Pulling log messages for a particular log in systemd journal

cjournalingsystemd

I was wondering if it is possible to pull log messages for a particular log with systemd's journal logging. For example, when I open a log in C, openlog('slog', LOG_CONS | LOG_PID, LOG_LOCAL1), to pull just messages logged under 'slog' or LOCAL1?

When I do something like journalctl -u slog or journalctl -u LOG_LOCAL1, it just tells me when the log begins and ends, not the actual log messages.

Best Answer

Yes, it is possible, but you passed the wrong switch to journalctl.

According to journalctl(1) man page:

To read messages with a given syslog identifier (say, "foo"), issue journalctl -t foo or journalctl SYSLOG_IDENTIFIER=foo;
To read messages with a given syslog facility, issue journalctl SYSLOG_FACILITY=1 (note that facilities are stored and matched using their numeric values).

More generally, the syslog identifier and facility are stored in the journal as separate fields (SYSLOG_IDENTIFIER and SYSLOG_FACILITY). If you ever need to access the journal from, say, the C API, you will have to add matches on these fields directly.

The journalctl -u switch is used to add a match on the name of a systemd unit which owned the process which has generated the message. So this is the wrong switch to use.

Related Solutions

Fedora – How to get access to the root journal for systemd

The systemd-journald man page explains how journal access control is done:

Journal files are, by default, owned and readable by the "systemd-journal"
system group but are not writable. Adding a user to this group thus enables
her/him to read the journal files.

By default, each logged in user will get her/his own set of journal files in
/var/log/journal/. These files will not be owned by the user, however, in order
to avoid that the user can write to them directly. Instead, file system ACLs
are used to ensure the user gets read access only.

Additional users and groups may be granted access to journal files via file
system access control lists (ACL).

Fedora 20 uses ACLs to give users in the adm and wheel groups read access to all the journals.

how to give a normal user also access to the root journal?

Run setfacl -n -m u:username:r /var/log/journal/*/system.journal .

how to get list which journals are available for a given user?

You can su to the user and run journalctl --header|grep '^File Path' to see the names of the journals he or she has access to.

getfacl can be used to see which groups and users have access to journal files. I don't know of a simple way to list the files that are readable by a specific user.

Centos – How to get the standard output/error of a service, controlled by systemd on EL7, to go somewhere other than /var/log/messages

That article looks like nonsense, putting the blame on other software for problems caused by systemd's hostile takeover of logging functions. It even mentions the solution (syslog) but only as a means to suggesting massive overkill like logstash.

You don't need logstash to log a handful of daemons on a single host.

From the article:

And by default when it does this, stdout is redirected to the journal. The journal in turn is sent to syslog by default, which on RedHat 7 compatible distros will end up in /var/log/messages.

It then completely ignores the obvious and sensible option of configuring rsyslogd and implies that logstash and elasticsearch are the only options if you want to do something that journald can't do.

Modern syslog daemons, such as rsyslog and syslog-ng can be configured to filter syslog messages by all sorts of criteria, including daemon name and regex pattern match. The default may be /var/log/messages, but it is trivially easy to change the default.

So what you need are some rsyslog rules for filtering syslog messages from your service.

Take whatever systemd advocates say about logging with a huge grain of salt - they like to pretend that journald was necessary because logging before that was primitive and inflexible, that they were solving a problem nobody had even thought about before let alone solved several times over.

Also, BTW, the correct way for a program to do logging is neither stdout nor stderr, it's by using the syslog functions that are available in most languages.

Best Answer

Related Solutions

Fedora – How to get access to the root journal for systemd

Centos – How to get the standard output/error of a service, controlled by systemd on EL7, to go somewhere other than /var/log/messages

Related Question