Is rsyslog redundant on when using journald?

linux rsyslog journald

8,149

Solution 1

From Red hat documentation, using the journal

The Journal is a component of systemd that is responsible for viewing and management of log files. It can be used in parallel, or in place of a traditional syslog daemon, such as rsyslogd.

From Red had documentation, rsyslog journal interaction

By default, rsyslogd uses the imjournal module as a default input mode for journal files.

From Red hat documentation, journal storage

With persistent logging enabled, journal files are stored in /var/log/journal which means they persist after reboot. Journal can then replace rsyslog for some users (but see the chapter introduction).

Based on this I would say that rsyslog is redundant if journald persistent storage is enabled and there are no applications that depend on the specific files and format produced by rsyslog, the content is the same.

Solution 2

We solved this by not creating /var/log/journal (so that journalctl stuff is ephemeral) and setting up rsyslog to store everything from journald in a new logfile. We often have to debug our deployments post-mortem, and grepping through logfiles is (for us old-timers) much easier than learning a new obscure command language.

:syslogtag, startswith, "systemd" /var/log/systemd.log

We also learned that the "/etc/rsyslog.d/listen.conf" that systemd installs is an essential part of the glue; one of our components inadvertently wiped out the

$IncludeConfig /etc/rsyslog.d/*.conf

and we got nothing from journald.

8,149

joaerl

Updated on September 18, 2022

Comments

joaerl almost 2 years
I have noticed log messages are duplicated in journald and /var/log/messages on my CentOS 7 system. At first I thought it was the journald option ForwardToSyslog (which defaults to 'yes' in the installed version) which caused this behavior, but setting it to 'no' did not make a difference.

Obviously if I stop the rsyslog service the logging to /var/log/messages (and probably some other logs stop, but what I worry about when I do this if rsyslog is logging things that journald are not.

Is rsyslog only logging whatever it reads from journald or is it logging other things as well?

Extract from /etc/rsyslog.conf:
```
# The imjournal module bellow is now used as a message source instead of imuxsock.
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal

...

# Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
$OmitLocalLogging on
```
stolenmoment almost 4 years

Those links are all dead.
Michael Hampton almost 4 years

@stolenmoment Anybody could just edit the post and fix them. Even you.
sixty4bit over 3 years

I thought half the point of rsyslog was not just ingestion but transformation and output/forwarding of logs to other places. Does journald do that stuff?