New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
systemd-journal() source vs syslog forwarding #314
Comments
One idea there was that if journald gains support for If that does not happen, then the best course of action would be to prefer the forwarder and emit a warning, so the admin can turn forwarding off. |
I would still prefer the journal and dumping forwarder events to the floor.
|
Works for me. I'll amend the patch. (Still need to test whether the unit file needs updates too, though, but that will likely have to be Debian specific) |
#315 updated, it now adds the journald source unconditionally (when under systemd), but if forwarding is enabled, drops those on the floor after displaying a warning. As noted there, this is only lightly tested at the moment, and other changes may be required. |
Please, check #316. If we don't say to systemd, that we need the compatibility socket, it won't create it so we won't get these kinds of messages. |
#316 fixes this. |
With syslog-ng 3.6, the default for the
system()
source is to use thesystemd-journal()
source when running under systemd. This works beautifully, except for one thing:If syslog forwarding is enabled (on Debian, it is by default), then the Journal expects something to read from
/run/systemd/journal/syslog
, and will spam the log with messages like the one above if there's no reader.One option would be to prefer the forwarded socket over the journal if both are present (easy to do, but we loose the nice things the journal collects for us), another would be to make it configurable, so Debian could opt for the forwarded socket, while others may choose something else. This would be a tad complicated, though.
A third option would be to have something like the following generated, when both journal and forwarding is detected:
This would consume the forwarded socket, and drop it on the floor. But that looks terrible in stats, and is a gross hack anyway. But this'd get us the nice things from the journal, and would get rid of the spam too.
I have asked systemd upstream for hints on how to solve this issue, but I'm documenting the problem here too. You can follow the thread for answers.
The text was updated successfully, but these errors were encountered: