
I have been investigating these three logging solutions, auditd, syslog, and journald, but there are still things that are unclear to me.

According to what I have read, auditd audits events in the kernel and has a very deep and strong view of the system. On the other hand, syslog collects logs from several sources on the system (services), and manages and organizes them.

My questions:

  1. What is the difference between journald and auditd?
  2. Should I maintain them all together on my server?
  3. Which of these components work together, and how?
roaima
Eran Nahshon

1 Answer


1- As @jordanm stated: "Auditd produces logs, syslog and journald collect them."

2- You should configure them if you have special needs for logging.

3- Journald is systemd's logging, but it can aggregate logging from other sources; syslog/rsyslog/syslog-ng can scrape journald's logs to parse them, apply local treatment to them, and/or forward them to a remote syslog server.

Sure, this is not a complete answer, because you should look at what each tool is.

Noki
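The chain the answer describes (auditd produces records, journald collects them, rsyslog scrapes the journal and forwards to a remote collector) as a worked configuration. This is an added example, not configuration from the answer or from the auditd, systemd or rsyslog projects. It assumes audit 3.x file paths, rsyslog 8 with the `rsyslog-gnutls` driver installed, and placeholder values for the collector name `logs.example.internal`, the CA file path and the `LOG_LOCAL6` facility, all of which you would replace for your own site.

```conf
# --- /etc/audit/plugins.d/syslog.conf
# (audit 3.x; older releases use /etc/audisp/plugins.d/syslog.conf)
# Hand a copy of every audit record to syslog in addition to
# /var/log/audit/audit.log, so an off-host copy exists if the local
# file is altered. The facility LOG_LOCAL6 is a constructed choice,
# not the plugin's default (which is LOG_INFO with the default facility).
active = yes
direction = out
path = builtin_syslog
type = builtin
args = LOG_INFO LOG_LOCAL6
format = string

# --- /etc/systemd/journald.conf
# rsyslog below pulls records directly from the journal with imjournal,
# so leave journald's own socket forwarding off; enabling both paths
# would deliver every message twice.
[Journal]
ForwardToSyslog=no

# --- /etc/rsyslog.d/10-forward.conf  (rsyslog 8 RainerScript syntax)
# Read the journal and remember the cursor across restarts so nothing
# is re-sent or skipped after a reboot.
module(load="imjournal" StateFile="imjournal.state")

# CA that signed the collector's certificate (placeholder path).
global(DefaultNetstreamDriverCAFile="/etc/rsyslog.d/collector-ca.pem")

# Keep the audit copy in its own local file, selected by the facility
# configured in the audisp plugin above.
local6.* action(type="omfile" file="/var/log/audit-syslog.log")

# Forward everything to the collector over TLS, verifying its name.
# The disk-assisted queue holds messages while the collector is
# unreachable instead of dropping them; retry forever.
*.* action(type="omfwd"
           target="logs.example.internal" port="6514" protocol="tcp"
           StreamDriver="gtls" StreamDriverMode="1"
           StreamDriverAuthMode="x509/name"
           StreamDriverPermittedPeers="logs.example.internal"
           queue.type="LinkedList" queue.filename="fwd_to_collector"
           queue.saveOnShutdown="on" action.resumeRetryCount="-1")
```

After editing, restart auditd (`service auditd restart` on distributions where systemd is not allowed to stop it), `systemctl restart systemd-journald rsyslog`, and check `journalctl -u rsyslog` for gtls or queue errors. One check worth doing once: confirm that a record you generate on the host (for example a login) appears both in `/var/log/audit/audit.log` and on the collector with the same audit serial, which is the evidence that the whole chain, not just the local file, is receiving the kernel audit stream.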