Receiving router log information in journald?

Hello.
After reading this thread:
Receiving router log information in rsyslog? http://forums.opensuse.org/showthread.php/494959

On router side you just configure “the IP address of a remote syslog server”

Is there a way to do that with journald?
If yes, can you give me some direction.

Should journald understand syslog format?
If not, I suppose that I have to install rsyslog on the server to catch router information?
In that case how to resend logs to journald?

Any help is welcome.

On 2015-07-10 18:46, jcdole wrote:
>
> Hello.
> After reading this thread:
> Receiving router log information in rsyslog?
> http://forums.opensuse.org/showthread.php/494959
>
> On router side you just configure “the IP address of a remote syslog
> server”

Yes. IP, and sometimes the port, if it is not the standard one.

> Is there a way to do that with journald?

You mean, receive the log entries in journald, instead of in a syslog
daemon service? I’m not aware that it is possible at all. But I might be
mistaken.

> If not, I suppose that I have to install rsyslog on the server to catch
> router information?

I guess so, yes. You can use rsyslog, syslog-ng, and maybe another one I
forget. You have some choices.

> In that case how to resend logs to journald?

I wouldn’t have the foggiest idea… If I wanted to do that, I’d
start reading journal manuals :wink:


Cheers / Saludos,

Carlos E. R.

(from 13.1 x86_64 “Bottle” (Minas Tirith))

I don’t know if anyone has published all the sources that pass data to the journal (at least I can’t find anything), but in general <everything> is in the journal.

So, you should be able to query for router log events directly from the journal. To some degree, it should be easier to query for specific data with the capabilities of journalctl.
The online link to the journalctl MAN pages is at
http://www.freedesktop.org/software/systemd/man/journalctl.html
Note the examples at the end which suggest how you can query for router log data if it’s in there.

And, if you prefer another format or a store that contains only specific data, then you can extract that information using any of many tools including what has already been described.

TSU

On 2015-07-12 02:56, tsu2 wrote:
>
> I don’t know if anyone has published all the sources that pass data to
> the journal (at least I can’t find anything), but in general
> <everything> is in the journal.
>
> So, you should be able to query for router log events directly from the
> journal. To some degree, it should be easier to query for specific data
> with the capabilities of journalctl.
> The online link to the journalctl MAN pages is at
> http://www.freedesktop.org/software/systemd/man/journalctl.html
> Note the examples at the end which suggest how you can query for router
> log data if it’s in there.

But you need the messages from the external host, a router in this case,
to get its messages included in the journal first. Sure that you can
query the data if it is there, but you have to put it there first,
somehow…

I would have a look at these:

journal-remote.conf(5) – Journal remote service configuration files
journal-remote.conf.d(5) – Journal remote service configuration files
journald.conf(5) – Journal service configuration files
journald.conf.d(5) – Journal service configuration files

In particular, this one:

systemd-journal-remote — Receive journal messages over the network

It says: «systemd-journal-remote is a command to receive serialized
journal events and store them to the journal. Input streams are in the
Journal Export Format, i.e. like the output from journalctl
--output=export. For transport over the network, this serialized stream
is usually carried over an HTTPS connection.»

That doesn’t look to me like syslog messages, which is what the router
will send :-?


Cheers / Saludos,

Carlos E. R.

(from 13.1 x86_64 “Bottle” (Minas Tirith))
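The format mismatch raised in the post above, as an added example that is not part of the original thread: a Python sketch that parses one RFC 3164 style syslog datagram and re-serializes it as a Journal Export Format entry. The sample datagrams are constructed, and `ROUTER_HOST` is a hypothetical user field name; a message containing a newline is written in the export format's binary-safe form so that text sent by the router cannot be read back as extra journal fields.

```python
import re
import struct

# RFC 3164 style line: <PRI>Mmm dd hh:mm:ss HOST TAG[pid]: text
SYSLOG_RE = re.compile(
    rb"<(\d{1,3})>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d (\S+) ([^\s:\[]+)(?:\[\d+\])?: ?(.*)",
    re.DOTALL)

# Constructed sample datagrams, shaped like what a router sends to a syslog server.
NORMAL = b"<134>Jul 12 02:56:01 router1 kernel: DROP IN=eth0 SRC=192.0.2.7"
# Constructed message with an embedded newline that imitates a second field.
FORGED = b"<134>Jul 12 02:56:02 router1 dhcpd: lease ok\nPRIORITY=0"

def parse_syslog(datagram: bytes) -> dict:
    """Split one syslog datagram into journal-style user fields."""
    m = SYSLOG_RE.fullmatch(datagram.rstrip(b"\n"))
    if m is None:
        raise ValueError("not an RFC 3164 style syslog line")
    pri = int(m.group(1))
    if pri > 191:  # facility 0-23, severity 0-7
        raise ValueError("PRI out of range")
    return {
        "PRIORITY": str(pri & 7).encode(),
        "SYSLOG_FACILITY": str(pri >> 3).encode(),
        "SYSLOG_IDENTIFIER": m.group(3),
        "ROUTER_HOST": m.group(2),  # hypothetical field name, not a systemd one
        "MESSAGE": m.group(4),
    }

def _is_plain(value: bytes) -> bool:
    """True if value is valid UTF-8 with no control characters except TAB."""
    try:
        text = value.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return all(ord(c) >= 32 or c == "\t" for c in text)

def to_export_entry(fields: dict) -> bytes:
    """Serialize fields as one Journal Export Format entry."""
    out = bytearray()
    for name, value in fields.items():
        if _is_plain(value):
            out += name.encode() + b"=" + value + b"\n"
        else:  # binary-safe: name, newline, 64-bit LE length, data, newline
            out += name.encode() + b"\n" + struct.pack("<Q", len(value)) + value + b"\n"
    return bytes(out) + b"\n"  # a blank line ends the entry

if __name__ == "__main__":
    for datagram in (NORMAL, FORGED):
        print(to_export_entry(parse_syslog(datagram)))
```

The resulting byte stream has the same shape as `journalctl --output=export` output, which is the input the quoted man page describes.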

The OP needs to clarify if the log data is from the openSUSE machine itself configured as a router or a remote device.

TSU

On 2015-07-13 03:16, tsu2 wrote:
>
> The OP needs to clarify if the log data is from the openSUSE machine
> itself configured as a router or a remote device.

I assumed it is a stand alone router machine, that sends the log entries
to an openSUSE machine over the network, using the standard syslog
method, same as in the thread he linked to.

But he wants the entries stored in systemd journal, not in syslog files.


Cheers / Saludos,

Carlos E. R.

(from 13.1 x86_64 “Bottle” (Minas Tirith))

I see I was mistaken and overlooked the OP was describing logs from a remote routing device.

Initially, I’d probably ask… Why?
The system’s own logging database (journald) would be the last place I’d consider, and just to verify I did a quick search whether anyone had described doing this and didn’t get any hits.

But,
There are plenty of “enterprise” systems that do set up a “Log Server” on the network, and for that you deploy just about any kind of database you prefer depending on your skillset and objectives. This is because for most major types of databases there are off the shelf importing and if necessary conversion tools that support common log formats. Once logs have been collected in your Log Server, you can even consider purging logfiles to save space.

Popular choices include MySQL (because so many people know how to query in SQL) and NoSQL databases (because of their extreme flexibility in supporting new datatypes, unlimited store limit and non-fixed data relationships). There should also be complete off the shelf solutions which might include a User frontend.

TSU

On 2015-07-13 17:56, tsu2 wrote:

> But,
> There are plenty of “enterprise” systems that do set up a “Log Server”
> on the network, and for that you deploy just about any kind of database
> you prefer depending on your skillset and objectives. This is because

At least one, probably more, of the available syslog daemons in Linux
can write to a database if you wish. The default is plain text, but
that’s not the only method.


Cheers / Saludos,

Carlos E. R.

(from 13.1 x86_64 “Bottle” (Minas Tirith))