Reputation: 29
Exporting logs using journald / rsyslogd
I am trying to export kernel logs (/var/log/messages) to remote Syslog servers. Till now, most of the system logs are stored in journald currently and rsyslogd is disabled.
So, I am planning to use rsyslogd to export logs (By configuring the rsyslog.conf file). Firstly, I will pass those kernel logs from journald to rsyslogd and then export them.
Can someone suggest if this is the right path to proceed or I can use directly journald to achieve the same?
Upvotes: 1
Views: 4782
Answers (1)
Reputation: 697
Systemd can collect and store logs, but it doesn’t have a built-in method of logging to remote locations such as log management systems. Instead, it relies on the device’s syslog service to relay messages between journald and a remote syslog server.
However, syslog is text-based and the journald uses a binary format, so your logs need to be converted before they can be transferred. You can do this by using either systemd’s ForwardToSyslog configuration setting, or by using rsyslog’s imjournal module.
/etc/systemd/journald.conf has a ForwardToSyslog=yes option that would allow you to forward the logs to syslog, which seems like a pretty inelegant way to me.
In rsyslog you can add the module imjournal, to get the journal logs. To use it, add the following to your /etc/rsyslog.conf file. The mmjsonparse module lets ryslog parse journald messages:
module(load="imjournal")
module(load="mmjsonparse")
Kernel messages can be logged with the standard the imklog module. Just add: module(load="imklog") to the configuration file /etc/rsyslog.conf. With the standard rsyslog configuration, this should log kernel messages to /var/log/messages and /var/log/syslog.
The forwarding can be done over UDP or TCP.
Forwarding:
*.* action(type="omfwd" target="10.0.2.1" port="514" protocol="udp") # UDP
*.* action(type="omfwd" target="10.0.2.1" port="10514" protocol="tcp") # TCP
Obsolete Legacy Format
*.* @10.0.1.1:514 # UDP -> one @
*.* @@10.0.1.1:514 # TCP -> two @s
After adding this, your rsyslog client should start forwarding the messages to your remote syslog server.
Upvotes: 3
Related Questions
- apache2 log to journald
- How to log to journald (systemd) via Python?
- Systemd Journal log from command line to specific namespace
- How to redirect log file content to systemd journal?
- Systemd service and structured logging
- Logs in journald and syslog
- Forwarding logs from file to journald
- Write journald metadata to rsyslog
- How to send logs to Journalctl when default is sent to syslog?
- using systemd without journal