[TriLUG] Extracting normal logs from journald

Matt Flyer via TriLUG trilug at trilug.org
Mon Jun 1 17:03:09 EDT 2020


I recently got a server up and running with a more up-to-date
distribution than the CentOS 7 it had been running.

As with most mainline distributions, it uses systemd, which introduces
the journald logging.  In short, most of the conventional logs are
placed into the binary journal, as opposed to the conventional logs
such as auth.log, syslog, etc.

It looks like rsyslogd can be configured to extract a lot of the
conventional files from the journal and create regular log files.

The argument for the journal system seems to be that it's easier to
"index" them and also harder for intruders to cover their tracks.

The downside, as I am currently experiencing, is that I want to run a
host intrusion detection system like OSSEC, which, among other things,
monitors the log files, and it doesn't interface with the binary
journal.

Has anyone used rsyslogd or something else to essentially duplicate the
conventional log files and do you have a recommendation?

To me, this is just another serious gripe I have with the systemd
integration and an example of how violating the Unix philosophy of keeping
things textual, and instead going binary, has a real downside.
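One way to get conventional text files back out of the journal, added here as an illustration and not taken from the original post: an rsyslog drop-in that reads the journal with the imjournal module and writes Debian-style auth.log/syslog/kern.log files that a file-based HIDS can tail. The drop-in path and file names are assumptions; adjust them to the distribution.

```conf
# /etc/rsyslog.d/10-journal-to-files.conf   (assumed path; any name under rsyslog.d works)

# Read messages from the binary journal instead of /dev/log.
module(load="imjournal"
       StateFile="imjournal.state"      # stores the journal cursor, so a restart resumes
       IgnorePreviousMessages="off")    # "off" = also import what is already in the journal

# Caveat: do NOT also load imuxsock while journald has ForwardToSyslog=yes,
# or every message is written twice (once from the journal, once from the socket).
# Pick one path: imjournal here, or imuxsock + ForwardToSyslog=yes in journald.conf.

# Permissions for the files rsyslog creates (root:adm 0640, as on Debian).
$FileOwner root
$FileGroup adm
$FileCreateMode 0640

# Classic file layout. A leading "-" means asynchronous (buffered) writes.
auth,authpriv.*                  /var/log/auth.log
*.*;auth,authpriv.none           -/var/log/syslog
kern.*                           -/var/log/kern.log

# Verify after "systemctl restart rsyslog":
#   logger -p authpriv.notice "journal-to-file test"
#   tail -n 1 /var/log/auth.log
```

OSSEC can then watch the result with a `<localfile>` entry whose `<location>` is `/var/log/auth.log` and `<log_format>` is `syslog`; rotate the files with logrotate as before, since journald's own retention settings no longer apply to them.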


