I do not really understand the forwarding from Journald to Rsyslog.
Basically, I understood it such that the 'pipeline' is built up as follows:
Kernel logs through printk() → /proc/kmsg ← rsyslog → writes to log file according to rules in rsyslog.conf
Userspace logs → /dev/log ← rsyslog → writes to log file according to rules in rsyslog.conf
This results in the various log files, such as /var/log/syslog etc.
As in the rsyslog.conf snippet below, messages from the 'user' facility are also written to syslog and are therefore stored twice, right?
#
# First some standard log files. Log by facility.
#
auth,authpriv.* /var/log/auth.log
*.*;auth,authpriv.none -/var/log/syslog
#cron.* /var/log/cron.log
daemon.* -/var/log/daemon.log
kern.* -/var/log/kern.log
lpr.* -/var/log/lpr.log
mail.* -/var/log/mail.log
user.* -/var/log/user.log
So far so clear, if I've got it right.
However, /dev/log seems to be linked to
$ ls -lah /dev/log
lrwxrwxrwx 1 root root 28 Apr 15 16:30 /dev/log -> /run/systemd/journal/dev-log
Why is that?
To get back to my real question: where does journald get the logs? I only know systemd-cat. Or also from /dev/log (i.e. /run/systemd/journal/dev-log)?
Journald forwards the logs to syslog (the default on Debian according to https://manpages.debian.org/testing/manpages-de/journald.conf.5.de.html). Shouldn't every message be duplicated in syslog?
To close the loop, I am at this point because I am planning a log management environment and am faced with the question of where to get my logs from.
I thank you in advance and hope that you can help me.
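As an added example (not part of the question), the following Python script models rsyslog's legacy selector syntax (`facility.priority`, `*`, `none`, `=level`, `;`-separated parts where later parts override earlier ones for the facilities they name, and a leading `-` on the file action meaning "no sync after each write") and runs the rsyslog.conf snippet from the question through it. It shows that a `user.info` message matches both `*.*;auth,authpriv.none` and `user.*` and is therefore written to /var/log/syslog and /var/log/user.log, while an `auth.info` message is kept out of /var/log/syslog by the `auth,authpriv.none` override. This is a model of the selector rules, not rsyslog itself; the facility and priority tables are the standard syslog ones.

```python
"""Model of rsyslog legacy selectors: which files does a message land in?

Constructed example: parses the rsyslog.conf snippet from the question and
reports the destination files for a given facility/priority pair. Supports
'*', 'none', plain levels (that level and everything more severe) and '=level'
(exactly that level). It is a model of the selector semantics, not rsyslog.
"""

FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    **{f"local{i}": 16 + i for i in range(8)},
}
PRIORITIES = {
    "emerg": 0, "panic": 0, "alert": 1, "crit": 2, "err": 3, "error": 3,
    "warning": 4, "warn": 4, "notice": 5, "info": 6, "debug": 7,
}
ALL_PRIORITIES = frozenset(range(8))

# Config lines copied from the question (used here as constructed test input).
RSYSLOG_CONF = """\
#
# First some standard log files. Log by facility.
#
auth,authpriv.* /var/log/auth.log
*.*;auth,authpriv.none -/var/log/syslog
#cron.* /var/log/cron.log
daemon.* -/var/log/daemon.log
kern.* -/var/log/kern.log
lpr.* -/var/log/lpr.log
mail.* -/var/log/mail.log
user.* -/var/log/user.log
"""


def _priority_set(spec):
    """Translate one priority spec into the set of matching numeric priorities."""
    if spec == "*":
        return ALL_PRIORITIES
    if spec == "none":
        return frozenset()
    if spec.startswith("="):
        return frozenset({PRIORITIES[spec[1:]]})
    # A bare level matches that level and every more severe (lower-numbered) one.
    return frozenset(range(PRIORITIES[spec] + 1))


def parse_selector(selector):
    """Return {facility_number: allowed_priorities} for one selector string.

    Parts separated by ';' are applied in order, so a later part such as
    'auth,authpriv.none' overrides what '*.*' granted for those facilities.
    """
    allowed = {}
    for part in selector.split(";"):
        facilities, _, prio = part.rpartition(".")
        prios = _priority_set(prio)
        names = FACILITIES if facilities == "*" else facilities.split(",")
        for name in names:
            allowed[FACILITIES[name]] = prios
    return allowed


def parse_conf(text):
    """Parse 'selector action' lines into a list of (allowed, path, async_write)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selector, action = line.split(None, 1)
        async_write = action.startswith("-")  # '-' = do not sync after each write
        path = action.lstrip("-")
        rules.append((parse_selector(selector), path, async_write))
    return rules


def destinations(rules, facility, priority):
    """All file paths a message with this facility/priority is written to."""
    fac, prio = FACILITIES[facility], PRIORITIES[priority]
    return [path for allowed, path, _ in rules if prio in allowed.get(fac, ())]


if __name__ == "__main__":
    rules = parse_conf(RSYSLOG_CONF)
    for fac, prio in [("user", "info"), ("auth", "info"),
                      ("kern", "warning"), ("cron", "info")]:
        print(f"{fac}.{prio:<8} -> {destinations(rules, fac, prio)}")
```

Running it prints, for example, `user.info -> ['/var/log/syslog', '/var/log/user.log']`, which is the duplication the question suspects, and `auth.info -> ['/var/log/auth.log']`, which is why the `auth,authpriv.none` part exists. Note that this only describes rsyslog's file rules; it says nothing about whether the same message also reaches rsyslog twice (once via the socket and once via journald forwarding), which is a separate question about the input side.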
If both rsyslog and journald read from /dev/log (or the link and socket provided for syslog) and journald on Debian has ForwardToSyslog enabled by default, why don't all messages duplicate?
– rosaLux161 Apr 15 '20 at 20:42