How to Send Journald Logs From CoreOS to Remote Logging Server ?
https://cloudshift.co/gnu-linux/coreos/how-to-send-journald-logs-from-coreos-to-remote-logging-server/
How to Send Journald Logs From CoreOS to Remote Logging Server ?
CoreOS is an operating system that goes beyond the ordinary. When you need to send the journald logs to remote server, it will not be so simple but it is not too hard too.
First of all you can configure the rsyslogd but it will not send the journald logs. Journald daemon logs the events and outputs as binary file. Only solution is to be able to read that journald via journalctl command line utility. So this means we can not configure rsyslogd for sending journald logs to the remote logging server( Elasticsearch, Splunk, Graylog, etc… )
First of all we need to create a systemd configuration file for sending the logs to the remote.
# vi /etc/systemd/system/sentjournaldlogs.service Description=Sent Journald Logs to Remote Logging Service After=systemd-journald.service Requires=systemd-journald.service [Service] ExecStart=/bin/sh -c "journalctl -f | ncat -u RemoteServerIP RemotePort" TimeoutStartSec=0 Restart=on-failure RestartSec=5s [Install] WantedBy=multi-user.target
You need to change RemoteServerIP and RemotePort with your remote logging server’s IP address and service port.
If you are using or the remote logging server is listening on standard ports that will be 514. If you look closely to the ncat command there is -u argument which specifies that the connection will use UDP. If you want to use TCP then please delete -u argument.
# systemctl daemon-reload # systemctl enable sentjournaldlogs.service # systemctl start sentjournaldlogs.service # systemctl status sentjournaldlogs.service
We need to reload systemd daemon and start the service. That’s all.