[systemd-devel] Direct systemd-journald event-logs transmission to Zabbix\Cacti
Mikhail Kasimov
mikhail.kasimov at gmail.com
Sat Oct 24 09:01:54 PDT 2015
Hello!
There is one more question I am trying to get clarity on for myself -- direct
systemd-journald event-logs transmission to Zabbix\Cacti\other log-collector.
As I understand, nowadays we have these event-logs transmission schemas:
Windows OS system:
| Win System | -->|EventLog-To-Syslog Service| --> {UDP 514} --> |Log-collector|
Unix-like system:
1) Non-systemd:
+---------+    +----------------+                  +-------------+
| System  | -->|(r-)syslog(-ng) | --> {UDP 514} -->|Log-collector|
+---------+    +----------------+                  +-------------+
2) Systemd-based Linux:
+---------+    +----------------+                  +-------------+
| System  | -->|(r-)syslog(-ng) | --> {UDP 514} -->|Log-collector|
+---------+    +----------------+                  +-------------+
     |                 A
     |                 |
     |                 | {/etc/systemd/journald.conf: Store=volatile,ForwardToSyslog=yes}
     |                 |
     |         +-----------------+               +-------------+
     --------->|systemd-journald | --> {???} --> |Log-collector|
               +-----------------+               +-------------+
If we want to send systemd-journald logs to remote log-collector system,
we have to set up forwarding to (r-)syslog(-ng) service.
Systemd's native tools -- systemd-journal-gatewayd\-upload\-remote --
are designed to transmit logs between only homogeneous (systemd-based)
systems.
So a systemd-based Linux system cannot transmit its event-logs to
log-collectors _directly_ (key word in this topic!) via systemd-journald
-- it's necessary to install one more eventlog-system ((r-)syslog(-ng)) to
transmit logs to the log-collector. That's redundancy again, as for me --
just the same as what I mentioned in "SSH -H key topic".
I tried to find out the plugins for Cacti to have a dedicated
systemd-journald tab compared to syslog (like here, for example:
http://s16.postimg.org/e76umnxb9/pic2.jpg), but had no success with it.
The problem is, I suppose, that systemd has no documented specification
(RFC) on its own outgoing logs-transmission transport (in open and
secure ways), instead of syslog:
'grep 514 < /etc/services':
=============================
syslog 514/udp
...
syslog-tls 6514/tcp # Syslog over TLS [RFC5425]
syslog-tls 6514/udp # syslog over DTLS [RFC6012]
syslog-tls 6514/dccp # syslog over DTLS [RFC6012]
=============================
'grep systemd < /etc/services' and 'grep journal < /etc/services' didn't
give any result.
Resume:
========
1. Because systemd-journald has NO documented specification on
logs-transmission transport, admins have to install another log-system in
parallel to systemd-journald and set up systemd-journald in the right way to
have the possibility to send event-logs to the log-collector system (Redundancy,
because two event-log services are in use).
2. To avoid the redundancy mentioned above, admins can stop and disable
systemd-journald.socket and systemd-journald.service and use only
(r-)syslog(-ng) service (one service in use).
3. If systemd-journald has a documented specification (RFC) on
logs-transmission transport, admins will have a pretty good choice
(technically and/or ideologically) to use systemd-journald and\or
(r-)syslog(-ng) at the same time or separately to send event-logs to
Zabbix\Cacti\other log-collector.
========
Which thing do I understand right and which wrong?
Thanks and sorry for a long text - I'll really be glad to understand the
current (and possibly, future) situation with systemd-journald event-log
transmission to Zabbix\Cacti\other log-collector _directly_.
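
An added example, not part of the original post and not systemd code: the {???} hop in the diagram, sketched as a converter from `journalctl -o json` entries to RFC 5424 syslog records that a UDP 514 collector accepts. The function names, the user.info default for entries without a priority, and the collector address are assumptions of this example; the sample entries are constructed.

```python
import json
import socket
from datetime import datetime, timezone

# Constructed sample entries in the shape `journalctl -o json` prints (one object per line).
SAMPLE = [
    '{"__REALTIME_TIMESTAMP":"1445702514000000","_HOSTNAME":"host1","PRIORITY":"3",'
    '"SYSLOG_FACILITY":"3","SYSLOG_IDENTIFIER":"sshd","_PID":"812","MESSAGE":"error: bind failed"}',
    '{"__REALTIME_TIMESTAMP":"1445702515250000","_HOSTNAME":"host1",'
    '"SYSLOG_IDENTIFIER":"kernel","MESSAGE":"line one\\nline two"}',
    '{"__REALTIME_TIMESTAMP":"1445702516000000","_HOSTNAME":"host1","PRIORITY":"6",'
    '"SYSLOG_IDENTIFIER":"my app","MESSAGE":[111,107,255]}',
]

def _hdr(value, maxlen):
    """RFC 5424 header field: printable ASCII without spaces, '-' when absent."""
    clean = "".join(c if 33 <= ord(c) <= 126 else "_" for c in str(value or ""))
    return clean[:maxlen] or "-"

def to_rfc5424(json_line, default_facility=1, default_severity=6):
    e = json.loads(json_line)
    # Defaults (user.info) are this example's assumption for entries lacking the fields.
    pri = int(e.get("SYSLOG_FACILITY", default_facility)) * 8 + int(e.get("PRIORITY", default_severity))
    us = int(e["__REALTIME_TIMESTAMP"])  # microseconds since the epoch, UTC
    ts = datetime.fromtimestamp(us // 10**6, timezone.utc).replace(microsecond=us % 10**6)
    msg = e.get("MESSAGE", "")
    if isinstance(msg, list):  # journalctl emits non-UTF-8 payloads as a byte array
        msg = bytes(msg).decode("utf-8", "replace")
    # Flatten control characters so an embedded newline cannot start a second record.
    msg = "".join(c if c.isprintable() else " " for c in msg)
    return "<%d>1 %s %s %s %s - - %s" % (
        pri, ts.strftime("%Y-%m-%dT%H:%M:%S.%fZ"), _hdr(e.get("_HOSTNAME"), 255),
        _hdr(e.get("SYSLOG_IDENTIFIER"), 48), _hdr(e.get("_PID"), 128), msg)

def send_udp(lines, collector, port=514):
    """Send one datagram per record; `collector` is a placeholder address."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        for line in lines:
            s.sendto(line.encode("utf-8"), (collector, port))

if __name__ == "__main__":
    for raw in SAMPLE:
        print(to_rfc5424(raw))
```

Plain UDP 514 carries these records unauthenticated and in clear text; the syslog-tls entries on port 6514 quoted from /etc/services are the protected transports.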