
I'm seeing an issue on an Ubuntu 16.04 box where the copying/forwarding of journal messages to /var/log/syslog seems to be delayed:

    theuser@host:/etc/systemd$ sudo journalctl -n 1 && sudo tail -n 1 /var/log/syslog
    -- Logs begin at Wed 2018-12-12 09:52:03 CST, end at Fri 2018-12-14 08:41:20 CST. --
    Dec 14 08:41:20 host sudo[26760]: pam_unix(sudo:session): session opened for user root by theuser(uid=0)
    Dec 14 07:40:12 host sudo[2574]: *log message snipped*

I've confirmed that /etc/systemd/journald.conf has not set ForwardToSyslog=no (the default value of yes is presumably being used).

The problem appears sporadically, and usually seems to be resolved by rebooting, but I was hoping to maybe get some suggestions on what I should check into / what might be causing this so I could poke around on a system currently experiencing the issue.

One other piece of probably-relevant information is that I'm using rsyslog to forward logs from /var/log/syslog to an external log aggregation service.

Any tips on what I should check into?

Jordan0Day

  • I can't tell from the example how long the lag is. Are you talking about seconds, minutes, hours or days? – Mark Stosberg Dec 17 '18 at 15:51
  • Sorry I didn't make it clearer. At the point I took those logs, the latest journald entry was from 8:41:20, while the latest syslog entry was from 7:40:12, so the lag is about an hour. – Jordan0Day Dec 17 '18 at 16:08
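The lag worked out by hand in the comments can be measured repeatedly on an affected host. The following is an added example, not part of the original post: it parses the output of the two commands from the question and returns the gap between the newest journal entry and the newest syslog line. It assumes both sources print the traditional year-less syslog timestamp, as in the session above; the function names are hypothetical.

```python
import re
from datetime import datetime, timedelta

# Output copied from the question (journalctl -n 1, then tail -n 1 /var/log/syslog).
JOURNAL_SAMPLE = """\
-- Logs begin at Wed 2018-12-12 09:52:03 CST, end at Fri 2018-12-14 08:41:20 CST. --
Dec 14 08:41:20 host sudo[26760]: pam_unix(sudo:session): session opened for user root by theuser(uid=0)
"""
SYSLOG_SAMPLE = "Dec 14 07:40:12 host sudo[2574]: *log message snipped*\n"

# Traditional syslog prefix: "Mon DD HH:MM:SS " (day may be space-padded).
_STAMP = re.compile(r"^([A-Z][a-z]{2}) +(\d{1,2}) (\d{2}:\d{2}:\d{2}) ")


def parse_stamp(line, now):
    """Return the datetime of a syslog-style line, or None if it has no stamp.

    The format carries no year, so the year comes from `now`. A stamp that
    would land in the future (a Dec 31 line read on Jan 1) gets last year.
    """
    m = _STAMP.match(line)
    if not m:
        return None  # e.g. the "-- Logs begin at ..." banner
    mon, day, clock = m.groups()
    for year in (now.year, now.year - 1):
        ts = datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
        if ts <= now + timedelta(days=1):
            break
    return ts


def newest_stamp(text, now):
    """Timestamp of the last timestamped line in a block of command output."""
    stamps = [s for s in (parse_stamp(l, now) for l in text.splitlines()) if s]
    if not stamps:
        raise ValueError("no timestamped line found")
    return stamps[-1]


def forwarding_lag(journal_out, syslog_out, now=None):
    """How far /var/log/syslog trails the journal, as a timedelta."""
    now = now or datetime.now()
    return newest_stamp(journal_out, now) - newest_stamp(syslog_out, now)


if __name__ == "__main__":
    when = datetime(2018, 12, 14, 8, 41, 30)  # just after the capture
    print("syslog trails journal by", forwarding_lag(JOURNAL_SAMPLE, SYSLOG_SAMPLE, when))
```

Run periodically against live command output, a lag that keeps growing points at the forwarding path rather than at a quiet system, since the journal side keeps advancing.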

0 Answers