[systemd-devel] Native Journal source vs syslog forwarding

"Jóhann B. Guðmundsson" johannbg at gmail.com
Wed Nov 26 03:21:58 PST 2014 

On 11/26/2014 10:04 AM, Gergely Nagy wrote:
> Hi!
>
> I have an interesting situation here, which I'm trying to wrap my head
> around and solve. The problem is that I have a syslog daemon (syslog-ng
> 3.6.1) that has a native Journal source, meaning it can pull entries
> from the Journal directly, and does not need the syslog forwarding
> socket - and this is the default when running on a systemd-enabled
> machine.
>
> This works beautifully, except there's one problem:
>
> Nov 26 10:41:05 eowyn systemd-journal[14843]: Forwarding to syslog missed 1343 messages.

This happens when the socket buffer is full for the syslogd which is 
being forwarding to.
( try tweaking those settings )

>
> On Debian, syslog forwarding is enabled by default, and since syslog-ng
> reads from the journal, there's nothing listening on
> /run/systemd/journal/syslog, and I get spammed with messages like the
> one above.
>
> I'm not sure how to solve this problem. As far as I see, I have the
> following options:
>
> 1) Drop the native journal source and use syslog forwarding.
>
>     This is trivial to do, but I loose the extra fields and info the
>     Journal collects. I'd rather not do this.
>
> 2) Have a dummy listener on /run/systemd/journal/syslog, that just reads
>     everything and drops it on the floor.
>
>     This sounds fishy, and is a bit awkward to implement in the config.
>     This would also be an ugly hack, not a real solution.
>
> 3) Disable syslog forwarding if syslog-ng is installed
>
>     Not sure how this could be achieved, because journald.conf does not
>     belong to the syslog-ng package, therefore I can't fiddle its
>     settings from there. (Technically, I could, but I won't, that'd be
>     extremely rude.)

As of systemd 216 forwarding to another syslogd has been disabled by 
default so no need to fiddle with this setting.

>
> I'd appreciate any hints. (Disabling syslog forwarding by default is not
> an option.)
>

Why is that not an option since there is nothing by your own account 
listening to /run/systemd/journal/syslog?

JBG

More information about the systemd-devel mailing list