So what are the cases where syslog forwards logs to the journal? Is there a case where both the journal and syslog end up sending the same logs to each other (like a cycle), resulting in duplicate logs?

Nishant

On Mon, 23 Aug 2021, 14:02 Mantas Mikulėnas, <graw...@gmail.com> wrote:

> On Mon, Aug 23, 2021, 11:19 Nishant Nayan <nayan.nishant2...@gmail.com> wrote:
>
>> I was using logger command to see if the logs goes to journal, and it
>> does, it goes both in /var/log/messages (owned by syslog) and journal, how
>> is it happening? Is it because journal listens to /dev/log ?
>>
>
> Journald listens to /dev/log and writes messages to its .journal files.
> Then a syslog daemon (rsyslogd or syslog-ng) receives the same messages
> *from* journald, in one of two ways, and writes them to /var/log/messages:
>
> a) The syslog daemon directly reads messages with full metadata from
> .journal files (e.g. in rsyslogd this is the imjournal module);
>
> or b) The syslog daemon listens on a completely separate socket in /run,
> and journald forwards all messages to that socket (without metadata) using
> the traditional syslog protocol.
>
>> The following is from systemd-journald.socket
>> [Socket]
>> ListenStream=/run/systemd/journal/stdout
>> ListenDatagram=/run/systemd/journal/socket
>> ListenDatagram=/dev/log
>>
>> Also can we edit 'systemd-journald.socket ' so as to not listen to
>> /dev/log ? Just for seeing its behaviour.
>> I tried by commenting out and removing 'ListenDatagram=/dev/log' and
>> restarted the socket and journal service, but the logger log is still
>> displayed in journal
>>
>
> Technically that should work? But don't use it for other reasons except
> testing, I'd say...
>
> Did you systemctl daemon-reload?
>
> Is /dev/log a real socket or a symlink? (In later systemd versions it's a
> symlink and the real socket is in /run.)
>
> If it's a real socket, does it get re-created after 'rm'?
>
>>
>> Nishant
>>
>> On Fri, 20 Aug 2021 at 16:43, Mantas Mikulėnas <graw...@gmail.com> wrote:
>>
>>> On Fri, Aug 20, 2021 at 2:11 PM Mantas Mikulėnas <graw...@gmail.com> wrote:
>>>
>>>> On Fri, Aug 20, 2021 at 2:10 PM Nishant Nayan <nayan.nishant2...@gmail.com> wrote:
>>>>
>>>>> Regarding the below point :
>>>>> c) The service prints to stdout/stderr, but systemd attaches the
>>>>> service's stdout/stderr to a pipe which is read by journald (using
>>>>> sd_journal_stream_fd(3) from libsystemd). See [Service] StandardOutput= in
>>>>> systemd.service(5).
>>>>>
>>>>> I did not see StandardOutput field in [Service] sections of a service
>>>>> file, for example sshd.service, but its logs are visible in journalctl.
>>>>> Is it by default piped to journal and we need to explicitly mention it
>>>>> (StandardOutput=) only when we want to redirect it somewhere else?
>>>>>
>>>>
>>>> StandardOutput=journal is the default setting.
>>>>
>>>
>>> And, actually, sshd doesn't write its messages to stdout anyway – it
>>> uses syslog() via /dev/log; most daemons do.
>>>
>>> --
>>> Mantas Mikulėnas
>>>
>>
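
An added example, not part of the thread: a small Python helper for the two checks raised in the reply above, namely whether /dev/log is a real socket or a symlink to one, and whether a given copy of the unit text still has an active ListenDatagram=/dev/log line. The function names and SHIPPED_UNIT are hypothetical; the unit text is the fragment quoted in the thread, and the check reads only the text it is given, not what systemd has loaded.

```python
import os
import stat

LISTEN_KEYS = ("ListenStream", "ListenDatagram", "ListenSequentialPacket")

def describe_log_path(path="/dev/log"):
    """Classify path via lstat(): real socket, symlink (and its target), or neither."""
    try:
        mode = os.lstat(path).st_mode
    except FileNotFoundError:
        return ("missing", None)
    if stat.S_ISSOCK(mode):
        return ("socket", path)
    if not stat.S_ISLNK(mode):
        return ("other", path)
    target = os.path.realpath(path)
    try:
        target_is_socket = stat.S_ISSOCK(os.stat(target).st_mode)
    except OSError:  # target missing or symlink loop
        return ("dangling-symlink", target)
    return ("symlink-to-socket" if target_is_socket else "symlink-to-other", target)

def listen_addresses(unit_text):
    """Return (key, address) pairs from [Socket], skipping commented-out lines."""
    section, found = None, []
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # unit-file comments start with # or ;
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if section != "Socket" or not sep or key not in LISTEN_KEYS:
            continue
        if not value:
            found.clear()  # systemd.socket(5): an empty assignment resets the list
        else:
            found.append((key, value))
    return found

# Unit fragment as quoted in the thread (not read from the running system).
SHIPPED_UNIT = """[Socket]
ListenStream=/run/systemd/journal/stdout
ListenDatagram=/run/systemd/journal/socket
ListenDatagram=/dev/log
"""
```

Calling describe_log_path() with no argument on the host answers the socket-or-symlink question; passing the edited unit file's text to listen_addresses() shows which addresses that file still declares.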