Initial support for systemd-journal namespaces is available in syslog-ng 3.29. However, only version 4.4.0 allows you to work with multiple namespaces in your syslog-ng configuration.

So, what changed in the latest version of syslog-ng? Previously, you could only configure a single systemd-journal() source in syslog-ng. By default, it collected logs from all namespaces, but you could configure it to collect log messages from a single one exclusively. This means that logs from other namespaces could not be collected by syslog-ng. Version 4.4.0 allows you to use multiple systemd-journal() source drivers in the configuration, as long as each source uses a unique namespace.

Before you begin

You need to install syslog-ng 4.4.0 or later to work with multiple systemd-journal namespaces in syslog-ng. If it is not yet available for your Linux distribution of choice, check our 3rd party download page: https://syslog-ng.org/3rd-party-binaries/

You also need systemd-journal with multiple namespaces. Setting this up is not in the scope of this blog. You can learn more about it from its manual pages:

man systemd-journald.service

Configuring syslog-ng

Create a new configuration snippet under /etc/syslog-ng/conf.d/ or append the following configuration to your syslog-ng.conf file (if the conf.d directory is not supported):

source s_mynamespace {
	systemd-journal(
		namespace(mynamespace)
	);
};

destination d_mynamespace {
	file("/var/log/mynamespace");
};

log {
	source(s_mynamespace);
	destination(d_mynamespace);
};

source s_defnamespace {
	systemd-journal(
		namespace("")
	);
};

destination d_defnamespace {
	file("/var/log/defnamespace");
};

log {
	source(s_defnamespace);
	destination(d_defnamespace);
};

You should also comment out the system() source in syslog-ng.conf while you are testing, as that also includes the systemd-journal() driver.

Replace the parameter of namespace() in the s_mynamespace source with a namespace name that exists on your system.

Note that you can refer to the default namespace by an empty namespace() definition, as seen in the s_defnamespace source.
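As an added example (not part of the original post or of the syslog-ng project), here is a small Python checker for the rule above: it scans a constructed syslog-ng snippet and reports any namespace read by more than one source. It treats an omitted namespace() as the all-namespaces default (assumed to be spelled "*" here) and counts system() as a journal reader because it wraps systemd-journal(); the regex parsing is a simplification that covers plain source blocks like the ones in this post.

```python
import re
from collections import defaultdict

# Constructed syslog-ng snippet for demonstration (not from a real system):
# two sources share "mynamespace", one omits namespace() (reads all
# namespaces by default), and system() implicitly contains systemd-journal().
SAMPLE_CONFIG = """
@version: 4.4
source s_sys { system(); internal(); };
source s_mynamespace { systemd-journal( namespace(mynamespace) ); };
source s_dup { systemd-journal(namespace("mynamespace")); };  # duplicate
source s_defnamespace { systemd-journal( namespace("") ); };
source s_all { systemd-journal(); };
"""

SOURCE_RE = re.compile(r"source\s+(\S+)\s*\{(.*?)\};", re.S)
JOURNAL_RE = re.compile(r"systemd-journal\s*\((.*?)\)\s*;", re.S)
NAMESPACE_RE = re.compile(r'namespace\s*\(\s*"?([^"\s)]*)"?\s*\)')
ALL_NAMESPACES = "*"  # assumed spelling of the driver default (omitted namespace())


def journal_namespaces(config):
    """Return (source_name, effective_namespace) for every journal reader.

    An empty string is the default journal namespace; ALL_NAMESPACES marks a
    source that reads every namespace. system() counts as a journal reader.
    """
    readers = []
    config = re.sub(r"#.*", "", config)  # drop comments before matching
    for name, body in SOURCE_RE.findall(config):
        if re.search(r"\bsystem\s*\(", body):
            readers.append((name, ALL_NAMESPACES))
        for args in JOURNAL_RE.findall(body):
            m = NAMESPACE_RE.search(args)
            readers.append((name, m.group(1) if m else ALL_NAMESPACES))
    return readers


def duplicate_namespaces(config):
    """Map each namespace used by more than one source to those sources."""
    by_ns = defaultdict(list)
    for name, ns in journal_namespaces(config):
        by_ns[ns].append(name)
    return {ns: names for ns, names in by_ns.items() if len(names) > 1}


if __name__ == "__main__":
    labels = {"": "default namespace", ALL_NAMESPACES: "all namespaces"}
    for ns, names in duplicate_namespaces(SAMPLE_CONFIG).items():
        print(f"{labels.get(ns, ns)} is read by several sources: {', '.join(names)}")
```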

Testing

You should send a few test messages. Sending logs to the default namespace is easy, as you can use logger:

logger this is a test message

The test message should show up in /var/log/defnamespace with the aforementioned configuration.

Creating a test message for the other namespace is a bit more tricky. In my test environment I added the following line to a service file:

LogNamespace=mynamespace

Then I reloaded that service. I could see the related log messages showing up in the /var/log/mynamespace file.

Other recent systemd-journal() changes

Previous syslog-ng versions read the journal from the beginning during the first start. This is not a problem when you install syslog-ng on first boot, but it could result in processing gigabytes of logs if installed later. The journal was also read from the beginning if the syslog-ng persist file was deleted or damaged. There is now a new option, starting with syslog-ng 4.2.0, which is enabled by default in the system() source: match-boot(yes). With this feature, syslog-ng reads logs starting from the current boot instead of the beginning of time. If you want the old behavior, you should configure the systemd-journal() source yourself instead of using the system() source.

Another new option is the matches() filter within the systemd-journal() source. It is best explained with a configuration snippet:

source s_journal_systemd_only {
  systemd-journal(matches(
    "_COMM" => "systemd" # filtering on the application name
    )
  );
};

What is next?

By using systemd-journal namespaces, you can selectively process log messages from various namespaces in syslog-ng. You can skip collecting logs from namespaces with logs you do not want to collect centrally using syslog-ng. You can also easily send logs from different namespaces to different destinations.

-

If you have questions or comments related to syslog-ng, do not hesitate to contact us. You can reach us by email or even chat with us. For a list of possibilities, check our GitHub page under the “Community” section at https://github.com/syslog-ng/syslog-ng. On Twitter, I am available as @PCzanik, on Mastodon as @Pczanik@fosstodon.org.
