I am doing bulk deployment of systemd-based images and I need a central place to read my logs. I already have an ELK stack, which listens on TCP and UDP syslog ports and can receive syslog messages. I would be happy if I could just specify something like this in journald.conf:
ForwardToSyslogHost=udp:my.syslog.com:514
Without the need to run an rsync instance along with journald to do the forwarding for me.
I know that journald is not syslogd, but the syslog protocol is the de facto industry standard, it's relatively simple and I have to use it anyway, since some legacy network equipment can't speak any other protocol. Of course the ELK stack can use different protocols as well, but I will always need to support the syslog protocol, so I guess it's a good choice for now.
This way I would be able to completely remove the syslog package from my node images and use only the syslog protocol to send logs from journald to ELK Logstash.
Use @ssahani's netlogd: https://github.com/systemd/systemd-netlogd
Doing this inside of journald is not pretty as journald is started long before the network is up, and would mean we'd have to turn off the sandbox it is living in. By doing this in a separate mini daemon instead, we gain asynchronous behaviour (i.e. as soon as netlogd starts it can "catch up" with what happened in the meantime), and journald doesn't need to be network facing.
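The catch-up behaviour described in the reply above, sketched as an added example (not code from systemd-netlogd or from this thread): a forwarder remembers the last journal cursor it shipped, and on start converts everything after it to RFC 5424 syslog lines. The records are constructed samples in `journalctl -o json` shape; the default facility of 1 (user) and the escaping of embedded line breaks are assumptions of this sketch.

```python
import json
import socket
from datetime import datetime, timezone

# Constructed sample records in `journalctl -o json` shape (not real logs).
SAMPLE = [
    '{"__CURSOR":"c1","__REALTIME_TIMESTAMP":"1700000000000000","_HOSTNAME":"node1",'
    '"SYSLOG_IDENTIFIER":"sshd","_PID":"812","PRIORITY":"6","SYSLOG_FACILITY":"4",'
    '"MESSAGE":"Accepted publickey for deploy"}',
    '{"__CURSOR":"c2","__REALTIME_TIMESTAMP":"1700000001500000","_HOSTNAME":"node1",'
    '"SYSLOG_IDENTIFIER":"app","PRIORITY":"3","MESSAGE":"line one\\nline two"}',
]

def to_rfc5424(entry):
    """Render one journal record as an RFC 5424 line."""
    # PRI = facility * 8 + severity; facility defaults to user (1), an assumption.
    pri = int(entry.get("SYSLOG_FACILITY", 1)) * 8 + int(entry.get("PRIORITY", 6))
    usec = int(entry["__REALTIME_TIMESTAMP"])  # microseconds since the epoch
    ts = datetime.fromtimestamp(usec // 10**6, tz=timezone.utc)
    stamp = ts.replace(microsecond=usec % 10**6).strftime("%Y-%m-%dT%H:%M:%S.%f") + "Z"
    msg = entry.get("MESSAGE") or ""
    if isinstance(msg, list):  # journalctl emits non-UTF-8 fields as byte arrays
        msg = bytes(msg).decode("utf-8", "replace")
    # Escape line breaks so one journal record stays one syslog record.
    msg = msg.replace("\r", "\\r").replace("\n", "\\n")
    host = entry.get("_HOSTNAME", "-")
    app = entry.get("SYSLOG_IDENTIFIER", "-")
    pid = entry.get("_PID", "-")
    return f"<{pri}>1 {stamp} {host} {app} {pid} - - {msg}"

def catch_up(json_lines, last_cursor=None):
    """Return (syslog_lines, new_cursor) for records after last_cursor."""
    out, seen, cursor = [], last_cursor is None, last_cursor
    for raw in json_lines:
        entry = json.loads(raw)
        if seen:
            out.append(to_rfc5424(entry))
            cursor = entry["__CURSOR"]
        elif entry["__CURSOR"] == last_cursor:
            seen = True
    return out, cursor

def send_udp(lines, host, port=514):
    """Send each line as one UDP datagram (one record per datagram)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        for line in lines:
            s.sendto(line.encode("utf-8"), (host, port))

if __name__ == "__main__":
    lines, cursor = catch_up(SAMPLE)
    print("\n".join(lines), "\nnext cursor:", cursor)
```

On a real host the input would come from `journalctl -o json --after-cursor=<saved cursor>`, and the returned cursor would be persisted only after the send succeeds.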