Use systemd/journalctl for all logs

Feature Requests
1

All,

Currently, the pihole-FTL service is using systemd/journalctl for it’s logging.

Is it possible to use systemd/journalct for all logs instead of using “old fashioned” logs in /var/pihole (FTL.log, pihole.log, pihole_updateGravity.log and webserver.log).

By doing so all log info is in one modern facility which will ease system maintenance and debugging :wink:

TIA,

Arjan

3

There is currently just the pihole-FTL.service so there's only one log file associated with that service. Dumping multiple log files to one service would be very chatty and very confusing.

You could try using rsyslog to create the logging pipeline that works for you though.

4

Thanks for your reply @DanSchaper, but maybe I’ve been too unclear. Let me point out, I am referring to the log files in /var/log/pihole. Since they are there at this location I had the impression that they are part of pihole, to be more precise, part of the pihole-FTL service.

pi@vpn:/var/log/pihole $ ls -l
total 78052
-rw-r----- 1 pihole pihole     2622 Jan 16 08:14 FTL.log
-rw-r----- 1 pihole pihole    52659 Jan  7 08:36 pihole_debug.log
-rw-r----- 1 pihole pihole 79859294 Jan 16 09:08 pihole.log
-rw-r----- 1 pihole pihole     1484 Jan 11 04:43 pihole_updateGravity.log
-rw-r----- 1 pihole pihole        0 Jan 13 00:00 webserver.log
pi@vpn:/var/log/pihole $

The most interesting one is pihole.log, let’s dig into this file:

pi@vpn:/var/log/pihole $ sudo lsof ./pihole.log
COMMAND   PID   USER   FD   TYPE DEVICE SIZE/OFF   NODE NAME
pihole-FT 610 pihole   41w   REG  179,2 79872554 261453 ./pihole.log
pi@vpn:/var/log/pihole $ ps -fp 610
UID        PID  PPID  C STIME TTY          TIME CMD
pihole     610     1  3 Jan12 ?        03:22:29 /usr/bin/pihole-FTL -f
pi@vpn:/var/log/pihole $

I think (at least) this one is part of the pihole-FTL service. So my FR is to have the service write the messages not into pihole.log but into systemd-journal.

Background: I had a serious challenge with the functionality given by pihole-FTL. Has been resolved :slight_smile: , ⁣ but it would have been so much easier if pihole.log was written to the systemd-journal. Next to that I think it’s best practice for Linux processes/daemons to use systemd-journal instead of seperate logfiles.

Are you wiling to reconsider your opinion?

TIA,

Arjan

5

It might be what systemd wishes as best practice on distros making use of it, but it's not linux best practice by any means. There are multiple init systems and Pi-hole supports Alpine linux which does not use systemd.

6

This is also an opinion. I am fine with that.

On my Pi I see that pihole-FTL a systemd service is, it writes to systemd-journalclt and I think I ask a reasonable FR to have all logs which are created by the pihole-FTL service go into systemd-journalctl.

If the developers of Pi-Hole agree is something I leave to their discretion. I understand it is “work” and maybe there are many other things to do on Pi-Hole which are much more important.

I leave the Holy discussion about init systems (but also emacs/vi) to others.

Arjan

7

Nor am I. My main desktop system uses systemd, some of my other systems do not. Each has their place but the different systems and their limitations are an important consideration when writing code.

Here is a shell script that you could run on startup that will duplicate in real time the log information within the systemd journal, tagging by severity and which file they came from. Sadly this approach is necessary because systemd's journal by design does not and as stated policy will never be able to ingest data from log files as is possible with rsyslog.

Execute it as root (or any user of your choice that has access to the pihole log files and authority to write to the system journal) on startup or any other time you would like pi-hole's log contents duplicated within the systemd journal.

#!/bin/bash
#
# Tail Pi-hole log files and forward entries into systemd-journald
# with inferred severity and per-file SYSLOG_IDENTIFIER tags.
#
# This file is copyright under the European Union Public License version 1.2 or newer
#

LOG_FILES="
/var/log/pihole/FTL.log
/var/log/pihole/pihole.log
/var/log/pihole/pihole_debug.log
/var/log/webserver.log
/var/log/pihole_updateGravity.log
"

infer_priority() {
    line="$1"

    case "$(printf '%s\n' "$line" | tr '[:upper:]' '[:lower:]')" in
        *debug*)              echo 7 ;;
        *info*)               echo 6 ;;
        *warn*|*warning*)     echo 4 ;;
        *error*|*err*)        echo 3 ;;
        *fatal*|*critical*)   echo 2 ;;
        *)                    echo 5 ;;
    esac
}

tag_for_file() {
    file="$1"

    case "$file" in
        */FTL.log)                     echo "pihole-FTL" ;;
        */pihole_debug.log)            echo "pihole-debug" ;;
        */webserver.log)               echo "pihole-web" ;;
        */pihole_updateGravity.log)    echo "pihole-updategravity" ;;
        *)                             echo "pihole" ;;
    esac
}

cleanup() {
    echo "Stopping Pi-hole log forwarder."
    exit 0
}

trap cleanup INT TERM HUP

# Ensure all log files exist
for f in $LOG_FILES; do
    [ -e "$f" ] || touch "$f"
done

echo "Forwarding Pi-hole logs to systemd journal (Ctrl+C to stop)..."

tail -F -v $LOG_FILES 2>/dev/null | \
while IFS= read -r line; do
    case "$line" in
        "==>"*"<=="*)
            current_file=$(printf '%s\n' "$line" | sed 's/^==> //; s/ <==$//')
            current_tag=$(tag_for_file "$current_file")
            continue
            ;;
    esac

    prio=$(infer_priority "$line")
    printf '%s\n' "$line" | systemd-cat -t "$current_tag" -p "$prio"
done
8

Thanks @robgill Great workaround for now, but no more than a workaround.

As you can see from my post, the files are created by pifhole-FTL (started as by the systemd service pihole-FTL). I am just asking to make sure that all logs created by pihole-FTL (the systemd service) go into the journal. What’s the problem with this? Is it not a clear and genuine FR which makes sense for systems with systemd?

Cheers,

Arjan

9

Most users probably don't know or care where Pi-hole stores its log files.

From my support point of view, the current advantage of Pi-hole storing log files in a default location -regardless of the distro its running on- is that it allows us to easily request information from and/or point users to the correct location to help them analyse issues, should that be needed.

10

For my use case, once Pi-hole (or most anything else) is set up and humming along I don’t have need of log file inspection. When I do, I like that I canlessthen search in a targeted location/file, without needing to filter out the rest of my system’s activity. This is just my perspective though.

11

@Bucking_Horn normal users will probably never be interested in log files, let alone it’s location. They do get interested once things go “wrong” and they are asked for log info. Since it is Linux it will probably never be completely the same on all hardware/OS. Let’s make use of the appropriate logging facility on each system. I think generally there are two, systemd-journal and separate files.

@tomporter518 I fully agree that if it is bound to one component, e.g. pihole-FTL a single file is good enough. Although very often it is related to something else, or initiated by something else happening on the system. Often you do not know upfront which components come into play.

In that case you need to manually correlate many files, I haven't spoked to anybody how enjoys that. With systemd-journal you do not have to correlate, it’s there already, often root cause and symptom are easily identified.

I think we should take advantage of modern facilities if they are available. The pihole-FTL service does that already, now let’s make the next step and make sure that all logging of the service goes into systemd-journal.

If there is no systemd-journal you have to revert to files.

Cheers,
Arjan

12

I understand the convenience of being able to use journalctl to examine the logs and the desire to have one mechanism for examining logs.

The issue is best use of developers resources. This is a QOL request and thus lower priority. It's not a hard no from me but I wouldn't expect it any time soon.

14

Also have to consider that how the journals are stored can differ between distros:

I'd rather have those logs to be stored reboot persistent instead of "volatile".

16

IMHO that’s a Raspberry Pi OS specific issue because the Raspberry Foundation keeps doing weird and unexpected/unneeded things to it each year again and again…

They are getting very annoying! :frowning:

But I guess it can be fixed by the install script should it be needed ?!

17

Yeah but that means changing a setting thats global to the whole system.
Which seems a bit too much ... but possible.

18

Good documentation + A BIGASS WARNING during the installation should do the trick ?! :rofl:

20

All,

For every solution there is a new problem. We should agree on if the advantages of using systemd for the logs have more weight then the disadvantages. If we agree the advantages outgrow the disadvantages than we should put this on the “enhancement” list of features at the right level.

21

Hello,

I have started initial work for structured logging, including JSON and journald.
They include all three (FTL, dnsmasq and webserver) logs and can easily be filtered via the structured journal field COMPONENT=

My current progress can be seen at structured logging: JSON and journald by darkexplosiveqwx · Pull Request #2897 · pi-hole/FTL · GitHub

The current version for journald requires linking against libsystemd, I may be able to provide some instructions on how to try it out in the upcoming days.

22

Hello,

If you ask for a feature, I think I should help the developer as much as I can. So if there is anything I can do ... let me know.

Currently runing pihole on:

HARDWARE Raspberry Pi 2 Model B Rev 1.1

SOFTWARE
PRETTY_NAME="Raspbian GNU/Linux 11 (bullseye)"
NAME="Raspbian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=raspbian
ID_LIKE=debian
HOME_URL="http://www.raspbian.org/"
SUPPORT_URL="http://www.raspbian.org/RaspbianForums"
BUG_REPORT_URL="http://www.raspbian.org/RaspbianBugs"

MEMORY 944104

ACHITECTUUR: 32 bits

Let me know if I can be of help.

23

If you want you can test the feature, but I wouldn't recommend testing it on your Pi 2. Even though its been running fine for me, there may still be issues. (Don't risk angering your family by breaking the internet).
Compilation could also be an issue, it took 2.5min and needed 1.5GB of RAM on my Pi 5

Install it locally

I am not a member of the Pi-hole team, so there are no pre-compiled binaries availible for use in pihole checkout.
You will need to compile my fork from source.
Follow the guide at Install from source - Pi-hole documentation with some modifications:
clone and checkout my branch:

git clone https://github.com/darkexplosiveqwx/pi-hole-FTL
cd pi-hole-FTL
git checkout log-json

Before compilation you need libsystemd development headers. Install libsystemd-dev on Debian or systemd-devel on Fedora.

Compile and install with: (requires sudo)

./build.sh install

verify that journald support is enabled by looking for

-- Looking for systemd/sd-journal.h
-- Looking for systemd/sd-journal.h - found
-- Building FTL with systemd journal support: YES

during compilation.

change ExecStart=/usr/bin/pihole-FTL -f inside /etc/systemd/system/pihole-FTL.service to ExecStart=/usr/bin/pihole-FTL -f --log-journal

Restart:

sudo systemctl daemon-reload && sudo systemctl restart pihole-FTL.service

Note that if you run sudo pihole updatePihole the custom binary is replaced and you need to re-do the binary install and systemd.service modification.

You can see the combined FTL, webserver and dnsmaq logs with journalctl -u pihole-FTL.service
Currently three structured fields are availible: PRIORITY colors logs and can be filtered with -p [emerg alert crit err warning notice info debug], COMPONENT shows what logfile it is part of: either "FTL", "webserver" or "dnsmasq".
If you only want to see dnsmasq logs, for example, you can filter:

journalctl -u pihole-FTL.service COMPONENT=dnsmasq

DEBUG_FLAG is available for FTL logs only and is for the various debug.* configuration options.

-o verbose shows all fields:

$ journalctl -b -u pihole-FTL.service -o verbose --since 16:00
[...]
Mon 2026-05-25 16:45:07.076139 CEST [s=65f32373262f48cf9b8ec81f55f6f53a;i=3aff98;b=fd295f4332434d5b8042d1fdb259cc73;m=53c8748e0;t=652a56cb3ec4d;x=d7d3e2cfa81ad88d]
    _MACHINE_ID=9743fed77cf54650972aa91ba6f08e87
    _HOSTNAME=frodo-blue
    PRIORITY=6
    _SYSTEMD_SLICE=system.slice
    _TRANSPORT=journal
    _RUNTIME_SCOPE=system
    _SELINUX_CONTEXT=system_u:system_r:unconfined_service_t:s0
    _EXE=/usr/bin/pihole-FTL
    SYSLOG_IDENTIFIER=pihole-FTL
    _UID=969
    _GID=967
    _COMM=pihole-FTL
    _CAP_EFFECTIVE=2803401
    _SYSTEMD_CGROUP=/system.slice/pihole-FTL.service
    _SYSTEMD_UNIT=pihole-FTL.service
    DEBUG_FLAG=DEBUG_ANY
    COMPONENT=FTL
    _CMDLINE=/usr/bin/pihole-FTL -f --log-journal
    _BOOT_ID=fd295f4332434d5b8042d1fdb259cc73
    _PID=95120
    _SYSTEMD_INVOCATION_ID=747d3db881f047e4bdb741269b2fdfdb
    MESSAGE=PID of FTL process: 95120
    _SOURCE_REALTIME_TIMESTAMP=1779720307076139

Is there any other journald fuctionality you had in mind for this Feature Request?

24

I think a better feature request would be to change FTL to NOT use systemd logging. I would much rather have plain text logs than something tied to a specific "init" (I use the term very loosely) system storing binary logs that needs a specific application to recover them.

Using systemd logs would also make porting to (say) BSD (which I know some people have looked into - no idea if it works yet) much more difficult