So what are the cases where syslog forwards logs to journal?
Is there a case where both journal and syslog end up sending same logs to each other ( like a cycle ) resulting in duplicate logs?
Nishant
On Mon, 23 Aug 2021, 14:02 Mantas Mikulėnas, <grawity@xxxxxxxxx> wrote:
On Mon, Aug 23, 2021, 11:19 Nishant Nayan <nayan.nishant2000@xxxxxxxxx> wrote:I was using logger command to see if the logs goes to journal, and it does, it goes both in /var/log/messages (owned by syslog) and journal, how is it happening? Is it because journal listens to /dev/log ?Journald listens to /dev/log and writes messages to its .journal files. Then a syslog daemon (rsyslogd or syslog-ng) receives the same messages *from* journald, in one of two ways, and writes them to /var/log/messages:a) The syslog daemon directly reads messages with full metadata from .journal files (e.g. in rsyslogd this is the imjournal module);or b) The syslog daemon listens on a completely separate socket in /run, and journald forwards all messages to that socket (without metadata) using the traditional syslog protocol.The following is from systemd-journald.socket[Socket]
ListenStream=/run/systemd/journal/stdout
ListenDatagram=/run/systemd/journal/socket
ListenDatagram=/dev/logAlso can we edit 'systemd-journald.socket ' so as to not listen to /dev/log ? Just for seeing its behaviour.I tried by commenting out and removing 'ListenDatagram=/dev/log' and restarted the socket and journal service, but the logger log is still displayed in journalTechnically that should work? But don't use it for other reasons except testing, I'd say...Did you systemctl daemon-reload?Is /dev/log a real socket or a symlink? (In later systemd versions it's a symlink and the real socket is in /run.)If it's a real socket, does it get re-created after 'rm'?NishantOn Fri, 20 Aug 2021 at 16:43, Mantas Mikulėnas <grawity@xxxxxxxxx> wrote:On Fri, Aug 20, 2021 at 2:11 PM Mantas Mikulėnas <grawity@xxxxxxxxx> wrote:On Fri, Aug 20, 2021 at 2:10 PM Nishant Nayan <nayan.nishant2000@xxxxxxxxx> wrote:Regarding the below point :c) The service prints to stdout/stderr, but systemd attaches the service's stdout/stderr to a pipe which is read by journald (using sd_journal_stream_fd(3) from libsystemd). See [Service] StandardOutput= in systemd.service(5).I did not see StandardOutput field in [Service] sections of a service file, for example sshd.service, but its logs are visible in journalctl.Is it by default piped to journal and we need to explicitly mention it (StandardOutput=) only when we want to redirect it somewhere else?StandardOutput=journal is the default setting.And, actually, sshd doesn't write its messages to stdout anyway – it uses syslog() via /dev/log; most daemons do.--Mantas Mikulėnas
