Looking at systemd-journald-dev-log.socket, it creates /run/systemd/journal/dev-log socket, and that unit specifies Symlink to take over /dev/log. And has been doing so since at least xenial (check in an LXD container).
In journald.conf it has set #ForwardToSyslog=yes, which forwards to this socket:
$ sudo fuser -v /run/systemd/journal/syslog
                     USER        PID ACCESS COMMAND
/run/systemd/journal/syslog:
                     root          1 F.... systemd
                     syslog     2023 F.... rsyslogd
Which is owned by rsyslogd. Hence, e.g. my /var/log/syslog is populated.
I see that most things configured in /etc/rsyslog.d/50-default.conf, are not getting populated... which is not good:
/var/log/auth.log
/var/log/kern.log
/var/log/mail.log
/var/log/mail.err
All appear to be empty. I guess I need to compare this with Trusty, figure out what's wrong, add an autopkgtest which tests for this, and tests things.
All entries have PRIORITY, SYSLOG_FACILITY, SYSLOG_IDENTIFIER set... since journal must set that upon message arrival, in case it will forward these to the real syslog. To view things that arrived via syslog protocol, one should filter on the _TRANSPORT field instead.
E.g. The below command shows the syslog stuff
$ journalctl _TRANSPORT=syslog
BTW. All options for _TRANSPORT field are shown below
$ journalctl -F _TRANSPORT
stdout
syslog
journal
driver
audit
kernel
One can filter on severity levels, using syslog keywords for them, e.g. 'crit' using the -p option.
$ journalctl -p crit
On my machine that prints a lot of stuff from consolekit.... no idea why I still have consolekit installed. Maybe we should be force purging it these days on upgrades?
It is sad that one cannot specify logical facility names, as listed in syslog(3) under Values for facility LOG_AUTH..LOG_UUCP.
I'm not sure if we are allowed to forward audit & kernel messages.
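
An added example, not part of the original comment: it maps syslog(3) facility names to the numeric SYSLOG_FACILITY values the journal stores, and tallies from `journalctl -o json` lines how many entries each of the log files named above should have received. The routing table and the sample entries are assumptions constructed for illustration, not read from the real /etc/rsyslog.d/50-default.conf.

```python
import json
from collections import Counter

# Facility codes as listed in syslog(3): LOG_KERN=0 .. LOG_FTP=11, LOG_LOCAL0..7=16..23.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog",
              "lpr", "news", "uucp", "cron", "authpriv", "ftp"]
FACILITY_CODE = {name: code for code, name in enumerate(FACILITIES)}
FACILITY_CODE.update({f"local{i}": 16 + i for i in range(8)})
FACILITY_NAME = {code: name for name, code in FACILITY_CODE.items()}

# Assumed routing (facilities, highest priority number accepted, target file).
# Priority numbers: emerg=0 .. err=3 .. debug=7, so "mail.err" means <= 3.
ROUTES = [
    ({"auth", "authpriv"}, 7, "/var/log/auth.log"),
    ({"kern"}, 7, "/var/log/kern.log"),
    ({"mail"}, 7, "/var/log/mail.log"),
    ({"mail"}, 3, "/var/log/mail.err"),
]

def facility_match(name):
    """Journal match for a facility name, e.g. 'auth' -> 'SYSLOG_FACILITY=4'."""
    return f"SYSLOG_FACILITY={FACILITY_CODE[name]}"

def expected_files(entry):
    """Files one journal entry should reach under ROUTES (empty if no facility)."""
    if "SYSLOG_FACILITY" not in entry:
        return []
    fac = FACILITY_NAME.get(int(entry["SYSLOG_FACILITY"]))
    prio = int(entry.get("PRIORITY", 6))
    return [path for facs, max_prio, path in ROUTES if fac in facs and prio <= max_prio]

def tally(lines, transport=None):
    """Count expected deliveries per file, optionally for one _TRANSPORT only."""
    counts = Counter()
    for line in lines:
        entry = json.loads(line)
        if transport and entry.get("_TRANSPORT") != transport:
            continue
        counts.update(expected_files(entry))
    return counts

# Constructed sample in the shape of `journalctl -o json` (all values are strings).
SAMPLE = [
    '{"_TRANSPORT":"syslog","SYSLOG_FACILITY":"10","PRIORITY":"6","SYSLOG_IDENTIFIER":"sshd"}',
    '{"_TRANSPORT":"syslog","SYSLOG_FACILITY":"2","PRIORITY":"3","SYSLOG_IDENTIFIER":"postfix"}',
    '{"_TRANSPORT":"kernel","SYSLOG_FACILITY":"0","PRIORITY":"4","SYSLOG_IDENTIFIER":"kernel"}',
    '{"_TRANSPORT":"stdout","SYSLOG_FACILITY":"3","PRIORITY":"6","SYSLOG_IDENTIFIER":"backup"}',
]

if __name__ == "__main__":
    print(facility_match("auth"), dict(tally(SAMPLE)), dict(tally(SAMPLE, "syslog")))
```

Comparing the tally against the actual line counts of those files shows which facilities are being lost between the journal and rsyslogd.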