1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
|
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html><head>
<meta http-equiv="Content-Language" content="en">
<title>Linux Journal Output Module (omjournal)</title></head>
<body>
<a href="rsyslog_conf_modules.html">back</a>
<h1>Linux Journal Output Module (omjournal)</h1>
<p><b>Module Name: omjournal</b></p>
<p><b>Author: </b>Rainer Gerhards <rgerhards@adiscon.com></p>
<p><b>Available since</b>: 7.3.7</p>
<p><b>Description</b>:</p>
<p>The omjournal output module provides an interface to the Linux journal.
It is meant to be used in those cases where the Linux journal is being used
as the sole system log database. With omjournal, messages from various
sources (e.g. files and remote devices) can also be written to the journal
and processed by its tools.
<p>A typical use case we had on our mind is a SOHO environment, where the
user wants to include syslog data obtained from the local router to be
part of the journal data.
<p> </p>
<p><b>Module Configuration Parameters</b>:</p>
<p>Currently none.
<p> </p>
<p><b>Action Confguration Parameters</b>:</p>
<p>Currently none.
<p><b>Caveats/Known Bugs:</b>
<ul>
<li>One needs to be careful that no message routing loop is created. The
systemd journal forwards messages it receives to the traditional syslog
system (if present). That means rsyslog will receive the same message that
it just wrote as new input on imuxsock. If not handled specially and assuming
all messages be written to the journal, the message would be emitted to the
journal again and a deadly loop is started.
<p>To prevent that, imuxsock by default does not accept messages originating
from its own process ID, aka it ignores messages from the current instance of
rsyslogd. However, this setting can be changed, and if so the problem may occur.
</ul>
<p><b>Sample:</b></p>
<p>We assume we have a DSL router inside the network and would like to
receive its syslog message into the journal. Note that this configuration can be
used without havoing any other syslog functionality at all (most importantly, there
is no need to write any file to /var/log!). We assume syslog over UDP, as this
is the most probable choice for the SOHO environment that this use case reflects.
To log to syslog data to the journal, add the following snippet to rsyslog.conf:
<textarea rows="20" cols="60">/* first, we make sure all necessary
* modules are present:
*/
module(load="imudp") # input module for UDP syslog
module(load="omjournal") # output module for journal
/* then, define the actual server that listens to the
* router. Note that 514 is the default port for UDP
* syslog and that we use a dedicated ruleset to
* avoid mixing messages with the local log stream
* (if there is any).
*/
input(type="imudp" port="514" ruleset="writeToJournal")
/* inside that ruleset, we just write data to the journal: */
ruleset(name="writeToJournal") {
action(type="omjournal")
}
</textarea>
<p>Note that this can be your sole rsyslog.conf if you do not use rsyslog
for anything else than receving the router syslog messages.
<p>If you do not receive messages, <b>you probably need to enable inbound UDP
syslog traffic in your firewall</b>.
<p>[<a href="rsyslog_conf.html">rsyslog.conf overview</a>] [<a href="manual.html">manual
index</a>] [<a href="http://www.rsyslog.com/">rsyslog site</a>]</p>
<p><font size="2">This documentation is part of the
<a href="http://www.rsyslog.com/">rsyslog</a> project.<br>
Copyright © 2008-2013 by <a href="http://www.gerhards.net/rainer">Rainer Gerhards</a> and
<a href="http://www.adiscon.com/">Adiscon</a>. Released under the GNU GPL
version 3 or higher.</font></p>
</body></html>
|