7

I'm having a hard time understanding how logging works on Linux.

Since the inclusion of systemd, it seems a bit easier, but I still have a couple of concepts that I can't fully understand.

Given a system with journalctl, I want to send some log messages to a remote host. For this purpose, I installed rsyslog and configured freeradius so it outputs its logs to local3, and then configured rsyslog to forward those messages under local3 to the remote syslog server. Now, are the system logs shared between rsyslog and journalctl? Can this cause a conflict of any kind?

Aside from this: who controls what is being written to /var/log/messages, and how can a certain app output its logs to this file? Is it managed by rsyslog? By systemd?

If anyone can help me understand the whole Linux logging service, it would be nice.

RedNano

2 Answers

9

The link(s) between journald and rsyslog is controlled on the rsyslog side through the use of its input and output modules; there is an imjournal and omjournal for reading from and writing to the journal respectively.

So if you write something to rsyslog, it will only appear in journald if you've configured the omjournal module.

rsyslog "owns" /var/log/messages; the usual syslog API will allow applications to write to it. Journal messages can also end up there, if the imjournal module is configured.

This short RHEL guide explains things in pretty much the same way.

bodgit
  • 3
    The RHEL guide is a dead link. https://www.golinuxcloud.com/systemd-journald-how-logging-works-rhel-7/ seems to have OK info. – stolenmoment Aug 18 '20 at 18:24
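
An added example (not part of the answer above, and not any distribution's shipped file) of a minimal /etc/rsyslog.conf for the setup in the question: local messages are read from the journal through imjournal, local3 is forwarded to a remote server, and general messages go to /var/log/messages. The remote host `logs.example.com`, the port, the queue file name and the work directory are assumptions.

```conf
# /etc/rsyslog.conf (sketch; host, port and paths below are assumed values)

# Where rsyslog keeps state such as the journal cursor and queue spool files.
global(workDirectory="/var/lib/rsyslog")

# Read local messages from the systemd journal. The state file records the
# journal position so a restart does not re-import old entries.
module(load="imjournal" StateFile="imjournal.state")

# Keep the unix-socket input loaded but do not listen on the system log
# socket: local messages already arrive through imjournal, and reading both
# would deliver each message to rsyslog twice.
module(load="imuxsock" SysSock.Use="off")

# freeradius is configured to log to facility local3. Forward that facility
# to the remote syslog server over TCP, with a disk-assisted queue so
# messages are kept while the server is unreachable.
# Plain TCP forwarding is neither encrypted nor authenticated.
local3.* action(type="omfwd"
                target="logs.example.com" port="514" protocol="tcp"
                queue.type="LinkedList" queue.filename="fwd_local3"
                queue.saveOnShutdown="on"
                action.resumeRetryCount="-1")

# rsyslog, not journald, writes /var/log/messages. local3 messages match
# *.info as well, so they are also stored here; append ";local3.none" to the
# selector to keep them out of the local file.
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
```

With this layout the journal remains the single intake for local messages, and `journalctl` and /var/log/messages show the same events from two independent stores.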
0

Systems with journalctl are journalling systems, which means that they use the journal to work with all syslog entries. By default, these systems don't write logs to /var/log/secure, /var/log/maillog, /var/log/messages...

Systems with rsyslog write syslog entries to specific files in the /var/log directory. The settings for these entries (which logs go to which files) are written in /etc/rsyslog.conf.

Both use the syslog protocol, but can share. So it will be OK if you use rsyslog and journalctl on the same machine without any problems.

  • *Systems with journalctl are journalling systems, which means that they used journal to work with all syslog entries. Default, this systems don't write logs to /var/log/secure, /var/log/maillog/ /var/log/messages...* I'm not sure this is universally correct. I am fairly sure that, while journalctl allows reading various log files, the default configuration still logs to /var/log/secure and /var/log/messages. We may be seeing a difference between distributions. RHEL 7 uses rsyslog to capture logs (and forward them as in OP's case). Journalctl provides another method of reading those logs. – Jeter-work Mar 18 '20 at 16:05