Comment 3 for bug 1761630

Looking at systemd-journald-dev-log.socket, it creates /run/systemd/journal/dev-log socket, and that unit specifies Symlink to take over /dev/log. And has been doing so since at least xenial (check in a LXD container).

In journald.conf it has set #ForwardToSyslog=yes, which forwards to this socket:

$ sudo fuser -v /run/systemd/journal/syslog
                     USER PID ACCESS COMMAND
/run/systemd/journal/syslog:
                     root 1 F.... systemd
                     syslog 2023 F.... rsyslogd

Which is owned by rsyslogd. Hence, e.g. my /var/log/syslog is populated.

I see that most things configured in /etc/rsyslog.d/50-default.conf, are not getting populated... which is not good:

/var/log/auth.log
/var/log/kern.log
/var/log/mail.log
/var/log/mail.err

All appear to be empty. I guess i need to compare this with Trusty, figure out what's wrong, add an autopkgtest which tests for this, and tests things.

All entries have PRIORITY, SYSLOG_FACILITY, SYSLOG_IDENTIFIER set... since journal must set that upon message arrival, in case it will forward these to the real syslog. To view thing that arrived via syslog protocol, one should filter on the _TRANSPORT field instead.

E.g. The below command shows the syslog stuff
$ journalctl _TRANSPORT=syslog

BTW. All options for _TRANSPORT field are shown below
$ journalctl -F _TRANSPORT
stdout
syslog
journal
driver
audit
kernel

One can filter on severity levels, using syslog keywords for them, e.g. 'crit' using the -p option.

$ journalctl -p crit

On my machine that prints a lot of stuff from consolekit.... no idea why i still have consolekit installed. Maybe we should be force purging it these days on upgrades?

It is sad that one cannot specify logical facility names, as listed in syslog(3) under Values for facility LOG_AUTH..LOG_UUCP.

I'm not sure if we are allowed to forward audit & kernel messages.