I want to log journald logs to a file so I can later on fetch it and send it to Logstash. I thought about running syslog-ng and making it a client of journald, so I'd get syslog files.
I'm using Docker containers on a CoreOS machine, so I tried to run syslog-ng as a container in the CoreOS docker host, creating a systemd unit that executes the container.
I followed this page to get syslog in systemd, but if I try to make my syslog-ng container directly read from the syslog socket in the host (by mounting it with a docker volume), it complains about "Address already in use".
So I have journald logging, a container with syslog-ng running, but I don't know how to get journald logs inside syslog-ng.
My alternative solution to get journald logs in a file is to run a systemd unit that executes journalctl -f --json | tee -a /var/log/systemd, but I'm not sure about the reliability of this solution. Is this a good enough solution?
Best Answer
I do realize this question is a little dated, but it is one of the first search results on Google. That and the --json option does not seem to work for me and does not show up in the man pages.
I looked at the man page for journalctl and there is an option named --no-tail, which will just output the data directly to std, where it can be piped into another application or file.
In my case I wanted my ssh logs from today so executed this:
journalctl -u sshd -S today --no-tail > main.log
Technical explanation: get all logs from today which are from the unit sshd; the > then outputs this to a file.
In your case I believe this is what you are wanting:
journalctl --no-tail > test.log
This was tested in Arch Linux.
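Added example (not part of the answer above, and not systemd's own code): one way to address the question's reliability concern is to export with journalctl's JSON output (`-o json`) and resume each run from the last `__CURSOR` via `--after-cursor`, so no entry is skipped or duplicated. The function names, the record layout and the sample entries are assumptions constructed for illustration.

```python
import json
import subprocess
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# Constructed sample of `journalctl -o json` output (one JSON object per line).
SAMPLE = [
    '{"__CURSOR":"s=a;i=1","__REALTIME_TIMESTAMP":"1700000000000000",'
    '"_SYSTEMD_UNIT":"sshd.service","MESSAGE":"Accepted publickey for core"}',
    '{"__CURSOR":"s=a;i=2","__REALTIME_TIMESTAMP":"1700000001500000",'
    '"_SYSTEMD_UNIT":"sshd.service","MESSAGE":[70,97,105,108,101,100,32,255]}',
    '{"__CURSOR":"s=a;i=3","__REALTIME_TIMES',  # line cut off mid-write
]

def journal_cmd(unit=None, after_cursor=None):
    """Build the journalctl argv, resuming after the last exported entry."""
    cmd = ["journalctl", "--no-pager", "-o", "json"] + (["-u", unit] if unit else [])
    if after_cursor:
        cmd.append("--after-cursor=" + after_cursor)
    return cmd

def decode_message(value):
    """Non-UTF-8 MESSAGE arrives as a list of byte values, oversized as null."""
    if isinstance(value, list):
        return bytes(value).decode("utf-8", errors="replace")
    return "" if value is None else str(value)

def convert(lines, cursor=None):
    """Return (flat records, cursor of the last complete entry)."""
    records = []
    for line in filter(None, map(str.strip, lines)):
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            break  # incomplete line: stop so the cursor never skips an entry
        stamp = EPOCH + timedelta(microseconds=int(entry["__REALTIME_TIMESTAMP"]))
        records.append({"@timestamp": stamp.isoformat(),
                        "unit": entry.get("_SYSTEMD_UNIT", ""),
                        "message": decode_message(entry.get("MESSAGE"))})
        cursor = entry["__CURSOR"]
    return records, cursor

def export(out_path, cursor, unit=None):
    """Append entries newer than `cursor` to out_path; return the new cursor."""
    run = subprocess.run(journal_cmd(unit, cursor), capture_output=True, text=True, check=True)
    records, cursor = convert(run.stdout.splitlines(), cursor)
    with open(out_path, "a", encoding="utf-8") as out:
        out.writelines(json.dumps(r) + "\n" for r in records)
    return cursor
```

Persist the cursor returned by `export` between runs (for example in a small state file) and pass it back in on the next run.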