<div dir="auto">So what are the cases where syslog forwards logs to the journal?<div dir="auto">Is there a case where both journal and syslog end up sending the same logs to each other (like a cycle), resulting in duplicate logs?<br><div dir="auto"><br></div><div dir="auto">Nishant</div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, 23 Aug 2021, 14:02 Mantas Mikulėnas, <<a href="mailto:grawity@gmail.com">grawity@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="auto"><div><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Aug 23, 2021, 11:19 Nishant Nayan <<a href="mailto:nayan.nishant2000@gmail.com" target="_blank" rel="noreferrer">nayan.nishant2000@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">I was using the logger command to see if the logs go to the journal, and they do; they go both to /var/log/messages (owned by syslog) and to the journal. How is it happening? Is it because the journal listens to /dev/log?</div></blockquote></div></div><div dir="auto"><br></div><div dir="auto">Journald listens to /dev/log and writes messages to its .journal files. Then a syslog daemon (rsyslogd or syslog-ng) receives the same messages *from* journald, in one of two ways, and writes them to /var/log/messages:</div><div dir="auto"><br></div><div dir="auto">a) The syslog daemon directly reads messages with full metadata from .journal files (e.g. 
in rsyslogd this is the imjournal module);</div><div dir="auto"><br></div><div dir="auto">or b) The syslog daemon listens on a completely separate socket in /run, and journald forwards all messages to that socket (without metadata) using the traditional syslog protocol.</div><div dir="auto"><br></div><div dir="auto"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>The following is from systemd-journald.socket:<div>[Socket]<br>ListenStream=/run/systemd/journal/stdout<br>ListenDatagram=/run/systemd/journal/socket<br>ListenDatagram=/dev/log<br></div></div><div><br></div><div>Also, can we edit 'systemd-journald.socket' so as not to listen to /dev/log? Just to see its behaviour.</div><div>I tried commenting out and removing 'ListenDatagram=/dev/log' and restarted the socket and journal service, but the logger log is still displayed in the journal.</div><div dir="auto"></div></div></blockquote></div></div><div dir="auto"><br></div><div dir="auto">Technically that should work? But don't use it for other reasons except testing, I'd say...</div><div dir="auto"><br></div><div dir="auto">Did you systemctl daemon-reload?</div><div dir="auto"><br></div><div dir="auto">Is /dev/log a real socket or a symlink? 
(In later systemd versions it's a symlink and the real socket is in /run.)</div><div dir="auto"><br></div><div dir="auto">If it's a real socket, does it get re-created after 'rm'?</div><div dir="auto"><br></div><div dir="auto"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div dir="auto"><br></div></div></blockquote></div></div><div dir="auto"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div dir="auto"><br></div><div><br></div><div>Nishant</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, 20 Aug 2021 at 16:43, Mantas Mikulėnas <<a href="mailto:grawity@gmail.com" rel="noreferrer noreferrer" target="_blank">grawity@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr">On Fri, Aug 20, 2021 at 2:11 PM Mantas Mikulėnas <<a href="mailto:grawity@gmail.com" rel="noreferrer noreferrer" target="_blank">grawity@gmail.com</a>> wrote:<br></div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr">On Fri, Aug 20, 2021 at 2:10 PM Nishant Nayan <<a href="mailto:nayan.nishant2000@gmail.com" rel="noreferrer noreferrer" target="_blank">nayan.nishant2000@gmail.com</a>> wrote:<br></div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr">Regarding the below point :<div><div>c) The service prints to stdout/stderr, but systemd attaches the service's stdout/stderr to a pipe which is read by journald (using sd_journal_stream_fd(3) from libsystemd). 
See [Service] StandardOutput= in systemd.service(5).</div><div><br></div></div><div>I did not see a StandardOutput field in the [Service] section of a service file, for example sshd.service, but its logs are visible in journalctl.</div><div>Is it by default piped to the journal, and we need to explicitly mention it (StandardOutput=) only when we want to redirect it somewhere else?</div></div></div></blockquote><div><br></div><div>StandardOutput=journal is the default setting.</div><div></div></div></div></blockquote></div><div><br></div><div>And, actually, sshd doesn't write its messages to stdout anyway – it uses syslog() via /dev/log; most daemons do.</div><div><br></div>-- <br><div dir="ltr"><div dir="ltr">Mantas Mikulėnas</div></div></div>
</blockquote></div>
</blockquote></div></div></div>
</blockquote></div>
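<div dir="auto">The checks raised in the reply above (is /dev/log a real socket or a symlink, which Listen lines are still active in the socket unit) together with a test of which of the two delivery paths an rsyslog configuration uses, as an added shell example that is not part of the original thread. The function names, the file paths used in report(), and the reliance on explicit module and ForwardToSyslog= lines are assumptions.</div>

```shell
#!/bin/sh
# Added example (not from the thread). Paths in report() are assumptions
# about a typical install; adjust them for your distribution.

# "Is /dev/log a real socket or a symlink?"
devlog_kind() {
    p=${1:-/dev/log}
    if [ -L "$p" ]; then echo "symlink -> $(readlink "$p")"
    elif [ -S "$p" ]; then echo "socket"
    elif [ -e "$p" ]; then echo "other"
    else echo "missing"
    fi
}

# Read unit text on stdin; print the paths it listens on, skipping commented lines.
unit_listens() {
    sed -n 's/^[[:space:]]*Listen[A-Za-z]*=[[:space:]]*//p'
}

# Which delivery path from the reply does this rsyslog config use?
#   a = imjournal reads the .journal files directly
#   b = imuxsock receives what journald forwards (ForwardToSyslog= enabled)
# Only explicit settings in the given files are examined; defaults are not guessed.
syslog_feed() {
    rsyslog_conf=$1 journald_conf=$2 feed=""
    if grep -Eq '^[[:space:]]*(module\(load="imjournal"|\$ModLoad[[:space:]]+imjournal)' "$rsyslog_conf"; then
        feed="a"
    fi
    if grep -Eq '^[[:space:]]*(module\(load="imuxsock"|\$ModLoad[[:space:]]+imuxsock)' "$rsyslog_conf" &&
       grep -Eiq '^[[:space:]]*ForwardToSyslog=(yes|true|on|1)' "$journald_conf"; then
        feed="${feed}b"
    fi
    echo "${feed:-none}"
}

report() {
    echo "/dev/log: $(devlog_kind /dev/log)"
    echo "systemd-journald.socket listens on:"
    systemctl cat systemd-journald.socket | unit_listens
    echo "syslog feed: $(syslog_feed /etc/rsyslog.conf /etc/systemd/journald.conf)"
}

# Run "sh thisfile --report" on a live system; sourcing it only defines the functions.
if [ "${1:-}" = "--report" ]; then report; fi
```

<div dir="auto">A result of "ab" from syslog_feed means both delivery paths are configured at once, which is the setup to look at first when the same line shows up twice in /var/log/messages.</div>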