On Mon, 15.07.13 12:12, Chris Murphy (lists@colorremedies.com) wrote:
On Jul 15, 2013, at 7:37 AM, Lennart Poettering mzerqung@0pointer.de wrote:
If you care about debugging broken systems journaclt is almost certainly the better option.
So far I haven't seen anything in /var/log/messages that isn't in journalctl -xb. Is it fair to say that journalctl -xb should be a superset of messages (for the current boot)?
The journal will forward everything we have to a running syslog daemon (or actually, recent rsyslog turned this around and now pulls out everything it can). However, that only happens during late boot, i.e. after /var is up. The journal however works pretty much any time, it is already available in the initrd, and in early-boot. If your initrd hangs, you can type journalctl and it will give you log messages already.
This works, since the journal stores things to /run during early boot, and this is then flushed to /var as soon as that's available.
So, this isn't really about the amount of data, it's about when it is available. And if your boot-up fails, then journalctl is more likely to help you than /var/log/messages, since for that you'd first to have /var mounted... (well, beyond that it's also about the metadata. journalctl will always provide you with the full set of metadata, while /var/log/messages by default only contains teh actualy text messages, timezone-less timestamp, hostname, "tag" and PID).
Lennart