm using Arch or another minimal distro, is it a good idea to install a syslog daemon? Or can I go without?


You don't need syslog. Journald is good enough for most systems.

I also don't like the duplication of logs in journald and syslog, so I always disable forwarding to syslog.

What if I'm on another minimal distro, like Artix, that doesn't use systemd? Journald is a systemd thing, and I'm not going to install systemd on top of a perfectly good init system.

Use whatever that distro recommends then - which as far as I can tell seems to be svlogd for runit based systems. Though you should consult their documentation and make your own decision on which logger to use.

Whatever floats your boat, but if something goes wrong you don't really have anything to figure out what's going on.

wish I knew how to use the journal, seems like there isn't any good way to just search the previous session's logs without a mountain of fuss or having to guess file names

Check that you actually have persistent storage enabled. (See man journald.conf and search for Storage)

Read up on the numerous parameters to journalctl. (man journalctl)

journalctl --boot -2 will show logs from previous boot.

journalctl --since "-2 weeks" --unit=sshd last two weeks worth of sshd logs.
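The Storage check mentioned in the comment above can be scripted, which matters when you expect logs from an earlier boot to still exist after an incident. This is an added example, not part of the thread: the function names are hypothetical, it assumes systemd's documented default of Storage=auto, and it reads only the /etc/systemd files.

```shell
#!/bin/sh
# Added example: report whether journald will keep logs across reboots.
# Simplification: only <root>/etc/systemd is read; real systemd also merges
# drop-ins from /run/systemd and /usr/lib/systemd.

# Print the last Storage= value found (documented default: "auto").
journald_storage_mode() {
    root=${1:-}
    mode=auto
    # Main file first, then drop-ins in lexical order; later files win.
    for f in "$root/etc/systemd/journald.conf" \
             "$root"/etc/systemd/journald.conf.d/*.conf; do
        [ -f "$f" ] || continue
        # Commented lines (#Storage=...) do not match; keep the last assignment.
        v=$(sed -n 's/^[[:space:]]*Storage[[:space:]]*=[[:space:]]*\([a-z]*\).*$/\1/p' "$f" | tail -n 1)
        if [ -n "$v" ]; then mode=$v; fi
    done
    printf '%s\n' "$mode"
}

# Print what happens at runtime: "persistent", "volatile" or "none".
journald_effective_storage() {
    root=${1:-}
    case $(journald_storage_mode "$root") in
        persistent) echo persistent ;;
        none)       echo none ;;
        volatile)   echo volatile ;;
        *)
            # auto: logs persist only if /var/log/journal already exists.
            if [ -d "$root/var/log/journal" ]; then
                echo persistent
            else
                echo volatile
            fi ;;
    esac
}

# Demo on a constructed tree (not a real system): the directory exists,
# but a drop-in forces RAM-only logs, so nothing survives a reboot.
demo=$(mktemp -d)
mkdir -p "$demo/etc/systemd/journald.conf.d" "$demo/var/log/journal"
printf '[Journal]\nStorage=volatile\n' > "$demo/etc/systemd/journald.conf.d/10-ram.conf"
echo "constructed tree: $(journald_effective_storage "$demo")"
rm -rf "$demo"
```

On a live system, call `journald_effective_storage ""` to read the real /etc/systemd files.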

I think there's a minor mistake in your command. journalctl --boot -1 is the previous boot. The counting starts at --boot 0 for the current one.

What if I'm on another minimal distro, like Artix, that doesn't use systemd? Journald is a systemd thing, and I'm not going to install systemd on top of a perfectly good init system.

If you adopt systemd then the question is easy to answer: no, journald does everything you need.

Without adopting systemd... well. Are you evaluating going without any log handling at all and maybe just dumping logs ephemerally to tty0? DIYing all log stuff like your init scripts DIY things?

Personally if I had to go without journald I'd probably go back to using syslog-ng. But I guess there's an argument for shipping straight into something like opentelemetry-collector if you're willing to put in a lot of work.

It’s often more useful for minimal installations to keep the system log daemon running so that you can see when things happen and stop them from happening.

Especially now that even very low power embedded systems run multiple cpu cores at multi-ghz clocks, interface with gigabytes of memory, hundreds of gigabytes of attached storage and communicate through multi-gigabit network links, lots of stuff can be happening that is unwanted or simply unnecessary without any external indications.

What are you trying to accomplish by not running a syslog daemon?

Not really trying to accomplish much, just trying to save a few seconds in the manual installation process.

If it’s a race from boot to login prompt then making sure the installer never has to dial out and retrieve packages would be a bigger savings. Making sure the installer is on the fastest bus possible would be huge too. I think one nvme installing to another one would be fastest (assuming enough lanes).

Don’t take the wheelie bars off your dragster to save weight, wheelies are slow.

If you're on arch you use redhat's garbage. On non-corpo linux syslog can be disabled if you want, though I'd prefer to just symlink/mount /var/log to a memory filesystem instead.

> On non-corpo linux syslog can be disabled

systemctl disable --now systemd-journald

> I'd prefer to just symlink/mount /var/log to a memory filesystem instead

Set Storage=volatile in /etc/systemd/journald.conf

Like how you cropped my message to make it seem like I was implying you couldn't disable logging on systemd

Then what's the meaning of this whole part?

> On non-corpo linux syslog can be disabled if you want, though I'd prefer to just symlink/mount /var/log to a memory filesystem instead.

Is it just a random tidbit that could be replaced with a blueberry muffin recipe without any change of meaning of the whole comment? Because it sure won't help OP at all with their Arch-specific question, so it's either that, or it provides contrast to the "corpo Linux", which is how I interpreted it.

And here's the remaining part of your comment I left out, just to make sure people won't lose the context between two three sentence long comments (for those without any attention span, it comes before the previous quoted part):

> If you're on arch you use redhat's garbage.

OP was asking about syslog so I answered about using syslog. You're reading too much into it. They asked if they could go with or without a syslog daemon, so I told them they can disable syslog if they want to. They did not ask about journald so I didn't answer about journald.