8

I want to log journald logs to a file so I can later on fetch it and send it to Logstash. I thought about running syslog-ng and making it a client of journald, so I'd get syslog files. I'm using Docker containers on a CoreOS machine, so I tried to run syslog-ng as a container in the CoreOS docker host, creating a systemd unit that executes the container. I followed this page to get syslog in systemd, but if I try to make my syslog-ng container directly read from the syslog socket in the host (by mounting it with a docker volume), it complains about "Address already in use". So I have journald logging, a container with syslog-ng running, but I don't know how to get journald logs inside syslog-ng.

My alternative solution to get journald logs in a file is to run a systemd unit that executes journalctl -f --json | tee -a /var/log/systemd, but I'm not sure about the reliability of this solution. Is this a good enough solution?

Jose Armesto
  • http://serverfault.com/q/684877/126632 – Michael Hampton Oct 11 '15 at 18:56
  • Thx for your answer, but I don't want to directly connect to Logstash. I don't want Logstash running on every host – Jose Armesto Oct 11 '15 at 18:58
  • Hi, newer versions of syslog-ng can natively collect logs from journals, see https://www.balabit.com/sites/default/files/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/configuring-sources-journal.html – Robert Fekete Oct 12 '15 at 10:09
  • Yes but since syslog-ng is running inside a container and the journald in the host, I don't know how to get it to "notice" that journald is running on the host. Otherwise, syslog-ng does not know anything about journald. Do you know what I mean? – Jose Armesto Oct 12 '15 at 11:28
  • @fiunchinho I'm going through the same issues, trying to get the journalctl of host in a filebeat container. How did you achieve this? – Foreever Oct 26 '16 at 04:17

1 Answer

12

I do realize this question is a little dated, but it is one of the first search results on Google. That and the --json option does not seem to work for me and does not show up in the man pages.

I looked at the man page for journalctl and there is an option named: --no-tail which will just output the date directly to std where it can be piped into another application or file.

In my case I wanted my ssh logs from today so I executed this: journalctl -u sshd -S today --no-tail > main.log.

Technical explanation: get all logs from today which are from the unit sshd; the > then outputs this to a file.

In your case I believe this is what you are wanting: journalctl --no-tail > test.log.

This was tested in Arch Linux.

boweeb
Friedmicro
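On the reliability concern in the question, this added example (not code from the question or the answer) shows incremental export: it appends entries from journalctl's `-o json` output mode to a file and checkpoints the last `__CURSOR`, so a restart resumes with `--after-cursor` instead of losing or repeating entries. The function names, file paths and the shortened cursor strings in the sample are constructed for illustration.

```python
import json, os

# Constructed sample of `journalctl -o json` output (one JSON object per line).
SAMPLE = [
    '{"__CURSOR":"s=a1;i=1","__REALTIME_TIMESTAMP":"1444589760000000","_SYSTEMD_UNIT":"sshd.service","MESSAGE":"Accepted publickey for core"}',
    '{"__CURSOR":"s=a1;i=2","__REALTIME_TIMESTAMP":"1444589761000000","_SYSTEMD_UNIT":"docker.service","MESSAGE":[111,107,255]}',
    '{"__CURSOR":"s=a1;i=3","__REALTIME_TIMESTAMP":"1444589762000000","_SYSTEMD_UNIT":"sshd.service","MESSAGE":null}',
]

def decode_field(value):
    """journald emits non-UTF-8 fields as byte arrays and oversized ones as null."""
    if isinstance(value, list) and all(isinstance(b, int) for b in value):
        return bytes(value).decode("utf-8", errors="replace")
    return "" if value is None else str(value)

def journalctl_args(cursor_path):
    """argv (no shell involved) that resumes after the saved cursor, if any."""
    args = ["journalctl", "--no-pager", "-o", "json"]
    if os.path.exists(cursor_path):
        with open(cursor_path) as f:
            args.append("--after-cursor=" + f.read().strip())
    return args

def append_entries(lines, out_path, cursor_path):
    """Append entries to out_path, then checkpoint the last cursor atomically."""
    last, count = None, 0
    with open(out_path, "a", encoding="utf-8") as out:
        for line in lines:
            entry = json.loads(line)
            record = {
                "ts_us": int(entry["__REALTIME_TIMESTAMP"]),
                "unit": decode_field(entry.get("_SYSTEMD_UNIT")),
                "message": decode_field(entry.get("MESSAGE")),
            }
            out.write(json.dumps(record) + "\n")
            last, count = entry["__CURSOR"], count + 1
        out.flush()
        os.fsync(out.fileno())  # log data is durable before the cursor moves
    if last is not None:
        tmp = cursor_path + ".tmp"
        with open(tmp, "w") as f:
            f.write(last)
        os.replace(tmp, cursor_path)  # atomic rename: never a half-written cursor
    return count
```

Because the log file is synced before the cursor is updated, a crash between the two steps can repeat entries on the next run but cannot drop them. In a systemd unit, the lines would come from the stdout of a subprocess started with `journalctl_args(cursor_path)`.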