←back to thread

Show HN: Nerdlog – Fast, multi-host TUI log viewer with timeline histogram

(github.com)
134 points dimonomid | 5 comments | 21 Apr 25 11:38 UTC | HN request time: 0.002s | source

For more background and technical details, I wrote this up as well: https://dmitryfrank.com/projects/nerdlog/article
Show context
Zopieux ◴[21 Apr 25 13:51 UTC] No.43752026[source]
journalctl is mentioned once in the landing page and it seems to imply that journalctl is not supported per se, as logs need to be stored plaintext to legacy syslog (?).

I do not want to store plaintext logs and use ancient workarounds like logrotate. journald itself has the built-in ability to receive logs from remote hosts (journald remote & gateway) and search them using --merge.

replies(2): >>43752090 #>>43752347 #
dimonomid ◴[21 Apr 25 14:23 UTC] No.43752347[source]
That's true, as of today nerdlog doesn't use journalctl, and needs plain log files. There were a few reasons of that, primarily related to the sheer amount of logs that we were dealing with.

As mentioned in the article, my original use case was: having a fleet of hosts, each printing pretty sizeable amount of logs, e.g. having more than 1-2GB log file on every host on a single day was pretty common. My biggest problem with journalctl is that, during some intensive spikes of logs, it might drop logs; we were definitely observing this behavior that some messages are clearly missing from the journalctl output, but when we check the plain log files, the messages are there. I don't remember details now, but I've read about some kind of ratelimiting / buffer overflow going on there (and somehow the part which writes to the files enjoys not having these limits, or at least having more permissive limits). So that's the primary one; I definitely didn't want to deal with missing logs. Somehow, old school technology like plain log files keeps being more reliable.

Second, at least back then, journalctl was noticeably slower than simply using tail+head hacks to "select" the requested time range.

Third, having a dependency like journalctl it's just harder to test than plain log files.

Lastly, I wanted to be able to use any log files, not necessarily controlled by journalctl.

I think adding support for journalctl should be possible, but I still do have doubts on whether it's worth it. You mention that you don't want to store plaintext logs and using logrotate, but is it painful to simply install rsyslog? I think it takes care of all this without us having to worry about it.

replies(2): >>43752929 #>>43753531 #
lenova ◴[21 Apr 25 16:07 UTC] No.43753531[source]
I appreciate this response, and want to say I really like your tool's UI over something like lazyjournal. But like the above commentor, I would love to see journald support as well, just because it's the default these days on the distros I use, and seems like the direction the Linux system industry has headed in.
replies(2): >>43753848 #>>43770859 #
dimonomid ◴[23 Apr 25 11:29 UTC] No.43770859[source]
Fyi I've done a simple benchmark today, and journalctl is indeed a lot slower than simply reading log files. In case you're interested: https://github.com/dimonomid/nerdlog/issues/7#issuecomment-2...
replies(1): >>43786194 #
lenova ◴[24 Apr 25 18:59 UTC] No.43786194[source]
I have no doubt that journald is slower, and I have no real preference for it. The request for journald support goes back to it being the default on most distros these days. I have to interact with a variety of different servers in different environments, most of which are not managed by myself, and hence I have to interact with was previously setup... which is usually the default config provided by the distro.
replies(1): >>43790919 #
dimonomid ◴[25 Apr 25 06:56 UTC] No.43790919[source]
I see, interesting. If you don't mind me asking, is it a sysadmin kind of job? Just trying to understand the use case better.

Regardless, journalctl support is the single most requested feature, so yeah I'll at least try to make that happen; hopefully on the upcoming weekend if I'm lucky.

replies(1): >>43808469 #
1. lenova ◴[27 Apr 25 00:35 UTC] No.43808469[source]
My role is classified as DevOps consulting, working for several different companies, each with their own unique setup and teams... but yeah, it's basically glorified sysadmin work ;-). On the plus side though, I get to see the realities of internal company tech stacks, and that the default settings often are chosen over better solutions.

Thanks again for considering journald, and at the same time, don't forget that it's your project at the end of the day... you can always disregard feature requests if it's not a direction you want to head in. Though in this case, I do believe journald support would get your tool more traction with a larger audience in the long term.

replies(1): >>43815184 #
2. dimonomid ◴[27 Apr 25 21:13 UTC] No.43815184[source]
Thanks for sharing! Good to know that nerdlog turns out to be helpful not only for devs (the original use case), but also for DevOps :)

Fyi, support for journalctl was added to master, in case you wanted to try it out. I didn't yet add automated tests with the mocked journalctl, but my manual tests show that it's working fine.

If a system doesn't have either `/var/log/messages` or `/var/log/syslog`, nerdlog will now resort to `journalctl` by default.

It can also be selected explicitly by specifying `journalctl` as the file, e.g. `myserver.com:22:journalctl`.

replies(1): >>43823088 #
3. lenova ◴[28 Apr 25 16:13 UTC] No.43823088[source]
Looking good so far! Now it just needs localhost-without-SSH enabled by default (so that as a new user I test out nerdlog immediately without having to think about which server to connect it to), and your initial onboarding/out-of-the-box experience will be ready for a very wide audience! :-)
replies(1): >>43824974 #
4. dimonomid ◴[28 Apr 25 19:21 UTC] No.43824974{3}[source]
Yeah, I agree. Gonna try and get it done on some weekend.

Thanks for trying it out, and for all the suggestions, very helpful!

replies(1): >>43828343 #
5. lenova ◴[29 Apr 25 03:02 UTC] No.43828343{4}[source]
And thank you again for being so receptive to feedback!