Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

it's a bit odd to defend the new kid on the block, journald, and then go and link to fluentbit.

I feel like we're missing the elephant in the room, which is that almost everyone is going to forward logs over the network completely bypassing journald/journalctl altogether. At which point you have to ask: who is journald for? In the server environment, you're going to send everything to Splunk or whatever.

Which just leaves desktop users to deal with the headache that is journald. Desktop/workstation users don't care about tamper detection, corruption, or any of that nonsense. If there is corruption going on, I doubt they care that their boot logs are invalid. I'm 100% sure they care more that their 3D render that took 30 hours to render is now corrupt, or some other asset or document.

And in the rare case they do need to dive into the logs, they aren't going to want to re-learn journalctl again.

journald is a solution to a 1990s problem that no longer exists.



I linked to fluentbit only as an independent journal reader, not for what it does as a service.

To be clear, I wasn't defending usefulness of sealing and signing. Just the fact that not only it's independently readable, but also you can find out about corruption of it matters to you for forensic purposes raised.

Journalctl does provide at least one significant feature though - on a properly configured system "journalctl -u foobar" gives you the logs of foobar. No more chasing which file they live in, no more stdout goes here, stderr there, and logs get split in that special way over there. This is great for desktop users.


This is a pretty good description of the problems for sure. Thanks for writing it up.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: