Is it possible to reconfigure journald.conf without rebuilding bottlerocket? #2847
Hello, we are using Bottlerocket as nodes for EKS, and there is no issue with getting logs from pods/containers, but system logs are not working as expected. The Splunk docs say that it is possible to read journald files, but there is no way to point to where to read them. Or, put another way, do I understand correctly that there is no way to affect how things are being logged?
Hi @iaroslav-nakonechnikov.
`journald.conf` is not a file you can modify with any settings at runtime. Its contents can be seen here.
According to the Splunk documentation, it should be able to read directly from the journal. There are some troubleshooting tips in their docs that might be able to help diagnose what is happening. Running `ps aux | grep journalctl` to see if it is actually able to stream the logs would be an interesting check.
It really would be more efficient, storage space and processing-wise, for it to read directly from the journal rather than having things written out somewhere. Perhaps Splunk support can provide some insight?
I mention this only as a possible workaround or maybe for some insights by comparing it, but there was a write up on using fluent-bit that gets systemd logs. That maybe has some more configuration options for systemd, and can forward logs to Splunk.