Systemd receives its own log implementation
by admin ·
The developers of Systemd have presented a new Linux system log, which is closely linked with Systemd. The new Journald to save the log messages more efficient and safe from tampering and make analysis more efficient.
Lennart Poettering and Kay Sievers, the developer of Systemd keep the current system log on Linux and other Unix systems to be effective for more than 30 years, but it also has fundamental drawbacks. These disadvantages were particularly clearly in an attempt to better integrate with Systemd logs. They now make the proposal to create a new log for Systemd implementation that can be used in parallel to the existing syslog, replace the old system over time, but should.
Disadvantages of syslog are among other things, that the messages are not authenticated and therefore fake messages can be registered, and that the messages are completely free in its form. Tools that will analyze the messages must therefore be constantly adapted to changes in the format. The time stamps do not contain time zone information, messages are written to different files, which makes their assignment difficult, reading the log files is inefficient because it requires linear time, and the network protocol is very limited. In the event of a burglary, the log files are changed, without being noticed.
There are usually no access control except for the Unix file permissions, not the metadata includes the name of the service and any monotonically increasing timestamps that log rotation can not prevent fill up the partition, processes are only a very limited extent prevented the fill log excessively The compression of old log files access makes it even slower, messages that are incurred prior to the start or after the end of the daemon will not be saved, and additional information present in the binary format can not be logged.
In the opinion of Sievers Poettering and these problems are too serious to improve syslog. Instead, a new implementation is needed that takes into account right from the start to the new goals. After consulting with various developers and administrators, some of which serve very large systems, fourteen objectives of the newly created “Journals” were defined. First is the simplicity that is probably the biggest advantage of the current syslog. The code should be as small as possible, include a few dependencies (although Systemd is assumed) and contain no abstractions.
The journal is intended to operate without maintenance and avoid overflows the partition. It should be robust and the data should be copied easily to other systems and read there. It should be portable to all Linux systems, other Unix systems are not considered. Writing reports and analyzing and searching the logs should be very fast. Less space on the hard drive, general utility, logging for several or even a very large number of computers and prevent tampering of the log files are other objectives.
The authors have begun an implementation that already contains the basic operations. The implementation stores much more metadata than syslog, some of which are added by the journal itself and therefore can not be faked. The file format is chosen so that redundancies will be avoided, in addition, the messages themselves compressed. This should increase the space required little or even lower than for syslog. The source code including a client library is in the Git repository of Systemd available.
The journal is scheduled once all log messages to unify and could then replace wtmp, audit logs and UEFI firmware logs. Also kernel messages and core dumps are listed in the Journal. Each message can contain an optional 128-bit UUID large (type 4 according to RFC 4122). Such a UUID can be generated independently by each developer. Where they are used, they can identify a unique type of messages, even when changing the message text. This may support programs that analyze the logs.
Unlike the traditional syslog has the time stamp of journald an accuracy of one microsecond. The rotation of log files is performed by journald even when the size exceeds a limit or restrict the free space on the partition is too small. Network support is provided initially in journald directly. Instead, the developers have provided that the client library can read any number of log files and analyzed in parallel. Thus, the log files from other computers with the usual means to be copied to the computer analysis, and the client tool reads all at once and bring their messages to the correct temporal relationship.
The safety of the log entries will be guaranteed by a cryptographic checksum. The checksum (hash) of each new entry from the new record and creates a hash of its predecessor. If the hash has an entry and this is correct, then one can verify that all previous records are also correct. When the current hash is transferred to a read-only medium, manipulations are always recognizable. Not prevent, however, is that a burglar will delete the entire log. As with the current syslog to this problem only helps you to copy the logs in a secure place.
Also, the access rights to the logs should be handled better. Log messages are written by ordinary users into separate files, which only the user has access via ACLs. Only one group has access to all system logs.
A first version of journald should appear after the plan of the authors in Fedora 17th Syslog will continue to run parallel to, because it will take some time to replace all previous logs. On some systems, a complete separation of syslog will perhaps never be possible. Others, particularly embedded systems, which plays on the logging for the purpose of debugging a major role, could soon benefit from a full conversion.
The binary format of the developers of journald is currently not documented because they are subject to change. Since this is free software, but it is forbidden to anyone to use the code of the client library as a reference for the format, he must expect only so that may change the format yet. If the format is stabilized, it will be expected to obtain a version identifier and documented officially.