Bug 2230348

Hello,

Rsyslog is not responsible for managing content of the journal. By default, rsyslog reads logs from journal and outputs them to diverse destinations, such as /var/log/messages.

Could you compare the output of /var/log/messages with the output of 'journalctl' on both rhel7 and rhel8?
If there is a difference between the two outputs then it's definitely a bug. Otherwise, it needs to be solved somewhere else.

Thank you,
Attila

Hello Attila,
  Thanks for your help on this BUG.

  Right now, it looks like RHEL8 rsyslog haven’t record logs from journal and outputs them to /var/log/messages during reboot/shutdown.  RHEL7 is normal.

>Could you compare the output of /var/log/messages with the output of 'journalctl' on both rhel8?
>>In RHEL8 /var/log/messages cannot record graceful shutdown/reboot

Aug 14 05:30:01 testserver systemd[1]: sysstat-collect.service: Succeeded.
Aug 14 05:30:01 testserver systemd[1]: Started system activity accounting tool.
Aug 14 05:40:01 testserver systemd[1]: Starting system activity accounting tool...
Aug 14 05:40:01 testserver systemd[1]: sysstat-collect.service: Succeeded.
Aug 14 05:40:01 testserver systemd[1]: Started system activity accounting tool.
Aug 14 05:50:01 testserver systemd[1]: Starting system activity accounting tool...
Aug 14 05:50:01 testserver systemd[1]: sysstat-collect.service: Succeeded.
Aug 14 05:50:01 testserver systemd[1]: Started system activity accounting tool.    <———— initial reboot
Aug 14 05:58:54 testserver kernel: Command line: BOOT_IMAGE=(hd0,msdos1)/vmlinuz-4.18.0-193.13.2.el8_2.x86_64

>> journal log also cannot show graceful shutdown/reboot log since journal normally only record log in /run/log/journal and will dispeared once reboot
# journalctl 
-- Logs begin at Mon 2023-08-14 05:58:54 EDT, end at Mon 2023-08-14 07:29:01 EDT. --
8月 14 05:58:54 testserver kernel: Linux version 4.18.0-193.13.2.el8_2.x86_64 (mockbuild.eng.bos.redhat.com) (gcc version 8.3.1 20191121 (>
8月 14 05:58:54 testserver kernel: Command line: BOOT_IMAGE=(hd0,msdos1)/vmlinuz-4.18.0-193.13.2.el8_2.x86_64 root=/dev/mapper/rhel_vm250--84-root ro cras>


In RHEL8:
 -if We let journal log save to disk,  then /var/log/messages can record the log which from journal log(save to local such as /var/log/journal
~~~
# mkdir -p /var/log/journal
# systemctl restart systemd-journald.service
# systemctl reboot
~~~
Then from /var/log/message, we know it is a graceful shutdown/reboot
~~~
Jul 31 01:30:23 testserver systemd-logind[974]: System is rebooting.
…
Jul 31 01:30:23 testserver sssd[nss][963]: Shutting down
…
Jul 31 01:30:23 testserver NetworkManager[987]: <info>  [1690781423.5682] caught SIGTERM, shutting down normally.
…
Jul 31 01:30:24 testserver systemd[1]: Shutting down.
~~~
 -if we let journal log keep default setting（save in ring-buffer in /run/log/journal），then /var/log/messages can record the log during the system reboot/shutdown, then rsyslog can not

Hi,

On a clean VM, I can not see a difference in the /var/log/messages file. I've tried RHEL7, RHEL8, RHEL9 as well with the default configurations. I could take a deeper look on the problem if we had a reproducer, however:
If you want to ensure that journal data should be stored persistently, and don't want to create the appropriate folders manually every time after boot, then I suggest to use the Storage="persistent" journald configuration option in /etc/systemd/journald.conf.

From the journald.conf manual page:
Storage=Controls where to store journal data.If "persistent", data will be stored preferably on disk, i.e. below the /var/log/journal hierarchy (which is created if needed), with a fallback to /run/log/journal (which is created if needed), during early boot and if the disk is not writable. The "auto" is similar to "persistent" but the directory /var/log/journal is not created if needed, so that its existence controls where log data goes. Defaults to "auto".