
Thread: Syslog and journalctl

  1. #1

    Syslog and journalctl

    Hi everyone, I've been working all day on this issue and I am not finding a solution.

    I am using syslog-ng to get the system and application logs into /var/log/messages. I was getting all the logs into /var/log/messages, but one day I found that I was no longer getting all of them.

    I've been working with syslog-ng all day trying to find a solution but I had no luck.

    I found that journalctl has all the system logs that I needed, so I did this in syslog-ng:

    Code:
    source src_systemd {unix-dgram("/run/systemd/journal/syslog");};
    But when I choose src_systemd as a source the service does not start, so right now I am using as source:

    Code:
    source src { internal(); unix-dgram("/dev/log"); file("/proc/kmsg" program_override("kernel")); };

    I've realized that I was not getting the named service log, the squid log, and the systemd log.

    So my question is: is there any way I could get all these logs (named, systemd, etc.) into /var/log/messages?

    Kind Regards,
    Rodrigo

  2. #2

    Re: Syslog and journalctl

    Systemd passes all messages on to syslog-ng if that is running. If not, it's a bug.

    But at least rsyslog can filter the messages to different files, so I guess syslog-ng does that too.
    So I'd suggest checking your syslog-ng filter configuration. For rsyslog that's in /etc/rsyslog.conf and /etc/rsyslog.d/; for syslog-ng it should be in a similar location.

  3. #3

    Re: Syslog and journalctl

    Quote Originally Posted by wolfi323 View Post
    Systemd passes all messages on to syslog-ng if that is running. If not, it's a bug.

    But at least rsyslog can filter the messages to different files, so I guess syslog-ng does that too.
    So I'd suggest checking your syslog-ng filter configuration. For rsyslog that's in /etc/rsyslog.conf and /etc/rsyslog.d/; for syslog-ng it should be in a similar location.
    Yes, I can filter messages with syslog-ng. And right now, as a test, I am not filtering anything so I can get all logs, but I am still not getting the systemd messages.

    Everything was working fine when I had both rsyslog and syslog-ng installed. Since I started to use syslog-ng I uninstalled rsyslog, and that is where all the problems started.

    Now if I try to install rsyslog again, I get this problem:
    Code:
    Problem: rsyslog-7.2.7-2.5.1.x86_64 conflicts with namespace:otherproviders(syslog) provided by syslog-ng-3.4.1-1.2.1.x86_64
     Solution 1: deinstallation of syslog-ng-3.4.1-1.2.1.x86_64
     Solution 2: do not install rsyslog-7.2.7-2.5.1.x86_64

    Choose from above solutions by number or cancel [1/2/c] (c):
    I am using syslog-ng for network devices, so I cannot uninstall syslog-ng.

    So, do you suggest that systemd should be logging without any problems? Which facility does it use? daemon? news? kernel? I've been logging everything, but I am still not getting the systemd messages in /var/log/messages.

    Thanks for your answer,

    Thanks and Regards,
    Rodrigo.

  4. #4

    Re: Syslog and journalctl

    Quote Originally Posted by f2607441 View Post
    So, do you suggest that systemd should be logging without any problems? Which facility does it use? daemon? news? kernel? I've been logging everything, but I am still not getting the systemd messages in /var/log/messages.
    Which messages do you mean?
    Those that go to the console on boot like:
    Code:
    Trying manual resume from /dev/sdb2
    Invoking userspace resume from /dev/sdb2
    resume: libgcrypt version: 1.5.0
    Trying manual resume from /dev/sdb2
    Invoking in-kernel resume from /dev/sdb2
    Waiting for device /dev/root to appear:  ok
    fsck from util-linux 2.21.2
    [/sbin/fsck.reiserfs (1) -- /] fsck.reiserfs -a /dev/sda1 
    Reiserfs super block in block 16 on 0x801 of format 3.6 with standard journal
    Blocks (total/free): 19537040/537181 by 4096 bytes
    Filesystem is clean
    File system has been mounted 31 times without being checked. Checking now.
    Replaying journal: ^MReplaying journal: Done.
    Reiserfs journal '/dev/sda1' in blocks [18..8211]: 0 transactions replayed
    File system has been mounted 31 times without being checked. Checking now.
    Checking internal tree.. finished
    fsck succeeded. Mounting root device read-write.
    Mounting root /dev/root
    mount -o rw,acl,user_xattr -t reiserfs /dev/root /root
    
    
    Welcome to openSUSE 12.3 (Dartmouth) (x86_64)!
    
    
             Starting Replay Read-Ahead Data...
             Starting Collect Read-Ahead Data...
    [  OK  ] Listening on Syslog Socket.
    [  OK  ] Reached target Remote File Systems.
    ...
    [  OK  ] Started LSB: Samba NetBIOS naming service over IP.
             Starting LSB: Samba SMB/CIFS file and print server...
    [  OK  ] Started LSB: Network time protocol daemon (ntpd).
    [  OK  ] Reached target System Time Synchronized.
             Starting LSB: TiMidity++ ALSA midi emulation...
             Starting LSB: X Display Manager...
    [  OK  ] Started LSB: TiMidity++ ALSA midi emulation.
    [  OK  ] Started LSB: Samba SMB/CIFS file and print server.
    [  OK  ] Started LSB: X Display Manager.
    Those go to /var/log/boot.log; AFAIK plymouth writes them, because there's no syslog service running yet that early in the boot process.

  5. #5

    Re: Syslog and journalctl

    No, no: messages like "I've restarted a service", or named issues.

    I used to see these logs in /var/log/messages; now I do not see them anymore, and I can only find them in journalctl.

    Code:
    Jun 20 11:40:01 FW-bleble named[2569]: error (network unreachable) resolving ****
    Jun 20 11:40:01 FW-bleble systemd-logind[893]: New session 2295 of user ****
    Jun 20 11:42:51 FW-bleble systemd[1]: Starting Restore Sound Card State...
    Jun 20 11:42:51 FW-bleble systemd[1]: Started Restore Sound Card State.
    Meanwhile, in /var/log/messages I do not see anything.

  6. #6

    Re: Syslog and journalctl

    Quote Originally Posted by f2607441 View Post
    No, no: messages like "I've restarted a service", or named issues.

    I used to see these logs in /var/log/messages; now I do not see them anymore, and I can only find them in journalctl.

    Code:
    Jun 20 11:40:01 FW-bleble named[2569]: error (network unreachable) resolving ****
    Jun 20 11:40:01 FW-bleble systemd-logind[893]: New session 2295 of user ****
    Jun 20 11:42:51 FW-bleble systemd[1]: Starting Restore Sound Card State...
    Jun 20 11:42:51 FW-bleble systemd[1]: Started Restore Sound Card State.
    Meanwhile, in /var/log/messages I do not see anything.
    Well, I have those systemd and systemd-logind messages in /var/log/messages (I don't have named installed).
    But I'm using rsyslog.

    So it must be your syslog-ng config, or it's a bug in syslog-ng, maybe this one: https://bugzilla.novell.com/show_bug.cgi?id=815746

  7. #7

    Re: Syslog and journalctl

    IMO the approach is likely a circular problem.

    journalctl (actually "the journal") supposedly is a higher-level log that is supposed to include everything that is in /var/log/messages, so trying to import journal entries into the syslog is potentially dangerous.

    Instead, because you're trying to aggregate so many different logs into storage that can be centrally analyzed, I'd recommend that you consider a more "enterprise" solution like logstash (there are private repo OBS builds). Although logstash is designed more for collecting log data from multiple host machines, it should also work fine for collecting multiple logfiles on a single machine.

    Running logstash by itself should be OK.
    I recently created another forum post (currently unanswered) taking logstash to the next level, which is to deploy a mountain of aggregated log data so it can be queried in a highly parallelized way using logstash (for log data collection and shipping), Elasticsearch (for the high-performance data indexing and querying), and Kibana (for the easy front-end query input and displaying of results). But if the ruby gem issue in my post isn't resolved, I may have to consider another platform (just for Kibana).

    HTH,
    TSU

  8. #8

    Re: Syslog and journalctl

    Quote Originally Posted by tsu2 View Post
    journalctl (actually "the journal") supposedly is a higher-level log that is supposed to include everything that is in /var/log/messages, so trying to import journal entries into the syslog is potentially dangerous.
    No, actually it is the other way round. The journal is the low-level log where everything gets logged to, but systemd-journald automatically passes the messages on to another syslog service as well, if one is running.

  9. #9

    Re: Syslog and journalctl

    Hey, a partner found the solution.

    It seems that in the source you should add "system();"

    And that's it.

    The syslog-ng.conf man page says:
    Code:
    system()    Automatically detects which platform syslog-ng OSE is running on,
                and collects the native log messages of that platform.
    Thanks for the help and advice.

    Kind Regards,
    Rodrigo
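
    A complete syslog-ng configuration built around the fix from this thread, as an added example and not the poster's own config: the source uses system() (which, per the man page, collects the platform's native messages, including kernel and, on systemd hosts, journal-forwarded messages) instead of hand-listing /dev/log and /proc/kmsg, and everything lands in /var/log/messages. The network-device source, the log paths other than /var/log/messages and the named filter are assumptions.

```conf
@version: 3.4

# Local sources: syslog-ng's own messages plus the platform's native log
# sources. Do not also keep unix-dgram("/dev/log") or file("/proc/kmsg")
# here: system() already covers them and the duplicates can produce
# doubled entries or a source that fails to bind at start-up.
source s_local {
    internal();
    system();
};

# Network devices (assumed: plain UDP syslog on port 514).
source s_net {
    network(transport("udp") port(514));
};

# Everything local goes to /var/log/messages, as in the original setup.
destination d_messages { file("/var/log/messages"); };

# Optional: a separate copy of the named messages the poster was missing.
filter f_named { program("named"); };
destination d_named { file("/var/log/named.log"); };

# Assumed file for the network devices so they do not mix with host logs.
destination d_netdev { file("/var/log/netdevices.log"); };

log { source(s_local); destination(d_messages); };
log { source(s_local); filter(f_named); destination(d_named); };
log { source(s_net); destination(d_netdev); };
```

Check the file with `syslog-ng --syntax-only -f /etc/syslog-ng/syslog-ng.conf` before restarting the service, then confirm with `journalctl` and `tail /var/log/messages` that a new systemd or named entry appears in both.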
