Journald logs to logstash

opethdisciple · 27 Jun 2019 at 12:23

Trying to get journald logs to be sent to logstash.

Issue is journald saves in binary format so cant access the data inside the file even if I enable writing to disk.

What we want ideally is to filter for certain things and sent to rsyslog which can then write to a file which can be shipped off to logstash.

Anyway have any idea?

There is an experimental journald plug-in by elasticsearch but it's unreliable so not an option.

Centos7 boxes

Buffalo2102 · 27 Jun 2019 at 23:49

Syslog-ng? If I'm understanding correctly, this chap seems to have found a solution;

https://robsears.com/tracking-system-events-with-logstash/

SMN · 28 Jun 2019 at 15:00

I'd just use journalbeat (presuming this is the experimental plugin your talking about)?

opethdisciple · 29 Jun 2019 at 21:20

SMN said:
I'd just use journalbeat (presuming this is the experimental plugin your talking about)?

Tha'ts been ruled out by management.

There are a few ways to do it this. Cron job to run journalctl and pipe to file, systemd unit file to do the same and as I found out there is a systemd directive to tell it to output to file.