[TriLUG] Extracting normal logs from journald

Kevin Faulkner via TriLUG trilug at trilug.org
Tue Jun 2 09:03:21 EDT 2020


On Mon, 01 Jun 2020 17:03:09 -0400
Matt Flyer via TriLUG <trilug at trilug.org> wrote:

> I recently got a server up and running with a more up to date
> distribution than the Centos 7 it had been running.
> 
> As with most mainline distributions, it uses systemd, which introduces
> the journald logging.  In short, most of the conventional logs are
> placed into the binary journal, as opposed to the conventional logs
> such as auth.log, syslog, etc.
> 
Minor clarification, I believe that journald mostly takes the stdout and stderr of the managed process and logs it to the journal. It really isn't really taking the place of logging, but it could if you configure your services to use stdout/stderr instead of syslog facilities. Haproxy only got the ability to use stdout/stderr fd's as recently as version 2.0, so some processes can't use the journald of all logging.

> It looks like rsyslogd can be configured to extract a lot of the
> conventional files from the journal and create regular log files.
> 
Yes, you can use rsyslog's imjournal (input module journal) or have journald write them to a file and then use imfile to consume them.

> The argument for the journal system seems to be that it's easier to
> "index" them and also harder for intruders to cover their tracks.
> 
> The downside, as I am currently experiencing, is that I want to run a
> host intrusion detection system, like OSSEC that among other things
> monitors the log files and it doesn't interface with the binary
> journal.
> 
> Has anyone used rsyslogd or something else to essentially duplicate the
> conventional log files and do you have a recommendation?
> 
At my workplace, there was a contractor who did this, because Splunk (at the time of the implementation) only had the ability to consume logs from a file. So, there is a process that calls bash to write journald logs out continuously to a file. This has proven to be less than ideal, as I wrote above there is the ability to have rsyslog do this. There's just something jaring about seeing `/bin/bash -c 'journalctl -f > /var/log/journald.out'` constantly running.
But yeah, what you're experiencing isn't very uncommon.

> To me, this is just another serious gripe I have with the systemd
> integration and example of how violating the Unix philosophy of keeping
> things textual and instead going binary has a real downside.
> 
Yeah, I can understand, and I also think it didn't help that systemd was more or less "forced" (since udev is needed for the kernel and systemd "part" of that). But there are a lot of cool things it can do, and it certainly has brought many improvements, and it can also bring a consistent interface to managing a system's services. I really have enjoyed some of the networkd features (networkctl, however lacks a lot of control-ability). But I still have some complaints, mostly around features and their documentation. I'm not really trying to make this about for or against systemd, mostly just wanted to let you know that I understand your point of view, and I wanted to share some optimism? I don't know, I might regret writing this later haha. 
> -- 
> This message was sent to: Kevin Faulkner <kondor6c at lazytree.us>
> To unsubscribe, send a blank message to trilug-leave at trilug.org from that address.
> TriLUG mailing list : https://www.trilug.org/mailman/listinfo/trilug
> Unsubscribe or edit options on the web	: https://www.trilug.org/mailman/options/trilug/kondor6c%40lazytree.us
> Welcome to TriLUG: https://trilug.org/welcome

-- 
Kevin Faulkner <kondor6c at lazytree.us>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 488 bytes
Desc: not available
URL: <http://www.trilug.org/pipermail/trilug/attachments/20200602/51e12531/attachment.pgp>


More information about the TriLUG mailing list