rsyslog

Chris Murphy lists at colorremedies.com
Tue Mar 3 05:11:00 UTC 2015


On Mon, Mar 2, 2015 at 8:46 PM, Dan Irwin <rummymobile at gmail.com> wrote:
> Hi all,
>
> What kind of secret voodoo does one need to use rsyslog on a systemd system?
> Is it even possible?

Yes, it happens to be the default on Fedora 21 Server and CentOS 7, works there.

systemctl status systemd-journald.socket
systemctl status rsyslog

>
> I have installed it, and I only get kernel boot messages in
> /var/log/messages.

rsyslog reads the journal via an exclusive socket, so as long as the
messages you're after are in the journal they would also be in
/var/log/messages. If not then I'd first wonder if /etc/rsyslog.conf
is present and default.


> I find journalctl to be fundamentally braindead, lacking features which we
> have taken for granted for decades in redhat/rhel/fedora/centos.

Lacking in features, such as?

The journal has all messages from early boot in it, and rsyslog
inherits this capability from journald which it otherwise wouldn't
have because as a service it starts rather late compared to the
journal; plus journalctl is available in early boot if you have to do
troubleshooting before rsyslogd is running.

> (Seriously,
> what's the wisdom of keeping ALL logs around forever?, and in an easily
> corruptible format).

It's fine to not like it for purely subjective reasons, you're not
obligated to say why. But if you do say why and you're wrong, well,
that'd be silly rather than serious.

By default it doesn't keep all logs around forever, they get rotated
and discarded eventually. This is configurable. The format isn't
easily corruptible more so than anything else, it just keeps its own
checksums therefore it knows when an entry is corrupt. Entries are
individually discardable, subsequent entries can still be read. The
format also optionally enables sealing to demonstrate the journal
hasn't been tampered with.

I suggest you consider changing #Storage=auto to #Storage=volatile in
/etc/systemd/journald.conf; or you can just delete /var/log/journal
(leaving the setting to auto). Either way this causes the journal to
be written to /run/log/journal instead of to disk, while allowing
rsyslog to manage /var/log/messages like you're used to.


-- 
Chris Murphy
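
An added example, not part of the original message: a shell check for where journald will actually keep the journal, given the Storage= setting and /var/log/journal directory discussed above. The function name journal_storage_mode is hypothetical, and it assumes only the main journald.conf is in play (drop-in directories are not read); lines starting with # are comments showing the default, so only an uncommented Storage= line is counted.

```shell
#!/bin/sh
# Added example: work out journald's effective storage mode.
# Usage: journal_storage_mode CONF_FILE PERSISTENT_DIR
# Prints one of: persistent (journal on disk under /var/log/journal),
#                volatile   (journal in /run/log/journal, lost at reboot),
#                none       (journal storage disabled),
#                unknown    (unrecognised Storage= value).
journal_storage_mode() {
    conf=$1
    jdir=$2
    mode=auto    # journald's default when no Storage= line is active

    if [ -r "$conf" ]; then
        # Match only uncommented assignments; a leading '#' makes the
        # line a comment. If several are present, the last one wins.
        val=$(sed -n 's/^[[:space:]]*Storage[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*$/\1/p' "$conf" | tail -n 1)
        if [ -n "$val" ]; then
            mode=$val
        fi
    fi

    case $mode in
        volatile|persistent|none)
            echo "$mode" ;;
        auto)
            # auto: persistent only if the on-disk directory exists.
            if [ -d "$jdir" ]; then
                echo persistent
            else
                echo volatile
            fi ;;
        *)
            echo unknown ;;
    esac
}

# Report for the running system (paths as named in the message above).
journal_storage_mode /etc/systemd/journald.conf /var/log/journal
```

If the result is persistent and rsyslog is also writing /var/log/messages, the same events are retained in two places with separate rotation settings.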

