systemd journal vs rsyslog

invade
Posts: 26
Joined: 2020/02/26 14:26:51

systemd journal vs rsyslog

Post by invade » 2021/04/14 12:29:18

Hi.

I've been looking into an issue with log duplication on EL8.

I see that rsyslog is a mandatory package for the "Core" AppStream group, and that the service is enabled by default.

The systemd package contains both:
/etc/systemd/journald.conf (with the "Storage" parameter defaulting to "auto")
/var/log/journal/

which, as I understand it, results in a persistent journal:
https://www.freedesktop.org/software/sy ... l#Storage=

As a result, messages are being logged in both the journal by systemd and in various log files by rsyslog.

Assuming my conclusion above is correct, can anyone tell me why this log duplication appears to be the default for EL8?

Thanks in advance.

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: systemd journal vs rsyslog

Post by jlehtone » 2021/04/14 12:50:25

Yes, package 'systemd' formally provides /var/log/journal, but no CentOS Linux 8 install that I have actually has such a directory.
Furthermore, man journald.conf writes:
Storage=
Controls where to store journal data. One of "volatile", "persistent", "auto" and "none". If "volatile", journal log data will be stored only in memory, i.e. below the /run/log/journal hierarchy (which is created if needed). If "persistent", data will be stored preferably on disk, i.e. below the /var/log/journal hierarchy (which is created if needed), with a fallback to /run/log/journal (which is created if needed), during early boot and if the disk is not writable. "auto" is similar to "persistent" but the directory /var/log/journal is not created if needed, so that its existence controls where log data goes. "none" turns off all storage, all log data received will be dropped. Forwarding to other targets, such as the console, the kernel log buffer, or a syslog socket will still work however. Defaults to "auto".
Since /var/log/journal does not actually exist, the 'auto' makes journald write to the volatile location.

At least one of my CentOS 8 installs (definitely before 8.3) did not install 'rsyslog' -- either Core was not included or it did not include rsyslog -- which did lead to no persistent log at all.


Why are there duplicate systems, rather than a "proper config" for systemd? I have no idea.

KernelOops
Posts: 428
Joined: 2013/12/18 15:04:03
Location: xfs file system

Re: systemd journal vs rsyslog

Post by KernelOops » 2021/04/14 13:53:12

I think the default in CentOS 8 is to use rsyslog to store logs under /var/log and use systemd's journal for temporary memory storage only. There is no /var/log/journal by default.

Eventually (maybe RHEL 9?) they will follow Fedora and use the journal for all logging.
--
R.I.P. CentOS :cry:
--

invade
Posts: 26
Joined: 2020/02/26 14:26:51

Re: systemd journal vs rsyslog

Post by invade » 2021/04/14 14:48:46

I just had a look at the systemd spec file and the entry for /var/log/journal is a ghost entry:
%ghost %verify (not mode group md5 mtime) %dir /var/log/journal

so it's owned by the package, but not created, and as such the journal will be "volatile".

I guess this explains why rsyslog is included.
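
The Storage= resolution discussed in this thread can be checked mechanically. The script below is an added example, not part of any post: it reads the main journald.conf, applies the "auto" rule from the quoted man page text, and reports whether logs end up on disk twice. The function names, the ROOT prefix argument and the rsyslog enablement symlink path are assumptions of this example, and drop-in configuration directories are not handled.

```shell
#!/bin/sh
# Added example. ROOT is a hypothetical prefix ("" = live system) so the
# check can run against a mounted image or a test tree.

# Print the storage journald ends up using, following journald.conf(5):
# "auto" is persistent only when /var/log/journal already exists.
# Only the main file is read; drop-in directories are not handled here.
effective_journal_storage() {
    root=${1:-}
    conf="$root/etc/systemd/journald.conf"
    # Last uncommented Storage= line wins; "#Storage=auto" is skipped.
    storage=$(sed -n 's/^[[:space:]]*Storage[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*$/\1/p' \
        "$conf" 2>/dev/null | tail -n 1)
    case "${storage:-auto}" in
        volatile|persistent|none) echo "$storage" ;;
        auto)
            if [ -d "$root/var/log/journal" ]; then
                echo persistent
            else
                echo volatile
            fi ;;
        *) echo unknown; return 1 ;;
    esac
}

# True when the journal is persistent AND rsyslog is enabled, i.e. the same
# messages land on disk twice. Assumption: rsyslog is enabled through the
# usual multi-user.target.wants symlink.
logs_duplicated_on_disk() {
    root=${1:-}
    want="$root/etc/systemd/system/multi-user.target.wants/rsyslog.service"
    [ "$(effective_journal_storage "$root")" = persistent ] &&
        { [ -L "$want" ] || [ -e "$want" ]; }
}

# Constructed sample tree (not taken from the thread): EL8-like defaults.
demo=$(mktemp -d)
mkdir -p "$demo/etc/systemd"
printf '[Journal]\n#Storage=auto\n' > "$demo/etc/systemd/journald.conf"
echo "ghost dir absent:  $(effective_journal_storage "$demo")"
mkdir -p "$demo/var/log/journal"
echo "after mkdir:       $(effective_journal_storage "$demo")"
rm -rf "$demo"
```

Call the functions with an empty argument to inspect the running system, or with a mount point to audit an image offline.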
