Linux – Journalctl and syslog: How does it actually work?


I'm having a hard time understanding how logging works on Linux.

Since the inclusion of systemd, it seems a bit easier, but I still have a couple of concepts that I still can't fully understand.

Given a system with journalctl, I want to send some log messages to a remote host.
For this purpose, I installed rsyslog and configured freeradius so it outputs its logs to local3, and then configured rsyslog to forward those messages under local3 to the remote syslog server.
Now, are the system logs shared between rsyslog and journalctl? Can this cause a conflict of any kind?

Aside from this: Who controls what is being written to /var/log/messages? And how can a certain app output its logs to this file? Is it managed by rsyslog? By systemd?

If anyone can help me understand the whole Linux logging service, it would be nice.

Best Answer

The link(s) between journald and rsyslog is controlled on the rsyslog side through the use of its input and output modules; there is an imjournal and omjournal for reading from and writing to the journal respectively.

So if you write something to rsyslog, it will only appear in journald if you've configured the omjournal module.

rsyslog "owns" /var/log/messages; the usual syslog API will allow applications to write to it. Journal messages can also end up there, if the imjournal module is configured.

This short RHEL guide explains things in pretty much the same way.
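An rsyslog configuration sketch for the setup described in the question, added here as an example and not part of the original answer. The file name, the target host `logs.example.com`, port 514 and the queue file name are assumptions.

```conf
# /etc/rsyslog.d/10-radius-forward.conf  (hypothetical file name)

# journald -> rsyslog: pull journal entries into rsyslog's rule processing.
# Without an input such as imjournal, journal-only messages never reach
# rsyslog's files or forwarders.
module(load="imjournal" StateFile="imjournal.state")

# Messages that freeradius tags with facility local3 are forwarded to the
# remote syslog server. Target and port are placeholders.
local3.* action(
    type="omfwd"
    target="logs.example.com"
    port="514"
    protocol="tcp"
    # Disk-assisted queue: buffer messages while the remote host is
    # unreachable instead of dropping them.
    queue.type="LinkedList"
    queue.filename="fwd_local3"
    queue.saveOnShutdown="on"
    action.resumeRetryCount="-1"
)

# RHEL-style default rule: rsyslog, not systemd, writes /var/log/messages.
# local3 also matches *.info, so the freeradius messages land here too;
# append ";local3.none" to the selector to keep them out of this file.
*.info;mail.none;authpriv.none;cron.none    /var/log/messages

# rsyslog -> journald: only needed if messages that entered through rsyslog
# should also show up in journalctl. Restrict it to inputs other than
# imjournal, otherwise journal entries are written back to the journal
# they were read from.
# module(load="omjournal")
# if $inputname == "imtcp" then action(type="omjournal")
```

Running `rsyslogd -N1` checks the configuration syntax before the service is restarted.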
