On Sat, 2015-01-24 at 15:41 -0600, Brandon wrote:
> I just set up a CENTOS7 machine and had to learn a bit about journald.
> This information may be helpful. According to the reading I have done,
> journald is only capable of local logging. You can tell journald to send
> its logs to rsyslog and at that point, treat everything the same as in
> your legacy environment (mostly). A couple of issues cropped up due to
> my lack of knowledge of journald, CENTOS7, and how it works with
> rsyslog, but in short, this is what works on my box. YMMV
>
> I had to edit journald config, which on CENTOS7 is at
> /etc/systemd/journald.conf.
> Find the ForwardToSyslog=yes line and remove the comment.
> In your /etc/rsyslog.conf make sure that module(load="imuxsock") is the
> old style option $ModLoad imuxsock.
> I guess the CENTOS rpm added another conf file /etc/rsyslog.d/listen.conf.
> The contents of listen.conf are $SyslogLogSocketName
> /run/systemd/journal/syslog
>
> Regards,
> Brandon
>
> On 01/21/2015 01:32 PM, David Lang wrote:
> > what do you mean by "getting message from the RELP destination machine
> > itself"?
> >
> > do you mean "how do I get the messages generated by the machine that
> > I'm sending logs to via RELP"? If so, it's just a question of how to
> > get those logs to rsyslog, and the fact that RELP is being used to
> > deliver logs from other machines to rsyslog on this machine doesn't
> > matter.
> >
> > If you are meaning something else, please try to clarify your question.
> >
> > David Lang
> >
> >
> > On Wed, 21 Jan 2015, brendan kearney wrote:
> >
> >> My intention is the path of least resistance, and confusion does seem
> >> to be a factor. I have RELP working in a legacy environment and my
> >> testing seems to show that a cutover will work without major issue.
> >> But my problem seems to be getting messages from the RELP destination
> >> machine itself.
> >>
> >> I will go through the presentation and see what light it sheds on my
> >> issue. Thank you.
> >> On Jan 21, 2015 2:39 AM, "Rainer Gerhards" <[email protected]>
> >> wrote:
> >>
> >>> 2015-01-21 6:25 GMT+01:00 David Lang <[email protected]>:
> >>>
> >>>> you would have to direct your journald questions at the systemd
> >>>> developers, my expectation is that they won't have answers for you.
> >>>> Journald isn't designed to deal with more than one machine.
> >>>>
> >>>> I think the best thing to do is to get the logs out of the journal
> >>>> into rsyslog, and then pretend the journal doesn't exist.
> >>>>
> >>>> I don't know what you think you will be achieving by outputting the
> >>>> messages from rsyslog into journald.
> >>>>
> >>>>
> >>> I guess Brendan is just confused by the options. If so, this
> >>> presentation may help to clear the mind up:
> >>>
> >>> http://www.slideshare.net/rainergerhards1/rsyslog-vs-systemd-journal-presentation
> >>>
> >>> The module use starts at slide 17, I think. But I'd recommend to
> >>> have at least a glance at the whole presentation.
> >>>
> >>> HTH
> >>> Rainer
> >>>
> >>>> David Lang
> >>>>
> >>>> On Tue, 20 Jan 2015, Brendan Kearney wrote:
> >>>>
> >>>> Date: Tue, 20 Jan 2015 15:45:41 -0500
> >>>>> From: Brendan Kearney <[email protected]>
> >>>>> Reply-To: rsyslog-users <[email protected]>
> >>>>> To: [email protected]
> >>>>> Subject: [rsyslog] rsyslog, journald and phplogcon
> >>>>>
> >>>>>
> >>>>> hello,
> >>>>>
> >>>>> i have an older environment that predates journald, where
> >>>>> rsyslog-relp is used to forward all rsyslog messages to a specific
> >>>>> host and then ommysql puts the messages into a database. i then
> >>>>> have phplogcon attach to the database and provide a web interface
> >>>>> to the logs. this is a great setup for me and has been working for
> >>>>> some time.
> >>>>>
> >>>>> i am now in the process of updating many of my systems and
> >>>>> journald is changing things. it looks like i can use omjournal to
> >>>>> send the journal messages to a central device, but i am not sure
> >>>>> if the reliable part of relp is built into omjournal. i would
> >>>>> assume not. can omjournal and omrelp be used together to provide
> >>>>> reliable transmission of journald messages to a central device? i
> >>>>> also find that imuxsock can be used. what are other people doing?
> >>>>>
> >>>>> once i get messages to the central device, how does one get journald
> >>>>> messages into mysql for phplogcon to be used? currently, i have the
> >>>>> below config, but it does not insert records into the database.
> >>>>> clearly, i am missing something. could you point me in the correct
> >>>>> direction?
> >>>>>
> >>>>> module(load="imuxsock")
> >>>>> module(load="imjournal")
> >>>>> module(load="imklog")
> >>>>> #module(load="immark")
> >>>>>
> >>>>> # Provides UDP syslog reception
> >>>>> module(load="imudp")
> >>>>> input(type="imudp" port="514")
> >>>>>
> >>>>> # Provides TCP syslog reception
> >>>>> module(load="imtcp")
> >>>>> input(type="imtcp" port="514")
> >>>>>
> >>>>> # Provides RELP reception
> >>>>> module(load="imrelp")
> >>>>> input(type="imrelp" port="20514")
> >>>>>
> >>>>> # Load MySQL support
> >>>>> module(load="ommysql")
> >>>>>
> >>>>> # MASSIVE INSERT RATE FOR DB / SCALED DB LOGGING
> >>>>> $WorkDirectory /var/spool/rsyslog # default location for work files
> >>>>> $ActionQueueType LinkedList # use asynchronous processing
> >>>>> $ActionQueueFileName dbq # set file name, also enables disk mode
> >>>>> $ActionResumeRetryCount -1 # infinite retries on insert failure
> >>>>>
> >>>>> # Use default timestamp format
> >>>>> $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
> >>>>>
> >>>>> # File to store the position in the journal
> >>>>> $IMJournalStateFile imjournal.state
> >>>>>
> >>>>> #### RULES ####
> >>>>>
> >>>>> if ( $inputname == 'imudp' or $inputname == 'imtcp' or $inputname ==
> >>>>> 'imrelp' )
> >>>>> then
> >>>>> action(type="ommysql" server="server1.bpk2.com" serverport="3306"
> >>>>> db="Syslog" uid="syslog" pwd="syslog")
> >>>>> & stop
> >>>>>
@rainer - it seems slide 18 "Integrating journal data into syslog" is where i am looking to go. with that, it seems i need to install the rsyslog-mmjsonparse package. if i am reading the slide correctly, all messages are sent through mmjsonparse, and then written out to /var/log/ceelog using the CEETemplate format. if i want to send the messages via RELP to a different box, would i replace the second line with something like:

*.* :omrelp:192.168.1.1:20514;RSYSLOG_ForwardFormat

@david - yes, i am looking for logs generated from the machine that all other devices are sending their logs to. my question is exactly as you state, how to get those logs to rsyslog. given the effort to get journal data into syslog, i am not sure what i need to be doing.

@brandon - it seems that fedora uses different mechanisms than RHEL/CentOS. i tried your suggestions and did not get any improvement.

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
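
An added example, not part of any message in this thread: the rule in the posted config only matches imudp, imtcp and imrelp, so messages the central host generates itself never reach the ommysql action. The configuration below shows one way to store both local journal messages and RELP-delivered messages on the central host, and to forward journal messages from a sending host over RELP. It assumes the RainerScript syntax the thread's own config already uses; `db.example.internal`, `CHANGE_ME` and the queue file names are placeholders, and the two files are shown in one block for brevity.

```rsyslog
# ---- File 1: /etc/rsyslog.conf on the central (RELP destination) host ----
# Constructed example; server name and password are placeholders.
global(workDirectory="/var/spool/rsyslog")

# This host's own logs, read from the journal
module(load="imjournal" StateFile="imjournal.state")
# Logs delivered by the other machines
module(load="imrelp")
module(load="ommysql")

input(type="imrelp" port="20514")

# No $inputname filter: local (imjournal) and remote (imrelp) messages
# both reach the database action.
# LinkedList + queue.filename gives an asynchronous, disk-assisted queue;
# resumeRetryCount -1 retries forever when an insert fails.
# This file holds a DB password, so keep it readable by root only.
action(type="ommysql"
       server="db.example.internal" serverport="3306"
       db="Syslog" uid="syslog" pwd="CHANGE_ME"
       queue.type="LinkedList"
       queue.filename="dbq"
       queue.saveOnShutdown="on"
       action.resumeRetryCount="-1")

# ---- File 2: /etc/rsyslog.conf on each sending host ----
global(workDirectory="/var/spool/rsyslog")

module(load="imjournal" StateFile="imjournal.state")
module(load="omrelp")

# Target and port are the ones used in the question above.
# The queue buffers messages on disk while the central host is unreachable.
action(type="omrelp"
       target="192.168.1.1" port="20514"
       queue.type="LinkedList"
       queue.filename="relpq"
       queue.saveOnShutdown="on"
       action.resumeRetryCount="-1")
```

Only imjournal is loaded as the local source here, so each local message has a single path into rsyslog.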

