[systemd-devel] Native Journal source vs syslog forwarding
Lennart Poettering
lennart at poettering.net
Sun Nov 30 15:20:05 PST 2014
On Wed, 26.11.14 11:04, Gergely Nagy (algernon at madhouse-project.org) wrote:
> Hi!
>
> I have an interesting situation here, which I'm trying to wrap my head
> around and solve. The problem is that I have a syslog daemon (syslog-ng
> 3.6.1) that has a native Journal source, meaning it can pull entries
> from the Journal directly, and does not need the syslog forwarding
> socket - and this is the default when running on a systemd-enabled
> machine.
>
> This works beautifully, except there's one problem:
>
> Nov 26 10:41:05 eowyn systemd-journal[14843]: Forwarding to syslog missed 1343 messages.
>
> On Debian, syslog forwarding is enabled by default, and since syslog-ng
> reads from the journal, there's nothing listening on
> /run/systemd/journal/syslog, and I get spammed with messages like the
> one above.
Hmmm, we only increase the counter when we get EAGAIN from the
socket. Normally, if nobody is listening on the other side we
shouldn't get EAGAIN, we should get ECONNREFUSED or so.
Most likely for some reason "syslog.socket" gets started (which
establishes the socket), but nothing is then started behind it? That
sounds wrong.
Note that in systemd upstream we don't do forward-to-syslog anymore,
simply because it turned out to be really slow when nobody is
listening on the socket, and rsyslog didn't use it anymore. Does
Debian turn this on after all?
> 3) Disable syslog forwarding if syslog-ng is installed
>
> Not sure how this could be achieved, because journald.conf does not
> belong to the syslog-ng package, therefore I can't fiddle its
> settings from there. (Technically, I could, but I won't, that'd be
> extremely rude.)
We really should figure out why journald gets EAGAIN when writing to
that socket. Is syslog.socket started? If so, why?
Lennart
--
Lennart Poettering, Red Hat
More information about the systemd-devel
mailing list