
I am trying to export kernel logs (/var/log/messages) to remote Syslog servers. So far, most of the system logs are stored in journald and rsyslogd is disabled.

So, I am planning to use rsyslogd to export logs (by configuring the rsyslog.conf file). Firstly, I will pass those kernel logs from journald to rsyslogd and then export them.

Can someone suggest whether this is the right path to proceed, or whether I can use journald directly to achieve the same?

1 Answer


Systemd can collect and store logs, but it doesn’t have a built-in method of logging to remote locations such as log management systems. Instead, it relies on the device’s syslog service to relay messages between journald and a remote syslog server.

However, syslog is text-based and journald uses a binary format, so your logs need to be converted before they can be transferred. You can do this by using either systemd's ForwardToSyslog configuration setting, or by using rsyslog's imjournal module.

/etc/systemd/journald.conf has a ForwardToSyslog=yes option that would allow you to forward the logs to syslog, which seems like a pretty inelegant way to me.


In rsyslog you can add the module imjournal to get the journal logs. To use it, add the following to your /etc/rsyslog.conf file. The mmjsonparse module lets rsyslog parse journald messages:

module(load="imjournal")
module(load="mmjsonparse")

Kernel messages can be logged with the standard imklog module. Just add module(load="imklog") to the configuration file /etc/rsyslog.conf. With the standard rsyslog configuration, this should log kernel messages to /var/log/messages and /var/log/syslog.

The forwarding can be done over UDP or TCP.

Forwarding:

*.* action(type="omfwd" target="10.0.2.1" port="514" protocol="udp")         # UDP
*.* action(type="omfwd" target="10.0.2.1" port="10514" protocol="tcp")       # TCP

Obsolete Legacy Format

*.* @10.0.1.1:514        # UDP
*.* @@10.0.1.1:514       # TCP

After adding this (please not in the legacy format), your rsyslog client should start forwarding the messages to your remote syslog server. I only added the legacy format to the answer because you'll find a LOT of configurations written like this.

eDonkey
  • Hi, thank you for your response! ForwardToSyslog=yes will only enable forwarding logs from journald to rsyslogd? However, my aim is to export them to remote servers so I guess I need to use "imklog" solution only right? – Tanika Garg Dec 22 '21 at 16:41
  • @TanikaGarg I've updated my answer, I hope this answers your questions. – eDonkey Dec 23 '21 at 08:16
  • Hi, do you know how to forward logs using rsyslog according to standards RFC3164, RFC3339 & RFC5124? – Tanika Garg May 24 '22 at 10:44
  • Please post this as a new question so other users can benefit as well. Then I'll be happy to answer it. – eDonkey May 25 '22 at 08:04
  • 1
    https://stackoverflow.com/questions/72389726/export-logs-using-rsyslog-in-various-formats – Tanika Garg May 26 '22 at 09:36
  • Also, for the future.. if an answer answers your question, please make sure to accept it. That way other users can find good answers faster and more easily. – eDonkey May 27 '22 at 07:25
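To check that the omfwd forwarding in the answer actually arrives at the other end, here is a small UDP syslog receiver. It is an added example, not code from the question, the answer or the rsyslog project: it binds a UDP port, decodes the RFC 3164 <PRI> header that omfwd emits into facility and severity (so you can confirm that kern-facility messages from imklog are among what arrives), and flags malformed lines instead of crashing on them. The default port 5514, the helper names, and the sample messages are assumptions made for this example; the TCP variant is not covered.

```python
"""Minimal UDP syslog receiver for verifying rsyslog forwarding (added example)."""
import socket

# Facility codes 0..23 and severity codes 0..7 as defined by RFC 3164 / RFC 5424.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "solaris-cron",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse_pri(message):
    """Split a syslog line into (facility, severity, rest).

    The line must begin with the '<PRI>' header, where PRI = facility * 8 + severity.
    Returns None when the header is missing or malformed so a caller can count or
    alert on garbage rather than aborting the receiver.
    """
    if not message.startswith("<"):
        return None
    end = message.find(">", 1)
    if end < 2 or end > 4:           # PRI is one to three decimal digits
        return None
    digits = message[1:end]
    if not digits.isdigit():
        return None
    pri = int(digits)
    if pri > 191:                     # 23 * 8 + 7 is the largest legal value
        return None
    facility, severity = divmod(pri, 8)
    return FACILITIES[facility], SEVERITIES[severity], message[end + 1:]


def open_receiver(host="127.0.0.1", port=0):
    """Bind a UDP socket; port 0 lets the kernel pick a free port (handy for tests)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, port))
    return sock


def receive_one(sock, timeout=5.0):
    """Block for one datagram and return (sender_address, decoded_text)."""
    sock.settimeout(timeout)
    data, addr = sock.recvfrom(65535)
    return addr, data.decode("utf-8", errors="replace")


def send_test_message(host, port, text):
    """Send one constructed syslog line, standing in for the rsyslog client."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as client:
        client.sendto(text.encode("utf-8"), (host, port))


def describe(message):
    """One-line summary of a received message; kern-facility lines are marked."""
    parsed = parse_pri(message)
    if parsed is None:
        return "MALFORMED: " + message
    facility, severity, rest = parsed
    tag = "KERNEL " if facility == "kern" else ""
    return f"{tag}{facility}.{severity}: {rest.strip()}"


if __name__ == "__main__":
    import sys
    # Port 514 matches the omfwd example but needs root; 5514 (assumed) works unprivileged.
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 5514
    server = open_receiver("0.0.0.0", port)
    print(f"listening on udp/{port} ...")
    while True:
        addr, msg = receive_one(server, timeout=None)
        print(f"{addr[0]}: {describe(msg)}")
```

Run it on the receiving host, point the omfwd action at that host and port, and watch for lines prefixed with KERNEL; a quick local check without rsyslog is `logger --server 127.0.0.1 --port 5514 --udp "test"` from util-linux. Because `parse_pri` returns None for bad headers, a burst of MALFORMED lines is itself a useful signal that something other than your rsyslog client is writing to the port.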