How much value in journald logs when rsyslog is used?

Greetings all,

I have 5 physical computers, 3 dedicated to a single task and 2 that run various VMs. I have 4 VMs that always run locally to run network services and a VM in Iceland to get around Comcrash not allowing port 25 inbound to CPE and for remote testing. Most of the systems are up to date on F36, except the firewall, a Raspberry Pi model B serving static web pages and public DNS, and the remote VM. The Raspberry and remote VM are on Debian.

I have rsyslog configured throughout to one of my local physical machines. As all the OSs (except the firewall) use journald for on-host logging, is there any significant value to be gained by retaining the journald log files in addition to the rsyslog data? I can’t for the life of me come up with anything that I’d need from an ancient journald log that the most important of that data is not in the rsyslog transferred data.

The security posture on all my machines is rather high. To successfully log into any machine, you’d need to guess both my SSH key passphrase and the password on the given machine. As I really only use my notebook for interactive sessions, all other machines send an email to a remote server very early in the login process. I can’t imagine anyone getting that far, but I’ll know if they do.

All of that to repeat the subject: how much added value is in the journald logs that isn’t in rsyslog? I’m transferring most everything with rsyslog already. I’m deciding between archiving them onto a machine here or deleting them for space, as needed.

Best regards,
Eric

At that point can I take the deafening silence here as a validation of my position?

Best regards,
Eric

For what it’s worth, it’s amazingly easy to ship existing journald logs remotely over syslog with fluentbit. That’s how I normally set it up.

Hi Scott,

While this is interesting information, it is unrelated to the question I posed. In the presence of all logs ALREADY being archived with rsyslog, is there anything of import I’ll lose by deleting old journald logs on the originating hosts?

I’ve already confirmed that the few processes I run on the original hosts to test for certain conditions produce the same results when executed against the archived logs on the archive host instead. Therefore, I know I’m already sending sufficient data for conditions for which I test.

Best regards,
Eric