Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

systemd-journal() source vs syslog forwarding #314

Closed
algernon opened this issue Nov 26, 2014 · 6 comments
Closed

systemd-journal() source vs syslog forwarding #314

algernon opened this issue Nov 26, 2014 · 6 comments

Comments

@algernon
Copy link
Contributor

With syslog-ng 3.6, the default for the system() source is to use the systemd-journal() source when running under systemd. This works beautifully, except for one thing:

Nov 26 10:41:05 eowyn systemd-journal[14843]: Forwarding to syslog missed 1343 messages.

If syslog forwarding is enabled (on Debian, it is by default), then the Journal expects something to read from /run/systemd/journal/syslog, and will spam the log with messages like the one above if there's no reader.

One option would be to prefer the forwarded socket over the journal if both are present (easy to do, but we loose the nice things the journal collects for us), another would be to make it configurable, so Debian could opt for the forwarded socket, while others may choose something else. This would be a tad complicated, though.

A third option would be to have something like the following generated, when both journal and forwarding is detected:

channel { 
  source { unix-dgram("/run/systemd/journal/syslog" flags(no-parse)); }; 
  destination { }; 
};

This would consume the forwarded socket, and drop it on the floor. But that looks terrible in stats, and is a gross hack anyway. But this'd get us the nice things from the journal, and would get rid of the spam too.

I have asked systemd upstream for hints on how to solve this issue, but I'm documenting the problem here too. You can follow the thread for answers.

@algernon
Copy link
Contributor Author

One idea there was that if journald gains support for journald.conf.d/ directories, we can just drop an override there. A patch doing that was proposed on October 29, but got no replies yet (I bumped it).

If that does not happen, then the best course of action would be to prefer the forwarder and emit a warning, so the admin can turn forwarding off.

@bazsi
Copy link
Collaborator

bazsi commented Nov 27, 2014

I would still prefer the journal and dumping forwarder events to the floor.
On Nov 26, 2014 1:28 PM, "Gergely Nagy" notifications@github.com wrote:

One idea there was that if journald gains support for journald.conf.d/
directories, we can just drop an override there. A patch doing that was
proposed on October 29, but got no replies yet (I bumped it).

If that does not happen, then the best course of action would be to prefer
the forwarder and emit a warning, so the admin can turn forwarding off.


Reply to this email directly or view it on GitHub
#314 (comment).

@algernon
Copy link
Contributor Author

Works for me. I'll amend the patch. (Still need to test whether the unit file needs updates too, though, but that will likely have to be Debian specific)

@algernon
Copy link
Contributor Author

#315 updated, it now adds the journald source unconditionally (when under systemd), but if forwarding is enabled, drops those on the floor after displaying a warning.

As noted there, this is only lightly tested at the moment, and other changes may be required.

@ihrwein
Copy link
Contributor

ihrwein commented Nov 27, 2014

Please, check #316.

If we don't say to systemd, that we need the compatibility socket, it won't create it so we won't get these kinds of messages.

@algernon
Copy link
Contributor Author

#316 fixes this.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants