I also like persistent logs, but journald is too crude for anything serious. The main issue is that journal puts all logs in one place: /var/log/journal. This dir grows A LOT. For instance, after a week of uptime, I have ~ 5MiB in syslog-ng logs, but ~50MiB in journal.
Moreover, I don't need all logs persistent: some can go to RAM (logs from hostap, cron, iptables), but some must stay on disk (kernel, auth). Firewall logs can grow very fast (~4K lines/day) which will kill my HDDs. How do you configure this in journal? Also, this problem with corrupted journal files just scares me...
Finally, I find fail2ban/sshguard/... quite stupid. My philosophy is not to change firewall rules on the fly, but to make them adaptive. One example was provided by Strike0 in the above link. Another one is using port knocking with the "-m recent" iptables module.
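One way to keep /var/log/journal from growing unbounded, as an added example that is not part of the thread: a journald drop-in that caps the persistent and runtime journals and forwards everything to the local syslog daemon, which is where a per-facility split (auth and kernel to disk, the rest to tmpfs) has to happen, since journald.conf itself has no facility-based storage routing. The size values and the `10-limits.conf` file name are illustrative choices for this example; it assumes a systemd that reads `/etc/systemd/journald.conf.d/`.

```shell
#!/bin/sh
# Added example (not from the thread): bound journald's on-disk footprint with a
# drop-in instead of editing /etc/systemd/journald.conf directly.
# Assumes journald.conf.d drop-in support; the limits below are illustrative.

# write_journald_limits DIR  -- writes DIR/10-limits.conf and prints its path
# (DIR defaults to the real drop-in directory; pass a scratch dir to preview)
write_journald_limits() {
    dir="${1:-/etc/systemd/journald.conf.d}"
    mkdir -p "$dir" || return 1
    cat > "$dir/10-limits.conf" <<'EOF'
[Journal]
# Keep the journal on disk (/var/log/journal) across reboots.
Storage=persistent
# Compress large entries before writing them.
Compress=yes
# Hard cap on /var/log/journal, and never eat into the last 200M of the disk.
SystemMaxUse=64M
SystemKeepFree=200M
# Rotate into a fresh file every 16M so vacuuming reclaims space in small steps.
SystemMaxFileSize=16M
# Drop entries older than a month even if the caps above are never reached.
MaxRetentionSec=1month
# Bound the volatile copy in /run/log/journal as well.
RuntimeMaxUse=16M
# Hand every message to the local syslog daemon (syslog-ng in the poster's
# setup), which can route kern/auth to disk and noisy facilities to tmpfs.
ForwardToSyslog=yes
EOF
    printf '%s\n' "$dir/10-limits.conf"
}

# journald_limit_value FILE KEY -- prints the value configured for KEY in FILE
journald_limit_value() {
    sed -n "s/^$2=//p" "$1"
}

# Preview run: write into a scratch directory and show the result. As root,
# call write_journald_limits with no argument and then
# `systemctl restart systemd-journald` to apply the limits.
if [ "${1:-}" = "--demo" ]; then
    f=$(write_journald_limits "$(mktemp -d)")
    cat "$f"
fi
```

`journalctl --disk-usage` before and after the restart shows whether the cap took effect; `journalctl --vacuum-size=64M` trims existing archived files immediately rather than waiting for the next rotation.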
@Strike0:
No problem, I like your earlier firewall config for dynamic blocking of IPs, although I use plain iptables, not UFW.
To your problem of journald not logging _anything_, I don't have any additional pointers currently. I will add again, if I have an idea.
@Strike0
Thanks for the welcome! I don't think that the link you posted is quite applicable. I understand that ordinarily sshguard looks in /var/log/auth.log for log messages. The sshguard package works around this by piping the output of 'journalctl SYSLOG_FACILITY=4 SYSLOG_FACILITY=10' (with some other flags) into sshguard (sshguard can read log messages from stdin). It's my understanding (perhaps I'm wrong) that this should get the log messages to sshguard even without writing them to /var/log/auth.log. So sshguard doesn't actually need /var/log/auth.log to be present on the system if systemd is installed. But that's beside the point.
My problem isn't that sshguard isn't working. That's a symptom of the problem. The problem is that journald doesn't get *any* log messages. In the interim, I've pointed sshguard to /var/log/auth.log with syslog-ng installed. That works fine and I get messages that sshguard is doing its job. I'm trying to debug the more troubling problem of journald not doing its job.
@strike0:
There is no such thing as "journal ready". If a program logs, its output will be captured by journald.
Journald doesn't get any log messages. When I do `sudo logger -p auth.info test`, the log message shows up in /var/log/auth.log (I have syslog-ng installed), but not in the output of `sudo journalctl SYSLOG_FACILITY=4 SYSLOG_FACILITY=10` or in the output of `sudo journalctl`. The last log messages in my journal are from a few weeks ago. I checked that syslog was not binding to /dev/log. It's only bound to /run/systemd/journal/syslog. systemd-journalctl and systemd are the only processes bound to /dev/log.
I'm at a total loss as to what could be happening. Obviously, I don't have any logs to go along with this problem.
I apologize if this is the wrong forum for this question.
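The `logger` / `journalctl` test from the post above, turned into a repeatable probe as an added example (not the poster's script): it logs a unique token so an old entry cannot give a false positive, polls the journal briefly because journal writes are asynchronous, and lists which processes hold the syslog sockets. It assumes util-linux `logger`, `journalctl`, and `ss` from iproute2; the `journald-probe` tag and the exit codes are conventions chosen for this example.

```shell
#!/bin/sh
# Added example (not from the thread): check whether journald actually receives
# messages sent through /dev/log.
# Assumes util-linux `logger`, `journalctl`, and optionally `ss` (iproute2).

# journald_probe -- returns 0 if a freshly logged message is visible in the
# journal, 1 if it never shows up, 3 if journald is not running here (skipped).
journald_probe() {
    # journald's syslog socket only exists while journald is running.
    if ! command -v journalctl >/dev/null 2>&1 || [ ! -S /run/systemd/journal/dev-log ]; then
        echo "journald not running on this host; probe skipped" >&2
        return 3
    fi
    token="journald-probe-$$-$(date +%s)"
    # Same facility/priority as the post's test, plus a tag we can filter on.
    logger -p auth.info -t journald-probe "$token" || return 1

    # Poll for a few seconds before declaring the message lost.
    i=0
    while [ "$i" -lt 5 ]; do
        if journalctl --since '-2min' -t journald-probe --no-pager 2>/dev/null | grep -q "$token"; then
            return 0
        fi
        i=$((i + 1))
        sleep 1
    done
    return 1
}

# list_log_sockets -- shows which processes hold the syslog sockets, i.e. the
# check the post did by hand for /dev/log and /run/systemd/journal/syslog.
list_log_sockets() {
    ss -xlp 2>/dev/null | grep -E '/dev/log|journal/(dev-log|syslog)' || \
        echo "ss not available or no syslog sockets found" >&2
}

if [ "${1:-}" = "--run" ]; then
    list_log_sockets
    journald_probe; rc=$?
    case "$rc" in
        0) echo "journald received the test message" ;;
        1) echo "message left logger but never reached the journal: journald is not capturing /dev/log" ;;
        3) echo "probe skipped" ;;
    esac
    exit "$rc"
fi
```

Run it as `sh probe.sh --run`. A result of 1 with `list_log_sockets` showing only journald on `/dev/log` points at journald itself (its state directory, unit status, or `journalctl --verify` on the existing files) rather than at the syslog daemon in front of it.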