[systemd-devel] journal: question regarding retention options by priority/identifier/unit
Lukáš Nykrýn
lnykryn at redhat.com
Mon Aug 12 08:17:24 UTC 2024
Hello!
I only briefly tested this, but I believe you can use journal namespaces.
I tweaked the Service stanza in systemd-journald-audit.socket to
"systemd-journald@audit.service", restarted everything, and now I have audit
messages separated in /var/log/journal/4339da6539564b07a62c1604525309ff.audit
And since the instance can have a separate configuration file
(/etc/systemd/journald@audit.conf) you could set a different retention
policy there. Check the journald.conf manpage.
Lukas
On Sun, 11 Aug 2024 at 23:52, SCOTT FIELDS <Scott.Fields at kyndryl.com> wrote:
> In the syslogd configuration, you can arrange to have specific retention
> factors for a given class of information.
>
> AKA, I can have all kernel messages go to a specific file and that file
> can have a retention/rotation specified by size or date.
>
> For example, I can ensure I have 90 days of data for 'authpriv' level
> syslog data, if audit requires it. And that data would ONLY include
> 'authpriv' level data.
>
> I don't see any options in journald to limit the scope for 'system'
> journal data, when configured to be persistent.
>
> Are there any configuration options (or options in plan for the future)
> that will allow me to split this level of data into different managed
> storage with its own retention policies, much like how syslogd currently
> allows?
>
> The long term goal in this case is to deprecate syslogd for audit record
> retention (among other uses).
>
> Scott Fields
>
> Kyndryl
>
> Senior Lead SRE – BNSF
>
> 817-593-5038 (BNSF)
>
> scott.fields at kyndryl.com
>
> scott.fields at bnsf.com
>
>
>
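As an added example that is not part of the original thread: the setup described in the reply above, written out as a drop-in for the audit socket plus a configuration file for the "audit" namespace instance. The drop-in file name, the 90-day value (taken from the question) and the size limits are assumptions chosen for illustration, not values tested in the post.

```ini
# Added example, not from the original thread. The drop-in path follows the
# standard systemd drop-in convention; size values are constructed placeholders.

# --- /etc/systemd/system/systemd-journald-audit.socket.d/namespace.conf ---
# Hand the audit socket to the "audit" journal namespace instance
# instead of the default systemd-journald.service.
[Socket]
Service=systemd-journald@audit.service

# --- /etc/systemd/journald@audit.conf ---
# Read only by the systemd-journald@audit.service instance, so these
# limits do not affect the main system journal.
[Journal]
Storage=persistent
# Upper bound on age: journal files containing entries older than this
# are deleted. It does not guarantee that 90 days are kept.
MaxRetentionSec=90day
# Rotate daily so age-based deletion works at one-day granularity
# (deletion operates on whole archived files).
MaxFileSec=1day
# Size limits are enforced as well and can remove data before it is
# 90 days old; size them for the expected audit volume.
SystemMaxUse=20G
SystemKeepFree=2G
```

The separated stream can then be read with `journalctl --namespace=audit`. Because `MaxRetentionSec=` only caps the age of stored data, an audit requirement of a minimum retention period also depends on the size limits being large enough to hold that much data.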