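Ever since I switched to systemd, life has not gotten any easier; instead, systemd-journal has been driving me half to death. systemd-journal is the logging component that ships with systemd, and it is said to be awesome. The problem is that it is far too unstable. Version 189 segfaulted every day; after upgrading to 192 it stopped segfaulting but ran into some kind of insert problem instead, and with 193 that turned into invalid argument. Either way it dies once a day; fortunately the program restarts automatically after it dies. But /var/log/journal/ ends up with a pile of messy files, and sometimes logs even get lost.
Most importantly, journalctl, the tool for viewing the logs, is very inefficient. systemd-journal is fine when writing logs, but reading them is a pain. And because systemd-journal dies every day, it produces lots of very small log files scattered all over, which increases the I/O at read time even further.
For example, I want to look at the mail system's logs. These logs are produced by dovecot and postfix, so I have journalctl output the logs of these two services and then grep for today's date. The output goes straight to /dev/null, and I time it.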
/usr/bin/time -v sudo journalctl -b _SYSTEMD_UNIT=dovecot.service _SYSTEMD_UNIT=postfix.service|grep "Oct 02" > /dev/null
Command being timed: "sudo journalctl -b _SYSTEMD_UNIT=dovecot.service _SYSTEMD_UNIT=postfix.service"
User time (seconds): 0.05
System time (seconds): 0.03
Percent of CPU this job got: 7%
Elapsed (wall clock) time (h:mm:ss or m:ss): 0:01.09
Average shared text size (kbytes): 0
Average unshared data size (kbytes): 0
Average stack size (kbytes): 0
Average total size (kbytes): 0
Maximum resident set size (kbytes): 2560
Average resident set size (kbytes): 0
Major (requiring I/O) page faults: 122
Minor (reclaiming a frame) page faults: 1203
Voluntary context switches: 187
Involuntary context switches: 18
Swaps: 0
File system inputs: 26208
File system outputs: 8
Socket messages sent: 0
Socket messages received: 0
Signals delivered: 0
Page size (bytes): 4096
Exit status: 0
Likewise, I read the mail.log logs produced by syslog-ng directly and time it.
/usr/bin/time -v sudo grep "Oct 2" /var/log/mail.log* > /dev/null
Command being timed: "sudo grep Oct 2 /var/log/mail.log /var/log/mail.log.1 /var/log/mail.log.2"
User time (seconds): 0.00
System time (seconds): 0.00
Percent of CPU this job got: 7%
Elapsed (wall clock) time (h:mm:ss or m:ss): 0:00.19
Average shared text size (kbytes): 0
Average unshared data size (kbytes): 0
Average stack size (kbytes): 0
Average total size (kbytes): 0
Maximum resident set size (kbytes): 1512
Average resident set size (kbytes): 0
Major (requiring I/O) page faults: 16
Minor (reclaiming a frame) page faults: 872
Voluntary context switches: 37
Involuntary context switches: 1
Swaps: 0
File system inputs: 1288
File system outputs: 8
Socket messages sent: 0
Socket messages received: 0
Signals delivered: 0
Page size (bytes): 4096
Exit status: 0
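The difference between the two is pretty big.
Even in file size, systemd-journal shows no advantage. The official claim is that the journal's binary files take up less space, but on my system systemd-journal produces roughly 40-50M of logs per day, about the same as the total that syslog-ng used to produce in a month. The only benefit is that all the logs are in one place, so you can output logs by service without having to think about which file that service's logs are recorded in.
It seems the better approach for now is to still forward the logs to syslog-ng, so that periodic scripts such as fail2ban read the text files directly, which also avoids the trouble of lost logs, while journalctl can still be used when you want to view logs.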
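A sketch of the kind of periodic script the last paragraph has in mind, reading the forwarded text log directly and counting failed postfix/dovecot logins per source IP for one day. This is an added example, not code from the original post; the sample lines, IP addresses, host name and function names are constructed, and the timestamp matcher accepts both the space-padded ("Oct  2") and zero-padded ("Oct 02") day forms.

```python
import re
from collections import Counter

# Constructed sample lines in classic syslog text format (not from the original post).
SAMPLE_LOG = """\
Oct  2 10:01:11 mx postfix/smtpd[2301]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Oct  2 10:01:15 mx postfix/smtpd[2301]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Oct 02 10:02:40 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<bob>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10
Oct  2 10:03:02 mx dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=198.51.100.4, lip=192.0.2.10
Oct  2 10:05:19 mx postfix/smtpd[2310]: warning: unknown[198.51.100.9]: SASL PLAIN authentication failed: authentication failure
Oct  1 23:59:58 mx postfix/smtpd[2200]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
"""

# "Mon D hh:mm:ss" prefix; the day may be space-padded or zero-padded.
STAMP = re.compile(r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+\d{2}:\d{2}:\d{2}\s")

# Failure patterns for the two services named in the post.
FAILURES = [
    re.compile(r"postfix/smtpd\[\d+\]: warning: \S+\[(?P<ip>[0-9a-fA-F.:]+)\]: "
               r"SASL \S+ authentication failed"),
    re.compile(r"dovecot: \S+-login: .*\(auth failed.*\brip=(?P<ip>[0-9a-fA-F.:]+)"),
]

def failed_logins(lines, month, day):
    """Count failed authentications per source IP for one calendar day."""
    counts = Counter()
    for line in lines:
        m = STAMP.match(line)
        if not m or m.group("mon") != month or int(m.group("day")) != day:
            continue  # wrong day, or not a syslog-formatted line
        for pattern in FAILURES:
            hit = pattern.search(line)
            if hit:
                counts[hit.group("ip")] += 1
                break  # count each line at most once
    return counts

def offenders(counts, threshold):
    """Return the IPs at or above the threshold, sorted for stable output."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    counts = failed_logins(SAMPLE_LOG.splitlines(), "Oct", 2)
    for ip in offenders(counts, threshold=3):
        print(ip, counts[ip])
```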