[systemd-devel] Both volatile and persistent journald logs

[Cam Hutchison]

Lennart Poettering <lennart at poettering.net> writes:

>On Thu, 23.04.15 06:58, Cam Hutchison (camh at xdna.net) wrote:

>> The specifics of my logging that is temporarily volatile is captured in
>> these rsyslog configs:
>> 
>> local1.*                        /tmp/log/dnsmasq.log
>> local4.*                        /tmp/log/ldap.log
>> if $syslogfacility-text == 'kern' and $msg contains 'firewall:' then
>> /tmp/log/firewall.log

>journald does not allow seperate log files or filter expressions,
>please use rsyslog or another syslog daemon for things like this.

I've got no real use for directing logs to files via these filter
expressions in a journald world. I'm happy with the filtering being
done on read-out instead of ingestion. These only go to separate
files because that's how syslog works.

But if I want to discriminate in order to direct logs to a volatile vs
persistent store then I would need some sort of pre-filtering and I can
see how that does not fit with journald's design.

However, even if I continue to use rsyslog with these filters, I don't
believe I will achieve what I want because the logs will first pass
through journald which will happily write them to its journal on
/var/log, creating the SSD write activity I'm trying to avoid.

For now I guess I'll just reduce the amount of logging. I should be able
to use NFLOG and ulogd2 to capture the firewall logs outside of
syslog/journald.

Thanks for your quick response.