
Forward systemd journal messages/Collect systemd journal messages [Resolved]

How can I collect systemd journal events (pull) or forward systemd journal events (push)?

I want to have something like forwarded event log (http://windows.tips.net/T012878_What_is_the_Purpose_of_the_Forwarded_Events_Event_Log.html) but under Linux.

I'm using ArchLinux but not sure this matters.

Should I forward journal to syslog and then collect syslog? Will I lose any info by doing so? Can I collect journal messages without syslog daemon?


Question Credit: adontz
Asked October 11, 2017
Posted Under: Network
29 views
3 Answers

Forwarding messages to legacy software like syslog gives you nothing but overhead.

Instead you can implement both models using native journald features.

Push model:

(log source) systemd-journal-upload -> systemd-journal-remote (log collector)

Pull model:

(log source) systemd-journal-gatewayd <- systemd-journal-remote (log collector)

The arrow shows who initiates the connection. HTTPS is used as a transport so it's secure.

More information can be obtained from:

http://www.freedesktop.org/software/systemd/man/systemd-journal-remote.html

http://www.freedesktop.org/software/systemd/man/systemd-journal-upload.html

and so on.


credit: god
Answered October 11, 2017
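The push model above, as an added example that is not part of the answer: a POSIX sh script that renders the two config files (journal-upload.conf on the log source, journal-remote.conf on the collector) and checks that the upload side really uses HTTPS with a CA file, since systemd-journal-upload also accepts plain http:// URLs and a trust setting of "all" disables certificate checking. The collector hostname and the /etc/ssl/journal/*.pem paths are assumptions.

```shell
#!/bin/sh
# Added example; collector hostname and certificate paths are assumed.

# Render /etc/systemd/journal-upload.conf for the log source.
render_upload_conf() {
  collector="$1"
  cat <<EOF
[Upload]
URL=https://${collector}:19532
ServerKeyFile=/etc/ssl/journal/source-key.pem
ServerCertificateFile=/etc/ssl/journal/source-cert.pem
TrustedCertificateFile=/etc/ssl/journal/ca.pem
EOF
}

# Render /etc/systemd/journal-remote.conf for the collector.
# SplitMode=host keeps one journal file per sending host under
# /var/log/journal/remote/, readable with: journalctl -D /var/log/journal/remote
render_remote_conf() {
  cat <<EOF
[Remote]
SplitMode=host
ServerKeyFile=/etc/ssl/journal/collector-key.pem
ServerCertificateFile=/etc/ssl/journal/collector-cert.pem
TrustedCertificateFile=/etc/ssl/journal/ca.pem
EOF
}

# Sanity-check a rendered upload config passed as a string: the transport is
# only "secure" when the URL is https and a real CA file (not "all", which
# disables verification) is configured. Returns 0 when OK, 1 otherwise.
check_upload_conf() {
  conf="$1"
  url=$(printf '%s\n' "$conf" | sed -n 's/^URL=//p')
  ca=$(printf '%s\n' "$conf" | sed -n 's/^TrustedCertificateFile=//p')
  case "$url" in
    https://*) ;;
    *) return 1 ;;
  esac
  [ -n "$ca" ] && [ "$ca" != "all" ]
}

# Typical use: write the files, then on the source
#   systemctl enable --now systemd-journal-upload
# and on the collector
#   systemctl enable --now systemd-journal-remote.socket
check_upload_conf "$(render_upload_conf collector.example.internal)" \
  && echo "upload config OK"
```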
 
A note to anyone who arrives here via Google while using Debian 8: If you're running a resource-constrained VPS, test your logging solution (using while true; do echo 'test string' | systemd-cat; done). I was forced to rely on Storage=none and forwarding to inetutils-syslogd because it was the only way to keep systemd-journald from treating memory limits as a loose suggestion (peaking at 7.7% RSS while the syslog-based solution sits steady at 0.8% (systemd-journald) + 0.7% (syslogd --no-forward --socket=/run/systemd/journal/syslog)). You'll also want logrotate in that case. – ssokolow Feb 23 at 12:32

Both syslog and rsyslog are a good idea; both can handle local and remote logging. It's usually done using UDP, so yes, messages can be lost. rsyslog can be configured to use TCP and even TLS, though.

You could have a hybrid deployment, e.g. have syslog as sender and rsyslog as receiver.

With syslog you can write something like:

*.*;*.!notice   @192.168.100.220

in /etc/syslog.conf on sender and

$ModLoad imudp.so
$UDPServerRun 514

in /etc/rsyslog.conf on receiver and get all your messages collected on receiver.


credit: dawud
Answered October 11, 2017

How about deploying Logstash or Fluentd to collect your logs, and maybe you can forward them later to syslog, Splunk, AppDynamics, etc., or any legacy software?


credit: Abdel Hegazi
Answered October 11, 2017