case study - journalctl - where is logger output

Fri Sep 19 15:46:04 UTC 2014

On Wed, Sep 17, 2014 at 10:26 PM, Chris Murphy <lists at colorremedies.com> wrote:
> On Sep 17, 2014, at 9:33 AM, Tom H <tomh0665 at gmail.com> wrote:
>>
>> AIUI, imjournal needs a file for rsyslog to read journald logs so it
>> won't work with "Storage=none".
>>
>> To forward to rsyslog you have to:
>>
>> - use "Storage=volatile" (if you don't want to use auto/persistent) in
>> "/etc/systemd/journald.conf" so journald will log to
>> "/run/systemd/journal/" and imjournal will pick up logs from there
>>
>> or
>>
>> - use "$AddUnixListenSocket /run/systemd/journal/syslog" in
>> "/etc/rsyslog.d/sd-socket.conf" so journald will log to
>> "/run/systemd/journal/syslog" and imuxsocket will pick up logs from
>> there (untested)
>
> My understanding is the current versions (Fedora 19+) of rsyslog and systemd
> "just work" - rsyslog connects to systemd-journald.socket. I only skimmed
> this thread but thought I saw something about a socket being disabled with
> systemctl, and if it was the systemd-journald.socket well then that'd be a
> reason why rsyslog isn't getting messages.

By default, as long as "Storage=none" isn't set, the forward to rsyslog works.

> But I'm not sure what all Balint has changed from the Fedora 20 defaults,
> but my test VM is pristine so either Balint has changed something I haven't
> changed and he hasn't changed it back to the default. Or maybe he's run into
> a bug where he changed something, changed it back but it's not taking. Or
> other…
>
> My test was strictly two things. The first was:
> 1. dnf install rsyslog ### because it's not installed by default
> 2. edited journald.conf changing Storage=auto to none
> 3. Reboot
>
> There is no persistence at all in either /run/log/journal or /var/log/journal,
> yet there are entries in both journalctl and /var/log/messages, and the logger
> command inserts whatever I type after it into both.
>
> And the other test following this was:
>
> 4. change journald.conf Storage=auto again, i.e. back to default.
> 5. delete /var/log/journal
> 6. reboot
>
> And now I get a journal stored in /run/log/journal; from prior testing a while
> ago this is the same behavior I get when Storage=volatile
>
> I didn't extensively test the difference between Storage=none and Storage=auto
> or volatile (with /run/log/journal and /var/log/journal deleted). And I can't
> really tell from the documentation or the resulting logs; but I'm going to
> guess that none means it's using some limited amount of RAM (?) whereas =auto
> or volatile using /run/log/journal is on tmpfs and after it uses up the
> <handwaive> 50% RAM limit it starts to swap to disk. In either case they're
> toast at the next reboot.

I've just done the same two tests with the same results.

>From "man journald.conf: "none" turns off all storage, all log data
received will be dropped. Forwarding to other targets, such as the
console, the kernel log buffer or a syslog daemon will still work
however.

What it doesn't say is whether "imjournal" will work or not. In both
our tests, imjournal (the default rsyslog module for journald) doesn't
work when "Storage=none" is set so you need to use imuxsocket.

I've also tested "$AddUnixListenSocket /run/systemd/journal/syslog"
and logs are forwarded to rsyslog.