Jochen,
On 12/13/23 16:42, Jochen Bern wrote:
On 13.12.23 21:58, Christopher Schultz wrote:
Thank you for your reply, but /var/log is basically empty (meaning very few files located there). journald has absorbed everything and files are no longer the way to get logs from systemd-based environments.
The only thing which contains non-trivial information is /var/log/journal/* which is a bunch of binary files.
My reply below shows how you can get the stunnel-related log messages. I don't believe they are available through any traditional text-based log file.
I don't know about Amazon Linux, but for Linux in general, that's not true.
Yeah, I've been using Linux since 1994 and I have to admit I'm pretty annoyed by the behavior I'm experiencing, here. It's nothing to do with stunnel and everything to do with the choices made by the journald project and the package maintainers for Amazon Linux 2023.
The "Red Hat way" (extending to Fedora, CentOS, Rocky, etc.), in particular, is to have journald pass all data to rsyslogd¹, which then deals with a) long-term plaintext file storage and b) forwarding to remote log servers, areas where journald is still not up to snuff AFAIK.
This is absolutely not happening in this environment.
¹ Squashing the journald-ish structured data into the almost-entirely-flat olde syslog-style message format, of course.
Logically, RHELish distros still do run logrotate as well, and auditd logs directly to files in /var/log/audit/ (that it rotates itself), in spite of the OS being fully systemd based.
Notably, /var/log/audit/ is one of the things that DOES exist in this environment. But /var/log is a wasteland:
$ sudo ls -1F /var/log
README@
amazon/
audit/
btmp
btmp-20231201
chrony/
cloud-init-output.log
cloud-init.log
dnf.librepo.log
dnf.log
dnf.rpm.log
hawkey.log
hawkey.log-20231203
hawkey.log-20231210
journal/
lastlog
private/
sa/
sssd/
tallylog
wtmp
/var/log/README says:
" You are looking for the traditional text log files in /var/log, and they are gone?
Here's an explanation on what's going on:
You are running a systemd-based OS where traditional syslog has been replaced with the Journal. The journal stores the same (and more) information as classic syslog. To make use of the journal and access the collected log data simply invoke "journalctl", which will output the logs in the identical text-based format the syslog files in /var/log used to be. For further details, please refer to journalctl(1).
Alternatively, consider installing one of the traditional syslog implementations available for your distribution, which will generate the classic log files for you. Syslog implementations such as syslog-ng or rsyslog may be installed side-by-side with the journal and will continue to function the way they always did.
Thank you!
Further reading:
man:journalctl(1)
man:systemd-journald.service(8)
man:journald.conf(5)
https://0pointer.de/blog/projects/the-journal.html
"
So I guess the way to get the "Red Hat way" is to additionally install a form of syslog on top of the base system. I'm not sussed to having to do that, since I consider syslog to be one of the most basic parts of a Linux system.
I guess what I'm trying to say is "get off my lawn". :)
-chris
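
Added example, not part of the original message and not code from rsyslog or journald: a sketch of the flattening described in the footnote above, turning `journalctl -o json` entries into classic single-line syslog records. The sample entries, the function names and the fallback facility/severity values are assumptions made for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed sample of `journalctl -o json` output: one JSON object per line.
SAMPLE = "\n".join([
    json.dumps({"__REALTIME_TIMESTAMP": "1702503720000000", "_HOSTNAME": "host1",
                "SYSLOG_IDENTIFIER": "stunnel", "_PID": "1234", "PRIORITY": "5",
                "SYSLOG_FACILITY": "3", "_SYSTEMD_UNIT": "stunnel.service",
                "MESSAGE": "Service [example] accepted connection"}),
    # journalctl serializes a field that is not valid UTF-8 as an array of byte values.
    json.dumps({"__REALTIME_TIMESTAMP": "1702503721500000", "_HOSTNAME": "host1",
                "_COMM": "stunnel", "PRIORITY": "3",
                "MESSAGE": [98, 97, 100, 32, 255, 10, 108, 105, 110, 101]}),
])


def field_text(value):
    """Return a journal field as text; byte arrays are decoded leniently."""
    if isinstance(value, list):
        return bytes(value).decode("utf-8", errors="replace")
    return "" if value is None else str(value)


def to_syslog_line(entry):
    """Flatten one journal entry into '<PRI>timestamp host tag[pid]: message'."""
    facility = int(entry.get("SYSLOG_FACILITY", 1))  # assumed fallback: user (1)
    severity = int(entry.get("PRIORITY", 6))         # assumed fallback: info (6)
    seconds = int(entry["__REALTIME_TIMESTAMP"]) // 1_000_000  # field is in microseconds
    stamp = datetime.fromtimestamp(seconds, tz=timezone.utc).strftime("%b %d %H:%M:%S")
    tag = field_text(entry.get("SYSLOG_IDENTIFIER") or entry.get("_COMM")) or "unknown"
    pid = field_text(entry.get("_PID"))
    if pid:
        tag += f"[{pid}]"
    host = field_text(entry.get("_HOSTNAME")) or "-"
    # A flat log is one record per line: escape embedded newlines so a single
    # journal entry cannot show up as two separate records in the text file.
    msg = field_text(entry.get("MESSAGE")).replace("\n", "\\n")
    # Fields such as _SYSTEMD_UNIT have no slot in this format and are dropped.
    return f"<{facility * 8 + severity}>{stamp} {host} {tag}: {msg}"


def flatten(json_lines):
    """Convert journalctl JSON output (a string) into a list of syslog-style lines."""
    return [to_syslog_line(json.loads(l)) for l in json_lines.splitlines() if l.strip()]


if __name__ == "__main__":
    print("\n".join(flatten(SAMPLE)))
```

On a live system the input would come from something like `journalctl -u stunnel -o json`; timestamps here are rendered in UTC.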