previously on this list Helmut Grohne contributed:
> > It's just occurred to me that the binary format may not work with append
> > only logging?
>
> That's true for the journal. When the journal opens its binary log, it
> flags the file as being opened, but what is the issue with not being
> append only?

I like to use the kernel to enforce append only on certain log files so that they can't be tampered with without finding a kernel exploit or rebooting. You're right in that it does mean you can't compress but I find logs are small on modern disks. I do it all the time on OpenBSD with schg backed up by its ace critical bug free kernel and have done so on Linux with chattr -a mixed with another trick that I forget right now though I believe it can be done with RBACs like grsecurity's or SELinux.

> > Also recovering those logs from a possibly intentionally
> > incompletely wiped disk would be much harder especially on an ext3/ext4
> > filesystem where carving is required when otherwise you could image or
> > ddrescue in case of hardware failure and use grep.
>
> I have not tried, but I imagine it not being that much harder for the
> following reasons:
>
> If your journal is compressed, you basically lose, but that is true for
> compressed text logs as well. So if you need this recovery scenario,
> don't compress.
>
> If your journal is uncompressed, you can exploit aspects of the format
> to find the log. Specifically, log entry consists of key-value pairs,
> most of which likely match /\(_SYSTEMD_[A-Z_]*\|MESSAGE\)=.*/. Another

True and fair enough, though can you read partial fragments from a journal or does it need the whole thing or complete chunks recovered? Anyway it's not like I have ever needed to do this but it's good to know you can and for the same reason I save my odt files as text occasionally when writing them as a more reliable format and advise others to do so.

-- 
_______________________________________________________________________

'Write programs that do one thing and do it well. Write programs to work together.
Write programs to handle text streams, because that is a universal interface'

(Doug McIlroy)

In Other Words - Don't design like polkit or systemd
_______________________________________________________________________
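
The carving approach from the quoted reply, as an added example that is not part of the original thread: it scans a raw image for the quoted pattern and reports each field with its byte offset, without relying on any file header or object structure. The names carve_fields and build_sample_image are hypothetical, the sample bytes are constructed (not a real journal file), and values are assumed to be runs of printable ASCII.

```python
import re

# Pattern from the thread, in Python bytes-regex syntax. The value is taken as
# a run of printable ASCII (assumption: binary-valued fields are cut short).
FIELD_RE = re.compile(rb"(_SYSTEMD_[A-Z_]*|MESSAGE)=([\x20-\x7e]*)")


def carve_fields(image: bytes, min_value_len: int = 1):
    """Return (offset, key, value) for every field-like run in a raw image."""
    hits = []
    for m in FIELD_RE.finditer(image):
        value = m.group(2)
        if len(value) < min_value_len:
            continue  # bare "KEY=" with nothing readable after it
        hits.append((m.start(), m.group(1).decode(), value.decode()))
    return hits


def build_sample_image() -> bytes:
    """Constructed stand-in for a partly wiped disk: junk, fields, zeroed gap."""
    junk = bytes(range(0x80, 0x100)) * 4
    return b"".join([
        junk,
        b"MESSAGE=Accepted publickey for admin\x00\x00\x00",
        b"\x07\x00\x00\x00_SYSTEMD_UNIT=ssh.service\x00",
        b"\x00" * 512,                      # wiped region
        b"SAGE=tail of a fragment lost its key\x00",
        b"_SYSTEMD_CGROUP=/system.slice/ssh.service\x01\x02",
        b"MESSAGE=\x00",                    # key survived, value did not
        junk,
    ])


if __name__ == "__main__":
    for offset, key, value in carve_fields(build_sample_image()):
        print(f"{offset:#08x}  {key}={value}")
```

The fragment whose key was overwritten ("SAGE=...") is not reported, which is the limit of matching on field names alone.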