I just set up a CENTOS7 machine and had to learn a bit about journald. This information may be helpful. According to the reading I have done, journald is only capable of local logging. You can tell journald to send its logs to rsyslog and at that point, treat everything the same as in your legacy environment (mostly). A couple of issues cropped up due to my lack of knowledge of journald, CENTOS7, and how it works with rsyslog, but in short, this is what works on my box. YMMV

I had to edit journald config, which on CENTOS7 is at /etc/systemd/journald.conf.
Find the ForwardToSyslog=yes line and remove the comment.
In your /etc/rsyslog.conf make sure that module(load="imuxsock") is the old style option $ModLoad imuxsock.
I guess the CENTOS rpm added another conf file /etc/rsyslog.d/listen.conf.
The contents of listen.conf are $SystemLogSocketName /run/systemd/journal/syslog

Regards,
Brandon
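
The three settings from the message above, checked by a small shell script. This is an added example, not part of the original post: the function names are hypothetical, and the socket setting is matched under rsyslog's directive name `$SystemLogSocketName`.

```shell
#!/bin/sh
# Added example: checks the journald -> rsyslog hand-off described above.
# Function names are hypothetical; file paths are passed in so the check
# can also be run against copies of the config files.

# True if the last uncommented ForwardToSyslog= assignment is a "yes" value.
journald_forwards() {
    val=$(sed -n 's/^[[:space:]]*ForwardToSyslog[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1)
    case "$val" in yes|true|on|1) return 0 ;; *) return 1 ;; esac
}

# Prints how imuxsock is loaded: legacy ($ModLoad), rainerscript, or missing.
imuxsock_style() {
    if grep -Eq '^[[:space:]]*\$ModLoad[[:space:]]+imuxsock' "$1"; then
        echo legacy
    elif grep -Eq '^[[:space:]]*module\([[:space:]]*load="imuxsock"' "$1"; then
        echo rainerscript
    else
        echo missing
    fi
}

# True if rsyslog is told to read the socket journald forwards to.
listens_on_journal_socket() {
    grep -Eq '^[[:space:]]*\$SystemLogSocketName[[:space:]]+/run/systemd/journal/syslog[[:space:]]*$' "$1"
}

# Args: journald.conf rsyslog.conf listen.conf. Returns 0 only if all pass.
check_forwarding() {
    rc=0
    journald_forwards "$1" || { echo "FAIL: ForwardToSyslog not enabled in $1"; rc=1; }
    [ "$(imuxsock_style "$2")" != missing ] || { echo "FAIL: imuxsock not loaded in $2"; rc=1; }
    listens_on_journal_socket "$3" || { echo "FAIL: journal socket not set in $3"; rc=1; }
    return "$rc"
}

# Run against real files only when three paths are given on the command line.
if [ "$#" -eq 3 ]; then check_forwarding "$@"; fi
```

A commented-out `#ForwardToSyslog=yes` line is reported as a failure, which is the state the stock file is in before the edit described above.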

On 01/21/2015 01:32 PM, David Lang wrote:
what do you mean by "getting message from the RELP destination machine itself"?

do you mean "how do I get the messages generated by the machine that I'm sending logs to via RELP"? If so, it's just a question of how to get those logs to rsyslog, and the fact that RELP is being used to deliver logs from other machines to rsyslog on this machine doesn't matter.

If you are meaning something else, please try to clarify your question.

David Lang


On Wed, 21 Jan 2015, brendan kearney wrote:

My intention is the path of least resistance, and confusion does seem to be a factor. I have RELP working in a legacy environment and my testing seems to show that a cutover will work without major issue. But my problem seems
to be getting messages from the RELP destination machine itself.

I will go through the presentation and see what light it sheds on my
issue.  Thank you.
On Jan 21, 2015 2:39 AM, "Rainer Gerhards" <[email protected]> wrote:

2015-01-21 6:25 GMT+01:00 David Lang <[email protected]>:

you would have to direct your journald questions at the systemd
developers, my expectation is that they won't have answers for you.
Journald isn't designed to deal with more than one machine.

I think the best thing to do is to get the logs out of the journal into
rsyslog, and then pretend the journal doesn't exist.

I don't know what you think you will be achieving by outputting the
messages from rsyslog into journald.


I guess Brendan is just confused by the options. If so, this presentation
may help to clear the mind up:


http://www.slideshare.net/rainergerhards1/rsyslog-vs-systemd-journal-presentation

The module use starts at slide 17, I think. But I'd recommend to have at
least a glance at the whole presentation.

HTH
Rainer

David Lang

On Tue, 20 Jan 2015, Brendan Kearney wrote:

 Date: Tue, 20 Jan 2015 15:45:41 -0500
From: Brendan Kearney <[email protected]>
Reply-To: rsyslog-users <[email protected]>
To: [email protected]
Subject: [rsyslog] rsyslog, journald and phplogcon


hello,

i have an older environment that predates journald, where rsyslog-relp
is used to forward all rsyslog messages to a specific host and then
ommysql puts the messages into a database. i then have phplogcon attach
to the database and provide a web interface to the logs. this is a
great setup for me and has been working for some time.

i am now in the process of updating many of my systems and journald is changing things. it looks like i can use omjournal to send the journal messages to a central device, but i am not sure if the reliable part of
relp is built into omjournal.  i would assume not.  can omjournal and
omrelp be used together to provide reliable transmission of journald
messages to a central device? i also find that imuxsock can be used.
what are other people doing?

once i get messages to the central device, how does one get journald
messages into mysql for phplogcon to be used?  currently, i have the
below config, but it does not insert records into the database.
clearly, i am missing something.  could you point me in the correct
direction?

module(load="imuxsock")
module(load="imjournal")
module(load="imklog")
#module(load="immark")

# Provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="514")

# Provides TCP syslog reception
module(load="imtcp")
input(type="imtcp" port="514")

# Provides RELP reception
module(load="imrelp")
input(type="imrelp" port="20514")

# Load MySQL support
module(load="ommysql")

# MASSIVE INSERT RATE FOR DB / SCALED DB LOGGING
$WorkDirectory /var/spool/rsyslog # default location for work files
$ActionQueueType LinkedList # use asynchronous processing
$ActionQueueFileName dbq    # set file name, also enables disk mode
$ActionResumeRetryCount -1  # infinite retries on insert failure

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# File to store the position in the journal
$IMJournalStateFile imjournal.state

#### RULES ####

if ( $inputname == 'imudp' or $inputname == 'imtcp' or $inputname == 'imrelp' )
then
 action(type="ommysql" server="server1.bpk2.com" serverport="3306" db="Syslog" uid="syslog" pwd="syslog")
& stop

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
DON'T LIKE THAT.
