[systemd-devel] journald syslog forwarding

[Zbigniew Jędrzejewski-Szmek]

On Thu, Dec 11, 2014 at 02:54:18PM +0000, Holger Winkelmann [TP] wrote:
> HI,
> 
> >> Are there any plans to follow? I.e, having all protocols in a generic gateway,
> >> or having one gateways per protocol? How the should we define which field
> >> form the journal should be forwarded to syslog?
> > IIUC, Lennart wanted to add this funcitonality to systemd-journal-upload or
> > a new tool. I think it might be nicer to add it directly to systemd-journald,
> > even though it would then use the network. The details are fuzzy atm.
> 
> upload sounds a bit of a batch process, but thats just cosmetic wording.
> 
> Having this in systems-journald and extend the forward to syslog config with the target
> host was our expectation anyway. 
The difference is in how the logs are accessed: if journald itself does the jobs,
they would be forwarded "live". If anything else, the uploader would be a client
which reads the files in /var/log/journal/. The are advantages to both solutions:
the first one might be more robust if writing the logs fails or stops for whatever
reason. The second one will probably send more logs, because sending of logs can
be delayed until the network is up. In the second version, the uploader can also
forward logs from other machines (containers). Now that I spelled it out, the second
version seems nicer.

> > Initial plan was to implement the most straighforward syslog forwarding,
> > so only the MESSAGE field would be sent.
>  
> it would be great to have at least the following format to send to syslog:
> 
> "<%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msg%\n"
> 
> described as rsyslog configuration. All the meta infos are there IMHO.
Yes. We just wouldn't go into "structured" syslog messages to carry other fields.

> > I think that additional forwarders (e.g. GELF) should stay as separate projects.
> 
> I think so as well.

Zbyszek