I wonder if systemd-journald is a new implementation of syslog protocol, or rather, it uses syslog implementations, such as rsyslog, syslog-ng
I've googled a bit, but I didn't find nothing convincing about it.
Asked
Active
Viewed 1.9k times
36
-
You might want to to clarify if by "syslog protocol" you mean receiving syslog on tcp|udp 514, or sending, or both. – Alex Stragies Dec 22 '16 at 23:27
-
also see possible dupe: http://unix.stackexchange.com/questions/83173/receiving-syslog-messages-with-a-systemd-arch-linux – Alex Stragies Dec 22 '16 at 23:29
1 Answers
54
As far as protocols are concerned, systemd-journald …
- … is the listener on a stream socket named
/run/systemd/journal/stdout. systemd connects the raw standard outputs and errors of services (that have defaulted to or that explicitly haveStandardOutput=journal/StandardError=journal) to this socket. It thus receives the protocol of variable length free-format records terminated with linefeeds. - … is the listener on datagram sockets named
/run/systemd/journal/dev-log, which is symbolically linked from/dev/log. This receives the protocol that thesyslog()library function in the GNU C library, linked into applications, speaks. - … tries to be a client of another service listening on a datagram socket named
/run/systemd/journal/syslog. This also receives the protocol that thesyslog()library function in the GNU C library speaks (althoughsystemd-journaldactually uses another library and another function to speak it). - … is a reader from a character device named
/dev/kmsg. This receives the protocol that the Linux kernel speaks, which is a protocol of variable length, largely free-format, records terminated with linefeeds. - … is the listener on a datagram socket named
/run/systemd/journal/socket. This is analogous to the GNU C library case in that applications link to a library that speaks a certain protocol to this socket; except that the function issd_journal_sendv(), it is in a systemd C library that applications link to, and the protocol is not standardized but is a systemd-only protocol comprising an array of key=value pairs, and optionally a readable file descriptor, in each datagram.
The protocol spoken by the syslog() function in the GNU C library is neither RFC 5424 nor RFC 3164, and is effectively its own de facto standard. It isn't RFC 5424 because it does not have the correct amount of whitespace and the dashes designating optional fields with NIL values. It is not RFC 3164 because it has a PROCID field instead of a HOSTNAME.
A couple of years ago, your systemd operating system would have had:
systemd-journalddoing all of the above (and some things which are irrelevant when it comes to protocols) and being the server that the GNU C library and the systemd C library talk to using their respective protocols- a optional syslog or rsyslog or syslog-ng program invoked, either
xinetd/inetd-style when something attempts to send messages to/run/systemd/journal/syslogand receiving the socket as an open file descriptor, or as a straight service configured to open and listen on/run/systemd/journal/syslogwith its (equivalent of the rsyslog)imuxsockmodule; and speaking the GNU C library protocol - a optional syslog or rsyslog or syslog-ng or udp-syslog-read service listening for RFC 5426 traffic
Nowadays, your systemd operating system has:
systemd-journaldagain doing all of the above and being the server that the GNU C library and the systemd C library talk to- an optional rsyslog program invoked as a straight service rather than via a socket, which directly reads things out of the systemd journal files using its
imjournalmodule - a optional syslog or rsyslog or syslog-ng or udp-syslog-read service listening for RFC 5426 traffic
