Configuring system logging without journald


Red Hat Enterprise Linux offers two logging solutions - systemd-journald and rsyslog - which can coexist in default configurations. For performance-critical use cases, data throughput and memory consumption of this setup are not optimal.

To mitigate this, you can run rsyslog in socket-only mode. This improves performance, but you lose journald formatting because log messages arrive as plain text. If you need access to structured systemd logs and you use their metadata, this solution does not fit your scenario.

DISCLAIMER: The configuration outlined in this article differs greatly from the default configuration provided in RHEL. While the imuxsock rsyslog module is shipped and supported in RHEL and can indeed be used as the default log input method in rsyslog as outlined here, Red Hat's recommendation is to use the default configuration whenever possible. If performance issues are experienced, a support case should be opened to determine first if this configuration is really the best way to move forward.

  • Edit the /etc/rsyslog.conf rsyslog configuration file: enable reception of local messages through imuxsock, comment out the loading of the imjournal module, and uncomment the loading of the imklog module:

    module(load="imuxsock"                 # provides support for local system logging (e.g. via the logger command)
    SysSock.Use="on")
    # module(load="imjournal"             # provides access to the systemd journal
    # StateFile="imjournal.state")        # file to store the position in the journal
    module(load="imklog") # reads kernel messages (the same are read from journald)
    
  • Edit the journald configuration at /etc/systemd/journald.conf: switch the journal to in-memory only mode and enable forwarding:

    [Journal]
    Storage=none
    ForwardToSyslog=yes
    
  • Create a drop-in for the rsyslog unit configuration file at /etc/systemd/system/rsyslog.service.d/logging.conf with the following content to ensure socket creation and linking:

    # https://access.redhat.com/articles/4058681
    [Unit]
    Requires=syslog.socket
    
    [Install]
    Alias=syslog.service
    
  • Reload the systemd configuration to load the drop-in file, enable rsyslog, and restart the services:

    # systemctl daemon-reload
    # systemctl enable rsyslog.service
    # systemctl restart rsyslog.service
    # systemctl restart systemd-journald.service
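
A check for the finished setup, added here as an example and not part of the original article: it confirms that the three files carry the settings from the steps above. The function names and the root-prefix argument are assumptions of this example, and the sample files it writes are constructed.

```shell
#!/bin/sh
# Added example (not from the article): verify the socket-only logging setup.
# The root-prefix argument is an assumption of this example, used so the check
# can run against a test tree; pass "" to check the live system.
# Limitation: drop-ins under journald.conf.d are not inspected.

# has FILE REGEX: true if an uncommented line in FILE matches REGEX.
has() { grep -v '^[[:space:]]*#' "$1" 2>/dev/null | grep -Eq "$2"; }
fail() { echo "FAIL: $1" >&2; rc=1; }

check_socket_only() {
    rs="$1/etc/rsyslog.conf"
    jd="$1/etc/systemd/journald.conf"
    di="$1/etc/systemd/system/rsyslog.service.d/logging.conf"
    rc=0
    has "$rs" 'module\(load="imuxsock"' || fail "imuxsock not loaded"
    has "$rs" 'SysSock\.Use="on"'       || fail "SysSock.Use is not on"
    has "$rs" 'module\(load="imklog"'   || fail "imklog not loaded"
    has "$rs" 'load="imjournal"'        && fail "imjournal still loaded"
    has "$jd" '^[[:space:]]*Storage=none[[:space:]]*$' \
        || fail "journald Storage is not none"
    has "$jd" '^[[:space:]]*ForwardToSyslog=yes[[:space:]]*$' \
        || fail "journald ForwardToSyslog is not yes"
    has "$di" '^Requires=syslog\.socket' || fail "drop-in lacks Requires=syslog.socket"
    has "$di" '^Alias=syslog\.service'   || fail "drop-in lacks Alias=syslog.service"
    return "$rc"
}

# build_sample_root DIR: write this article's three files (constructed sample).
build_sample_root() {
    mkdir -p "$1/etc/systemd/system/rsyslog.service.d"
    cat > "$1/etc/rsyslog.conf" <<'EOF'
module(load="imuxsock"   # local system logging
       SysSock.Use="on")
# module(load="imjournal"
#        StateFile="imjournal.state")
module(load="imklog")
EOF
    printf '[Journal]\nStorage=none\nForwardToSyslog=yes\n' \
        > "$1/etc/systemd/journald.conf"
    printf '[Unit]\nRequires=syslog.socket\n\n[Install]\nAlias=syslog.service\n' \
        > "$1/etc/systemd/system/rsyslog.service.d/logging.conf"
}

# Demo on a constructed tree.
tmp=$(mktemp -d)
build_sample_root "$tmp"
check_socket_only "$tmp" && echo "OK: socket-only logging configured"
rm -rf "$tmp"
```

On a configured host, `check_socket_only ""` reads the real files under /etc and lists each setting that does not match on stderr.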
    
