3

I'm running an application under systemd within CentOS 7. It logs to stdout and systemd is capturing that into journalctl just fine. I'd like to also:

  1. Get a rotated text log file also saved to the local filesystem, for familiarity to our sysadmins
  2. Get this data cleanly into logstash, ideally just the application logs, not all of syslog, which also includes the OS messages, other applications, etc.

I was initially researching using multilog from djb's daemontools, but given systemd unit files don't like shell pipelines in ExecStart, plus there's no official RPM for daemontools that's part of CentOS, I'm hoping there's a less-kludgey approach.

I currently have logstash-forwarder reading syslog from /var/log/messages and /var/log/secure but I'd rather not include messages other than from this particular application.

Peter Lyons

2 Answers

3

A third party input plugin for logstash that reads the systemd journal directly is available. Adding support directly to logstash remains an open issue.

Logstash now includes a systemd journal input plugin.

Michael Hampton
  • 2
    Thanks for the links. Good info. I'm not willing to install and run ruby on my system to get that input plugin working. I'm hoping there's another viable approach, but I do suspect you may be correct that there's nothing pre-built easily available at the moment, which I find quite surprising. – Peter Lyons Apr 23 '15 at 04:46
  • 2
    @PeterLyons Ruby is just another language; it's not going to tag your servers with graffiti or eat your children. It's even possible that you already have it installed. – Michael Hampton Apr 23 '15 at 05:00
  • 2
    @PeterLyons Run it in a container :p – Sleeper Smith Oct 22 '15 at 09:45
  • 1
    @MichaelHampton can we just assume that if he says "I don't want to" that this is an OK thing and he shouldn't have to just to get back the functionality everyone used to have until journald? – Florian Heigl Dec 15 '16 at 10:29
  • 1
    @FlorianHeigl This is IT. We very often have to do things we shouldn't have to do, though it's more often because of orders from above than for technical reasons. And it's usually _not_ OK to just say "I don't want to". – Michael Hampton Dec 15 '16 at 14:47
0

This would be only your basic solution, something like this: journalctl -f -o json | tee -a /var/log/systemd

You would need log rotation for that file to take care of the size, otherwise it will fill up so quickly.

Definitely considering you don't need to deploy stuff like logstash or fluentd.

Abdel Hegazi
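
One way to keep only the application's entries from a `journalctl -f -o json` stream and write them to a size-rotated text file, as an added example that is not code from any of the answers above. The unit name `myapp.service`, the log path and the rotation sizes are assumptions.

```python
import json
import logging.handlers
import sys
from datetime import datetime, timezone

UNIT = "myapp.service"  # assumption: the application's unit name

# Constructed sample lines in `journalctl -o json` shape (not real log data).
SAMPLE = [
    '{"_SYSTEMD_UNIT":"myapp.service","__REALTIME_TIMESTAMP":"1429764360000000","MESSAGE":"started"}',
    '{"_SYSTEMD_UNIT":"sshd.service","__REALTIME_TIMESTAMP":"1429764361000000","MESSAGE":"Accepted publickey"}',
    '{"_SYSTEMD_UNIT":"myapp.service","__REALTIME_TIMESTAMP":"1429764362000000","MESSAGE":[104,105,255]}',
]


def decode_message(raw):
    """MESSAGE is a string, a list of byte values (non-UTF-8 data) or null."""
    if isinstance(raw, list):
        return bytes(raw).decode("utf-8", errors="replace")
    return "" if raw is None else str(raw)


def format_entry(line, unit=UNIT):
    """Return one text log line for an entry from `unit`, else None."""
    try:
        entry = json.loads(line)
        if entry.get("_SYSTEMD_UNIT") != unit:
            return None  # OS messages and other applications are dropped
        usec = int(entry.get("__REALTIME_TIMESTAMP", 0))
        msg = decode_message(entry.get("MESSAGE"))
    except (ValueError, AttributeError, TypeError):
        return None  # truncated or malformed line
    stamp = datetime.fromtimestamp(usec / 1_000_000, tz=timezone.utc)
    # Escape line breaks so one journal entry stays one line in the file.
    msg = msg.replace("\n", "\\n").replace("\r", "\\r")
    return f"{stamp:%Y-%m-%dT%H:%M:%SZ} {msg}"


def main(path):
    handler = logging.handlers.RotatingFileHandler(
        path, maxBytes=10_000_000, backupCount=5)  # sizes are assumptions
    log = logging.getLogger("journal-tee")
    log.setLevel(logging.INFO)
    log.addHandler(handler)
    for line in sys.stdin:
        text = format_entry(line)
        if text is not None:
            log.info(text)


if __name__ == "__main__":
    main(sys.argv[1])
```

Saved under a hypothetical name such as `journal_tee.py`, it would be fed as `journalctl -f -o json | python3 journal_tee.py /var/log/myapp/myapp.log`, and the resulting file contains only the one unit's messages for a forwarder to read.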