systemd-journald
systemdに付属する一枚岩のログ管理デーモン。
journalctl(1)
https://unix.stackexchange.com/questions/205883
systemd has a single monolithic log management program, systemd-journald. This runs as a service managed by systemd.
It reads /dev/kmsg for kernel log data.
It reads /dev/log (a symbolic link to /run/systemd/journal/dev-log) for application log data from the GNU C library's syslog() function.
It listens on the AF_LOCAL stream socket at /run/systemd/journal/stdout for log data coming from systemd-managed services.
It listens on the AF_LOCAL datagram socket at /run/systemd/journal/socket for log data coming from programs that speak the systemd-specific journal protocol (i.e. sd_journal_sendv() et al.).
It mixes these all together.
It writes to a set of system-wide and per-user journal files, in /run/log/journal/ or /var/log/journal/.
If it can connect (as a client) to an AF_LOCAL datagram socket at /run/systemd/journal/syslog it writes journal data there, if forwarding to syslog is configured.
If configured, it writes journal data to the kernel buffer using the writable /dev/kmsg mechanism.
If configured, it writes journal data to terminals and the console device as well.
Bad things happen system-wide if this program crashes, or the service is stopped.
systemd itself arranges for the standard outputs and errors of (some) services to be attached to the /run/systemd/journal/stdout socket. So dæmons that log to standard error in the normal fashion have their output sent to the journal.
This completely supplants klogd, syslogd, syslog-ng, and rsyslogd.
These are now required to be systemd-specific. On a systemd system they don't get to be the server end of /dev/log. Instead, they take one of two approaches:
They get to be the server end of /run/systemd/journal/syslog, which (if you remember) systemd-journald attempts to connect and write journal data to. A couple of years ago, one would have configured rsyslogd's imuxsock input method to do this.
They read directly from the systemd journal, using a systemd-specific library that understands the binary journal format and that can monitor the journal files and directory for new entries being added. Nowadays, one configures rsyslogd's imjournal input method to do this.
Native Journal Protocol
systemd-journaldがログをリッスンする経路
/dev/log
RFC3164
service fileでStandardOutput=journal,StandardError=journalが指定されたアプリ(デフォルトでこの設定)
/dev/kmsgデバイスノードを通じたカーネルログ
監査ログ
journaldネイティブのプロトコルを通じた構造的なログメッセージ