[snip: about "journalctl -b -1 -p err"]
You are cherry-picking the one thing that isn't logged by most syslog daemons by default,, in a disingenious attempt to show that syslog is "worse", even though it is off by default because it is of little use. If we cared AT ALL to have the "log level" information, it would be logged.
I chose the example because it has proven really useful to me. The example will quickly show any serious error that may have cause a system to fail. Being able to filter out all boot-sessions that aren't relevant is really useful. Being able to see all serious errors on a system at a glance is really useful too. Being able to easily combine such queries into one is pure gold.
But there is so much more that syslog doesn't log. This brings on another fundamental problem with text logs; they are hard to parse for machines due to their lack of structures, and they become hard to parse for humans too if they contain too much information.
Monotonic and micro-precision timestamps are great, but they foul up the readability of syslog textfiles simply because they make the lines longer. So basically syslog can't put the same amount of logging info in the log files, not for direct technical reasons, but because the log file format is inadequate.
The systemd journal on the other hand, can easily be extended with ever more fields as needs arise. And it can do so without breaking userland!
Because another problem with the unstructured syslog text logs are that they have no programmatic API or even "labels" for each part of a logging entry. That means the very structure of the log entries has become a sort of API, so changing that structure by adding more information, and thousands of userland log-watcher scripts that rely on "cut" simply breaks down.
The discussions of the many limitations of syslog,
Fine. Then solve the problem where it should be solved, and add this to /etc/syslog. You systemd apparatchik like editing non-script-based config files, right?
Many of the problems can't be solved by adding features to syslog. If you want "metal-to-metal" logging you just got to design something like journald for so many technical reasons, including that the Linux kernel only accept one owner of /dev/log.
But as said, the most fundamental problems are the total lack of coordination between stuff in Linux. It is almost impossible to improve some things because of that. The Rsyslog team have fought valiantly over the years, but the sheer lethargy and no formal coordination means changes are hard to impossible.
The systemd team solved this problem in the most elegant way possible; they made a new logger that were 100% backwards compatible with syslog, but at the same time introduced radical new features. The end-users could user whatever option that suited them best, and userland didn't have to change a line of code, while still benefiting from the new features.
This way all the systemd Linux distros and userland programs can slowly migrate to using the new journald logging API. No "flag day" problems!
# probably already in the config
source src { system(); internal(); }
# here's your damn filter
filter f_err_only { level( "error"}; };
# pre-filtered log output
destination err_only_log { file("/var/log/err_only_messages"); };
# link the filter to a destination
log { source(src); filter(f_err_only); destination(err_only_log); };
Now you can read those messages only using "less". You DID know that syslog has very flexible log routing and filtering capabilities, right?
I think the above examples greatly illustrate several problems with syslog text-files.
But first; despite spanning several lines, it isn't even remotely close to what "journalctl -b -1 -p err" does. It isn't an ad hoc query either, so it doesn't have any useful information from before it was set up.
It doesn't filter the errors to a particular boot, nor does it (AFAIK) show errors above "error".
It also introduce yet another log-file. On some systems you will find perhaps +20 such log files scattered all over the system. Madness I say. The reason for the splitting is of course, that it is damn hard to extract similar information with ad hoc queries. Especially newbies doesn't stand a chance.
With systemd's journal, you get a single view of _all_ log files on the entire system, including that pesky ".xsession-errors" that hides in /~user and only grows since it isn't log rotated.
And is so trivial to extract the information you want that no splitting is needed.
claiming that regular expressions are easy is laughable.
If regex is too hard, you might as well give up now. Regex is only hard if you abuse it badly, which is true for any programming language. This is just trolling at this point.
regex _is_ hard. This is partly because it is so powerful and generic. But using it is also hard because there are both regular _and_ extended regular expressions, _and_ maddening variations of both in awk/grep besides the Posix ones etc.
If it was easy to use regex on syslog text files there would never be a need to split them up.
Most Linux users these days don't know regex, so they use vi/less to read the logs and perhaps use grep if they are advanced users.
Oh, and thanks for admitting you are an inexperience n00b. You may have been using linux since the early slackware days, but didn't seem to learn much.
No, read again. What I said was that it should be easy to replicate the "journalctl -b -1 -p err" query since you claim it was n00b stuff. You utterly failed to do so.
As for your "challenge", I have yet to see any systemd apparatchik rise to the challenge to prove that systemd isn't an unmaintainable monolithic mess, by showing how to replace (NOT CHAIN) journald with syslog-ng or indeed run any of the systemd components in isolation.
You see, the genial thing about journald is that it is totally compatible with syslog-ng and all other syslog(3) implementations, and it actually enhances them by getting early boot logging info they can't obtain otherwise. All legacy userland logwatcher and log-analysing software still work when using journald that way.
It is possible to replace journald with a similar implementation, so in theory the syslog-ng could do that. But the functionality would have to be extremely similar (API etc). So they would basically just have another journald replica, and what would be the purpose of that?
Also, remember that journald isn't a log-sink while syslog-ng and Rsyslog are. So while Rsyslog isn't needed as a local system logger on ordinary machines, it still have a good purpose.
Regarding the monolithic claims. First, many parts of systemd are actually designed to have independent implementations with stable API's and what not. Here is a table of which parts and some known alternative implementations:
http://www.freedesktop.org/wik...
Also, a lot of the systemd stuff is in shared libraries so it is trivial to make alternative implementations, or in case of the networking stack, use it on non-systemd distros too. (it is basically "connman" turned into a library for many functions).
Finally, there are very few core dependencies for systemd; basically: the systemd daemon, udev and journald. And even the latter two can be ripped out (see minimal builds) for use in embedded systems.
Everything else is optional and can be substituted with any other Linux solution.
That some of the tools like "journalctl" should work outside a systemd context is a crazy requirement. They are systemd specific tools, just like the ext4 file system tools are ext4 specific.
The whole "monolithic" claim is hugely overblown and all stems from some people that felt entitled to leach parts of the systemd code so they didn't have to do the work themselves.