Hi, The Wanderer: > What is the log flow here? Specifically, does the logged information > flow from source - that is, from the process generating the message > which gets logged - to journald and also, separately, from source to > syslog (presumably in the form of rsyslogd), or does it flow from source > to journald to syslog? (Or something else? Or am I missing / making an > assumption that turns this into a stupid question?) > Systemd owns the syslog socket and will read+buffer syslog messages. When journald is started, it'll inherit the /dev/log socket (standard "socket activation" method), read from that, and forward any messages to rsyslog-or-whatever. Systemd will also forward any stdout+err file descriptors to journald by way of sendmsg(), but without keeping them open itself.
The fact that PID-1 is not in this loop is good because you can't DoS systemd that way, but on the other hand it does cause a race condition: syslog messages which are emitted immediately before a process exits may not be attributed correctly, because journald can't read the extended credentials (like the cgroup the process is in) from /proc any more. Disclaimer: this is from observation of systemd-204 on current Debian. -- -- Matthias Urlichs
signature.asc
Description: Digital signature
