Ubuntu – Relationship of rsyslog and journald on Ubuntu 16.04

16.04loggingrsyslogserversystemd-journald

I am running what is a vanilla Ubuntu 16.04 server, and I'm trying to wrap my head around how logging is set up by default. I can see that both journald and rsyslog are installed and running, but it's not at all clear to me how log messages are being processed.

Most messages seem to show up both in /var/log/syslog and via journalctl, but I can't see any explicit configuration for forwarding between the two in either /etc/systemd/journald.conf (which is basically all commented out by default), /etc/rsyslog.conf or /etc/rsyslog.d/50-default.conf.
I tried to look for official documentation, or even a blog post explaining how hese two are set up in Ubuntu, but haven't managed to find anything.

~~To further add to my confusion, I have executed logger -p local1.info Test on the host, and found that nothing was written to /var/log/syslog, while the message did show up under journalctl.~~

My questions are:

How exactly do journald and rsyslog work together on Ubuntu 16.04 (by default)?
~~How come messages sent from logger seemingly end up in the journal, but not in syslog?~~

Update: Turns out logger not working as expected was a mistake on my end, so it's not relevant to the main question.

Best Answer

By default rsyslog is using "imuxsock" module, the module provides:

the ability to accept syslog messages via local Unix sockets. Most importantly, this is the mechanism by which the syslog(3) call delivers syslog messages to rsyslogd [1].

It is possible for rsyslog to import structured log messages from systemd-journal using a module named "imjournal" [2].

It can be load like:

module(load="imjournal")

in:

/etc/rsyslog.conf

In the other hand "systemd-journald" captures all data itself:

man systemd-journald

systemd-journald is a system service that collects and stores logging data. It creates and maintains structured, indexed journals based on logging information that is received from a variety of sources:
   ·   Kernel log messages, via kmsg
   ·   Simple system log messages, via the libc syslog(3) call
   ·   Structured system log messages via the native Journal API, 
       see sd_journal_print(4)
   ·   Standard output and standard error of system services
   ·   Audit records, via the audit subsystem

You can disable rsyslogd while you still have access to system logs using journalctl.

$ sudo systemctl mask rsyslogd
$ sudo systemctl stop syslog.socket
$ sudo systemctl stop rsyslog.service
$ systemctl is-active rsyslog.service 
inactive
$ logger -p mail.info Helllooo
$ journalctl

For example, centos is using "imuxsock" module to capture all "systemd-journald" data via rsyslog while opensuse does not have "syslog" at all.

To find out why your message didn't end up to /var/log/syslog, you should check this file:

less /etc/rsyslog.d/50-default.conf

look for *.info, see where they will be stored, it might be an other file like messages.

For me it show up in both journalctl and syslog.

Message storage locations

journald message storage

When it's time to clean up older messages in journald (I do it monthly) you can see the files where messages are stored:

Deleted archived journal /var/log/journal/1ff17e6df1874fb3b2a75e669fa978f1/system@00059368465fc63c-5ca08f36fa6e6f04.journal~ (32.0M).
Deleted archived journal /var/log/journal/1ff17e6df1874fb3b2a75e669fa978f1/user-1000@0005936848a6d1ec-316ff74be646031e.journal~ (8.0M).

As you can see the file names are very long and cryptic.

syslog message storage

syslog messages are kept in a more traditional filename format:

$ ll /var/log/syslog*
-rw-r----- 1 syslog adm   2161 Nov 29 04:47 /var/log/syslog
-rw-r----- 1 syslog adm 159700 Nov 29 04:32 /var/log/syslog.1
-rw-r----- 1 syslog adm  24466 Nov 28 04:27 /var/log/syslog.2.gz
-rw-r----- 1 syslog adm  23489 Nov 27 04:30 /var/log/syslog.3.gz
-rw-r----- 1 syslog adm  28087 Nov 26 04:28 /var/log/syslog.4.gz
-rw-r----- 1 syslog adm  28300 Nov 25 04:30 /var/log/syslog.5.gz
-rw-r----- 1 syslog adm  27445 Nov 24 05:36 /var/log/syslog.6.gz
-rw-r----- 1 syslog adm  27460 Nov 23 08:25 /var/log/syslog.7.gz

The filenames ending in .gz have compressed data to save space on disk.

Messages recorded are not the same

A quick test reveals the two message logging systems aren't exact duplicates. We'll put a message into the system with logger command and then search for it and display the five lines before it.

$ logger $0 "ygoe to two logs?"

$ cat /var/log/syslog | grep ygoe -a5
Nov 27 20:53:35 alien upowerd[2032]: message repeated 3 times: [ (upowerd:2032): UPower-Linux-WARNING **: treating change event as add on /sys/devices/pci0000:00/0000:00:14.0/usb1/1-9/1-9:1.2/0003:046D:C52B.017E/0003:046D:101A.017F/power_supply/hidpp_battery_63]
Nov 27 20:54:23 alien upowerd[2032]: (upowerd:2032): UPower-Linux-WARNING **: treating change event as add on /sys/devices/pci0000:00/0000:00:14.0/usb1/1-9/1-9:1.2/0003:046D:C52B.017E/0003:046D:2010.0180/power_supply/hidpp_battery_64
Nov 27 20:59:25 alien wpa_supplicant[1591]: wlp60s0: WPA: Group rekeying completed with ae:20:2e:cc:94:50 [GTK=CCMP]
Nov 27 21:00:02 alien CRON[24890]: (root) CMD (/usr/bin/updatedb)
Nov 27 21:07:48 alien upowerd[2032]: (upowerd:2032): UPower-Linux-WARNING **: treating change event as add on /sys/devices/pci0000:00/0000:00:14.0/usb1/1-9/1-9:1.2/0003:046D:C52B.017E/0003:046D:2010.0180/power_supply/hidpp_battery_64
Nov 27 21:08:22 alien rick: bash ygoe to two logs?

$ journalctl -xe | grep ygoe -a5
Nov 27 20:59:25 alien wpa_supplicant[1591]: wlp60s0: WPA: Group rekeying completed with ae:20:2e:cc:94:50 [GTK=CCMP]
Nov 27 21:00:01 alien CRON[24881]: pam_unix(cron:session): session opened for user root by (uid=0)
Nov 27 21:00:01 alien CRON[24890]: (root) CMD (/usr/bin/updatedb)
Nov 27 21:00:04 alien CRON[24881]: pam_unix(cron:session): session closed for user root
Nov 27 21:07:48 alien upowerd[2032]: (upowerd:2032): UPower-Linux-WARNING **: treating change event as add on /sys/devices/pci0000:00/0000:00:14.0/usb1/1-9/1-9:1.2/0003:046D:C52B.017E/0003:046D:2010.0180/power_supply/hidpp_battery_64
Nov 27 21:08:22 alien rick[8000]: bash ygoe to two logs?

As you can see journalctl provides more details than syslog. Additionally journalctl:

gives you more control on searches.
Provides quicker multiple boot log access (once you enable it: How to find previous boot log after Ubuntu 16.04+ restarts?)
More options for controlling size of logs: Systemd logs (`journalctl`) are too large and slow

There was debate among developers about duplicating journald and syslog a few years ago however, I couldn't find the link just now.

Best Answer

Related Solutions

Ubuntu – rsyslog server saves logs from remote also in /var/syslog

Ubuntu – Where do log messages go with journald and rsyslog

Message storage locations

journald message storage

syslog message storage

Messages recorded are not the same

Related Question