Syslogs from guest


How do you get logs out of containers on a continuous basis?
I have a VPS host (Ubuntu) where I run a container (Ubuntu) and I have a directory file mounted into it: /data
But I want to have the /var/logs from inside of the container saved outside, so if I replace the container, I still have the previous logs on the VPS.

I want to be able to run backups on the VPS.
The container is basically an “execution environment”

After a complex journey with rsyslog streaming, I ended with bind mounting /data/logs to /var/log.
My /data directory is mounted from the host into the guest. That means I can replace the container without losing the logs.

mkdir /data/logs
chown root:syslog /data/logs
chmod 775 /data/logs
echo "/data/logs     /var/log        none defaults,bind 0 0" >> /etc/fstab

service apache2 stop
service postgresql stop
service postfix stop
service rsyslog stop

mv /var/log/* /data/logs

mount /var/log


Another option is to use one of the output plugins of rsyslog.
In your case, the closest solution would be to use the fwd output plugin, where you send the container syslog entries to the host’s rsyslog service.

The rsyslog people have a post about this, at

For this to work, you would need to

  1. make the host’s rsyslog listen on the lxdbr0 interface.
  2. configure the containers to send their syslog to a remote rsyslog server, i.e. the host.

Note that there is also the option to designate a separate container as the rsyslog container, and have that collect all syslog messages.

Configure the rsyslog service to receive syslog messages over the network

To configure rsyslog to receive syslog messages over the network, edit the file /etc/rsyslog.conf and change the following from

# provides UDP syslog reception
# module(load="imudp")
# input(type="imudp" port="514")

to

# provides UDP syslog reception
module(load="imudp")
input(type="imudp" server="" port="514")

Finally, restart the rsyslog service for the changes to take effect.

sudo systemctl restart rsyslog

Configure the rsyslog service to send syslog messages over the network to some other rsyslog server

To change a container so that it sends its syslog messages remotely over the network to another rsyslog service, you can use the built-in omfwd rsyslog module as follows.

*.* action(type="omfwd" target="" port="514" protocol="udp")

In any case, see the rsyslog post on this, which talks about further configuration, using TCP with or instead of UDP, keeping messages in case the rsyslog server is not responding, and so on.

Finally, a last touch would be to set up cloud-init configuration in your LXD container profile so that it automatically configures any newly created container to send the syslog messages to the server.

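As an added example (not part of any post in this thread, and not taken from the rsyslog post it mentions), the two halves of the forwarding setup described above could look like this, using TCP and a disk-assisted queue so that messages are kept while the host is not responding. The lxdbr0 address 10.10.10.1, the file names and the /var/log/containers path are assumptions; the queue relies on a work directory being set, as in Ubuntu's stock rsyslog.conf.

```conf
# ---- Host: /etc/rsyslog.d/10-lxd-receive.conf (hypothetical file name) ----
module(load="imtcp")

# One directory per sending container. %fromhost-ip% is the network source
# address of the connection, not the hostname the message claims for itself.
template(name="PerContainer" type="string"
         string="/var/log/containers/%fromhost-ip%/syslog.log")

# Received messages go only through this ruleset, so they are written to the
# per-container files and do not mix with the host's own /var/log/syslog.
ruleset(name="from_containers") {
    action(type="omfile" dynaFile="PerContainer")
}

# Bind to the bridge address only (assumed 10.10.10.1 on lxdbr0), so the
# syslog port is not opened on the VPS's public interface.
input(type="imtcp" address="10.10.10.1" port="514" ruleset="from_containers")


# ---- Container: /etc/rsyslog.d/90-forward.conf (hypothetical file name) ----
# Forward everything to the host over TCP.
#   queue.type / queue.filename : in-memory queue that spills to disk
#   queue.maxDiskSpace          : upper bound on the spool size
#   queue.saveOnShutdown        : keep queued messages across restarts
#   action.resumeRetryCount=-1  : retry forever instead of dropping messages
*.* action(type="omfwd" target="10.10.10.1" port="514" protocol="tcp"
           queue.type="LinkedList"
           queue.filename="fwd_to_host"
           queue.maxDiskSpace="1g"
           queue.saveOnShutdown="on"
           action.resumeRetryCount="-1")
```

After restarting rsyslog on both sides, `ss -ltn` on the host should show port 514 bound to the bridge address only.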

Hi Simon,
Yeah. I actually had the rsyslog streaming working. But with some applications, such as apache2, writing directly to /var/log, I just realized that mounting the log directory was a far simpler and more robust method for me to get the logs out of the container.