Logstash with journald instead of rsyslog

Question

I'm used to sending my logs from a server to a remote Logstash using rsyslog, with a configuration file roughly as follows (usually more specific to prevent too many logs from being sent):

*.* @192.168.5.5:5000

I'm now starting work on a server that does not have syslog running but instead uses journald. Is there a similar way to send the logs to Logstash with journald as is done with Syslog, or does it require more work? I can't find much information online regarding the use of Logstash with journald.

score 4 · Accepted Answer · answered Feb 04 '16 at 22:58

4

There is no official support, but there is an open issue to get it added. It turns out there are a few plugins that shim in this support, notably logstash-input-journald.

answered Feb 04 '16 at 22:58

sysadmin1138

133,124
18
176
300

1

Thanks, I'll probably stick to using journald forwarding messages to rsyslog for now. This is probably still what most logstash user do to this date? – Loic Duros Feb 05 '16 at 14:04

score 0 · Answer 2 · answered Jul 05 '20 at 08:21

0

There's journalbeat now to parse journald logs directly and send them to logstash

answered Jul 05 '20 at 08:21

aardbol

1,473
4
17
26

score 0 · Answer 3 · answered Jul 05 '20 at 09:48

0

You can tell journal to send messages to rsyslog by adding ForwardToSyslog=yes into /etc/systemd/journald.conf

answered Jul 05 '20 at 09:48

kofemann

4,626
1
25
30

Logstash with journald instead of rsyslog

3 Answers3