The world is taking systemd by storm and there is no looking back now.
Still, there are some elements that you would expect to be there that are missing. One of them is remote logging!
Another thing missing is a decent crash course [*]. This is frustrating because making init scripts and checking logs is the staple diet of any old sysadmin.
Read on to readjust gently but quickly.
Systemd crash course
Find “unit” – that’s the new name for “init script name” to us oldtimers:
systemctl list-units --type=service
# this one is way more verbose
systemctl list-units
Start, stop, restart, reload, status:
systemctl start sshd
systemctl stop sshd
systemctl restart sshd
systemctl reload sshd
# status, gives some log output too
systemctl status sshd
Check ALL the logs, follow the logs, get a log for a service:
journalctl -l
journalctl -f
journalctl -u sshd
Install a systemd service:
(This is what a systemd service description looks like)
cat > ossec.service << EOF
[Unit]
Description=OSSEC Host-based Intrusion Detection System
[Service]
Type=forking
ExecStart=/var/ossec/bin/ossec-control start
ExecStop=/var/ossec/bin/ossec-control stop
[Install]
WantedBy=basic.target
EOF
# now copy that file into the magic place, /etc/init.d in the old days
install -Dm0644 ossec.service /usr/lib/systemd/system/ossec.service
# now make systemd pick up the changes
systemctl daemon-reload
Enable or disable a service:
systemctl enable ossec
systemctl disable ossec
Remote logging
OK so you now know your way around this beast.
Now you want remote logging.
According to the Arch wiki [#], systemd doesn’t actually do remote logging (yet. what else doesn’t it do?) but it will helpfully spew its logs onto the socket /run/systemd/journal/syslog if you knock twice, gently.
To convince systemd to write to this socket, go to /etc/systemd/journald.conf and set
ForwardToSyslog=yes
then issue a journald restart
systemctl restart systemd-journald
You can install syslog-ng and it should pick up the logs. Test it now by making a log entry with
logger -t WARN zool
and check /var/log/syslog.log
If you have a distro running systemd, then hopefully syslog-ng will be recent enough to be aware enough of systemd that things should just work at this point.
If it doesn’t, the source in syslog-ng.conf, source src { system(); }; isn’t picking up the socket file. Fix this by adding the socket explicitly, changing the source in /etc/syslog-ng/syslog-ng.conf like so:
source src { unix-dgram("/run/systemd/journal/syslog"); internal(); };
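If the test message still does not arrive, confirm the journald side before digging further into syslog-ng. The following is an added example, not part of the original post: a shell check that reports the effective ForwardToSyslog value and whether the socket exists. The function names, the SOCKET variable and the "invalid" result for unrecognised values are choices made for this example.

```shell
# Added example: audit the journald side of the forwarding setup described above.
# Usage: check_syslog_forwarding /etc/systemd/journald.conf [drop-in files...]
# Later files override earlier ones, the same way the last assignment wins in one file.

# Print yes, no, unset or invalid for ForwardToSyslog in the given files.
forward_to_syslog_state() {
    awk '
        # strip leading and trailing whitespace
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        BEGIN { state = "unset"; in_journal = 0 }
        FNR == 1 { in_journal = 0 }               # section context is per file
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }      # comments and blank lines
        /^[ \t]*\[/ { in_journal = (trim($0) == "[Journal]"); next }
        in_journal {
            eq = index($0, "=")
            if (eq == 0) next
            key = trim(substr($0, 1, eq - 1))
            val = tolower(trim(substr($0, eq + 1)))
            if (key != "ForwardToSyslog") next
            if (val ~ /^(yes|y|true|t|on|1)$/) state = "yes"
            else if (val ~ /^(no|n|false|f|off|0)$/) state = "no"
            else state = "invalid"                # flag typos instead of guessing
        }
        END { print state }
    ' "$@"
}

# Succeed only when forwarding is switched on AND the socket from the article exists.
# SOCKET can be overridden for testing; it defaults to the path named above.
check_syslog_forwarding() {
    socket=${SOCKET:-/run/systemd/journal/syslog}
    state=$(forward_to_syslog_state "$@") || return 2
    if [ "$state" != yes ]; then
        echo "ForwardToSyslog is $state, journald will not forward" >&2
        return 1
    fi
    if [ ! -S "$socket" ]; then
        echo "no socket at $socket, nothing can pick the logs up" >&2
        return 1
    fi
    echo "forwarding enabled, socket present at $socket"
}
```

A commented-out line such as #ForwardToSyslog=yes reports as unset, which is the usual reason the setting appears to be there but has no effect.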
If you are working with a laptop or desktop then the console_all on tty12 is handy too:
log { source(src); destination(console_all); };
[*] IMHO Fedora’s cheatsheet on systemd is a little too cluttered
[#] Arch has a decent intro to systemd