Setting protocol type in Unix Input Plugin

Hello everybody,

I am trying to receive journald messages by forwarding them to syslog. My Linux is a systemd-system (OpenSUSE Leap 42.2) with no syslog daemon installed and I would like to avoid installing one.

The Syslog input plugin does not work because journald sends the messages to the unix domain socket /run/systemd/journal/syslog. So I am using the Unix input plugin.

For testing, my pipeline is configured as follows:

input {
  unix {
    path => "/run/systemd/journal/syslog"
    force_unlink => true
    mode => "server"
  }
}

output {
  file {
    path => "/var/log/logstash/unix.log"
  }
}

Testing the socket with 'nc -U /run/systemd/journal/syslog' works fine. Each entered line is dropped into unix.log. But no journald messages are received.

Then I checked what journald is doing with the socket by 'strace -p -yy -s 500 |& grep /run/systemd/journal/syslog'. The sendmsg call failed with "EPROTOTYPE (Protocol wrong type for socket)".

I guess that the protocol types used by journald and logstash are different. As I found out, journald expects a datagram socket. With my netcat I cannot specify the protocol type for domain sockets but I suppose that the default is streaming and that the unix plugin creates a streaming socket.

I cannot find any setting for the protocol type in the unix input plugin. Maybe there is a workaround?

Many thanks,
Michael
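
The socket-type mismatch described in the post can be reproduced on Linux without Logstash or journald. This is an added example, not code from the original post or from either project: it binds first a stream listener and then a datagram listener on a temporary path and sends one datagram to each. The path, the sample message and the function names are constructed for illustration.

```python
import errno
import os
import socket
import tempfile

# Constructed sample line in syslog format; not taken from the post.
SAMPLE = b"<30>Jan  1 00:00:00 demo[1]: constructed test message"

# Hypothetical labels for the two listener types being compared.
TYPES = {"stream": socket.SOCK_STREAM, "dgram": socket.SOCK_DGRAM}


def send_datagram(path, payload=SAMPLE):
    """Send one datagram to `path`, the way a datagram-based forwarder does.

    Returns None on success, or the symbolic errno name on failure.
    """
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as s:
        try:
            s.sendto(payload, path)
            return None
        except OSError as e:
            return errno.errorcode.get(e.errno, str(e.errno))


def try_listener(kind):
    """Bind a listener of type `kind` ("stream" or "dgram") on a temporary
    socket path, send one datagram to it, and return (error, received)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "syslog")
        with socket.socket(socket.AF_UNIX, TYPES[kind]) as srv:
            srv.bind(path)
            if kind == "stream":
                srv.listen(1)  # a stream server accepts connections
            err = send_datagram(path)
            received = None
            if err is None:
                srv.settimeout(1.0)
                received = srv.recv(65536)
            return err, received


if __name__ == "__main__":
    print("stream listener:  ", try_listener("stream"))
    print("datagram listener:", try_listener("dgram"))
```

The stream case fails in the sender with the same error name that strace reported, while the datagram listener receives the message unchanged.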
