[Feature request] Journal forwarding from remote instances

Question

[Feature request] Journal forwarding from remote instances

Opened this issue 6 years ago · 4 comments

It would be great to have such a feature, when netlogd forwards /var/log/journal/remote messages.

Answer 1 · 2019-04-09T11:57:14.000Z

What is the use case of this ?

Answer 2 · 2019-04-11T08:15:34.000Z

Let's assume we want to create some centralised log collection from multiple docker-enabled hosts. For convenience we have to use journald logging driver on every docker host (or docker logs won't work locally). So, now we have multiple options: to send journald logs to some journald-enabled host, to pass journald to local syslog and send them via syslog proto or to install (build on every host as no distributions provide corresponding package atm) netlogd on every machine. For me the best option is to pass all the logs as is to centralised journald and, from there to pass them on for analysis via standard syslog (netlogd is extremely helpful here). So if it's possible pass all collected logs from all the hosts via syslog/netlogd, it would be great!

Answer 3 · 2019-04-12T06:09:50.000Z

/var/log/journal/remote is created by systemd-journal-remote which is a extra package. If I get this right

H1 --------------------------->---------|
H2 ------------------------->-----------| CH---------------------- centralised syslog
H3---------------------->----------------|

why not directly store and eliminate the centralised journald. In that way you don;t need a centralized
journald-remote.

H1 --------------------------->---------
H2 ------------------------->----------- centralised syslog
H3---------------------->----------------

Answer 4 · 2019-04-12T07:43:33.000Z

It's mostly about protocols. In my case, all the analytics are bound to syslog... So it's either netlogd on every machine (additional build-time deps, build is slightly distro-dependent) or local forwarding docker journald driver->journald->syslog->syslog-remote. Centralized storage with journald seems a little bit more convenient for me-almost no setup on each node, journald-remote is in every distro's repo, http transport. There is no doubt, there are other options to achieve what I'm looking for, but it would be easier imo with a nice little tool like netlogd. Thanks!