Discussion:
[rsyslog] can rsyslog replace and eliminate journald?
Franta Hanzlik
2016-11-17 22:21:26 UTC
Permalink
For those of us who must use and especially manage Linux systems with
systemd init, is there any way to use only rsyslog instead with journald
logger?
E.g. an rsyslog input module, which would (probably) in addition to
/dev/log receive messages from the systemd init. Perhaps it assumes
that there is (reasonably described and stable) interfaces between
systemd and journald.
Binary logs I do not need and want, so there is no reason to run journald.
--
Thanks, Franta Hanzlik
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
David Lang
2016-11-17 22:31:28 UTC
Permalink
Post by Franta Hanzlik
For those of us who must use and especially manage Linux systems with
systemd init, is there any way to use only rsyslog instead with journald
logger?
E.g. an rsyslog input module, which would (probably) in addition to
/dev/log receive messages from the systemd init. Perhaps it assumes
that there is (reasonably described and stable) interfaces between
systemd and journald.
Binary logs I do not need and want, so there is no reason to run journald.
I am told that there is a way to configure journald to not grab /dev/log, but
I'm not finding my link to it at the moment.

That being said, jouirnald is a non-optional part of systemd, there is no stable
API defined between journald and the rest of systemd, they claim that they need
to do this so that they can change it at will.

David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Brendan Kearney
2016-11-17 22:33:48 UTC
Permalink
Post by Franta Hanzlik
For those of us who must use and especially manage Linux systems with
systemd init, is there any way to use only rsyslog instead with journald
logger?
E.g. an rsyslog input module, which would (probably) in addition to
/dev/log receive messages from the systemd init. Perhaps it assumes
that there is (reasonably described and stable) interfaces between
systemd and journald.
Binary logs I do not need and want, so there is no reason to run journald.
in /etc/systemd/journald.conf, change:

ForwardToSyslog=no
to
ForwardToSyslog=yes

and optionally:

Storage=auto
to
Storage=none

then configure /etc/rsyslog.conf to your liking. restart
systemd-journald. enable and start syslog. you will have syslog
working and optionally no systemd journal logging. i use rsyslog with
RELP and OMMySQL to push all my logs into mariadb.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
David Lang
2016-11-17 22:57:46 UTC
Permalink
Post by Brendan Kearney
Post by Franta Hanzlik
For those of us who must use and especially manage Linux systems with
systemd init, is there any way to use only rsyslog instead with journald
logger?
E.g. an rsyslog input module, which would (probably) in addition to
/dev/log receive messages from the systemd init. Perhaps it assumes
that there is (reasonably described and stable) interfaces between
systemd and journald.
Binary logs I do not need and want, so there is no reason to run journald.
ForwardToSyslog=no
to
ForwardToSyslog=yes
ForwardToSyslog tells systemd to still process the logs, but then to forward
them to rsyslog.

There is some other option available that tells it to not create /dev/log at all
and let the programs log directly to rsyslog

David Lang
Post by Brendan Kearney
Storage=auto
to
Storage=none
then configure /etc/rsyslog.conf to your liking. restart systemd-journald.
enable and start syslog. you will have syslog working and optionally no
systemd journal logging. i use rsyslog with RELP and OMMySQL to push all my
logs into mariadb.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Franta Hanzlík
2016-11-17 23:52:30 UTC
Permalink
On Thu, 17 Nov 2016 14:57:46 -0800 (PST)
Post by David Lang
Post by Brendan Kearney
Post by Franta Hanzlik
For those of us who must use and especially manage Linux systems with
systemd init, is there any way to use only rsyslog instead with journald
logger?
E.g. an rsyslog input module, which would (probably) in addition to
/dev/log receive messages from the systemd init. Perhaps it assumes
that there is (reasonably described and stable) interfaces between
systemd and journald.
Binary logs I do not need and want, so there is no reason to run journald.
ForwardToSyslog=no
to
ForwardToSyslog=yes
ForwardToSyslog tells systemd to still process the logs, but then to forward
them to rsyslog.
There is some other option available that tells it to not create /dev/log at all
and let the programs log directly to rsyslog
I'm not expert there, but IMO there must be /dev/log as programs which
want log to syslog use it (syslog() call use this?!).

There is another problem - it is a need to log messages from systemd, as
systemd itself produce them. And maybe also forward services stdout/stderr,
as systemd capture it (and services under systemd are now often configured
to run in foreground. But maybe this can be solved by
"--default-standard-output=syslog" and "--default-standard-error=syslog"
systemd option, this possibility is still there.
Post by David Lang
David Lang
Post by Brendan Kearney
Storage=auto
to
Storage=none
then configure /etc/rsyslog.conf to your liking. restart systemd-journald.
enable and start syslog. you will have syslog working and optionally no
systemd journal logging. i use rsyslog with RELP and OMMySQL to push all my
logs into mariadb.
That's how I do it now. But there still run journald (perhaps only as
forwarder to syslog). I want eliminate it, when possible.
--
Franta Hanzlik
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
David Lang
2016-11-18 00:05:12 UTC
Permalink
Post by Franta Hanzlík
On Thu, 17 Nov 2016 14:57:46 -0800 (PST)
Post by David Lang
Post by Brendan Kearney
Post by Franta Hanzlik
For those of us who must use and especially manage Linux systems with
systemd init, is there any way to use only rsyslog instead with journald
logger?
E.g. an rsyslog input module, which would (probably) in addition to
/dev/log receive messages from the systemd init. Perhaps it assumes
that there is (reasonably described and stable) interfaces between
systemd and journald.
Binary logs I do not need and want, so there is no reason to run journald.
ForwardToSyslog=no
to
ForwardToSyslog=yes
ForwardToSyslog tells systemd to still process the logs, but then to forward
them to rsyslog.
There is some other option available that tells it to not create /dev/log at all
and let the programs log directly to rsyslog
I'm not expert there, but IMO there must be /dev/log as programs which
want log to syslog use it (syslog() call use this?!).
traditionally, /dev/log is created by the syslog daemon. jounrald creates one
itself, so rsyslog cannot create it and so cannot get the logs directly.
Post by Franta Hanzlík
There is another problem - it is a need to log messages from systemd, as
systemd itself produce them. And maybe also forward services stdout/stderr,
as systemd capture it (and services under systemd are now often configured
to run in foreground. But maybe this can be solved by
"--default-standard-output=syslog" and "--default-standard-error=syslog"
systemd option, this possibility is still there.
Yes, there are two issues here

1. how to get logs out of journald that go there no matter what you do

A. have journald write them to a log and periodically query for new messages
(this is what imjournal does in rsyslog)

This has had several problems historically, due to bugs in the ability to
query journald logs (there is one outstanding now that causes log delivery
to stop if time goes backwards)

B. have journald deliver the logs to rsyslog

This has the problem that journald will not pass along all the info it has
about the log when delivering it to /dev/log. They insist on not using
RFC5424 structured data format, and not delivering the logs as JSON, either
of which would allow all the data to be delivered. They insist on only
delivering traditionally formatted log message data without the metadata
"because it's not standard" and have said that they will refuse to accept
patches that would deliver all the metadata.

2. how to get logs without them going through systemd

The reason for wanting to do this is to avoid the overhead of journald
processing all the logs. If that isn't a problem for you, then you let
journald gather all the logs and then look at the options above for getting
the logs out of journald.

Loading...