[Spivak]

> I mounted the disk and tried to read off the log, but couldn't.

I mean yes, you need something to parse the logs and turn them into human readable text, but the logs are perfectly readable.

journalctl --file /mnt/var/log/journal/`</mnt/etc/machine-id`/system.journal | my-favorite-log-reader

A lot, dare I say most, of the parts of systemd actually are optional or do nothing until you use them like systemd-machined.

[structural]

The assumption here is that the machine you're using to do the log analysis is also a Linux machine that uses systemd (and thus has a journalctl binary). This is not necessarily true.

A lot of the annoyance that some people have with the systemd crowd is that these kind of assumptions are made all over the place. The actual software is not bad (I really do prefer dealing with systemd units than writing shell scripts for each service) but it can be hard to get past.

[mises]

Exactly. I was doing a competition that required me to run windows with a linux vm on top of it. This means I couldn't easily do it. Ended up having to use WSL, which is much more hassle than I ought to have to go through.

I agree as well with the unit comment; they're great. But I just can't get past the plans for world domination.

[viraptor]

I'm not sure I see the problem. At scale, you're logging into an aggregator anyway. If part of your job is log recovery/analysis then you need to get the right tools working (docker works almost everywhere now, so that should solve it). In a small environment, I'm you can find a way to run a VM somewhere temporarily.

[mises]

I was doing security on a VM image. I wasn't doing anything at scale, and wasn't doing the initial deployment. Log recovery/analysis wasn't the job, it was a necessary component thereof. Docker makes no sense when I'm doing OS-level hardening on a VM.