I have 5 physical computers, 3 dedicated to a single task and 2 that run various VMs. I have 4 VMs that always run locally to run network services and a VM in Iceland to get around Comcrash not allowing port 25 inbound to CPE and for remote testing. Most of the systems are up to date on F36, except the firewall, a Raspberry Pi model B serving static web pages and public DNS, and the remote VM. The Raspberry and remote VM are on Debian.
I have rsyslog configured throughout to one of my local physical machines. As all the OSs (except the firewall) use journald for on-host logging, is there any significant value to be gained by retaining the journald log files in addition to the rsyslog data? I can’t for the life of me come up with anything that I’d need from an ancient journald log that the most important of that data is not in the rsyslog transferred data.
The security posture on all my machines is rather high. To successfully log into any machine, you’d need to guess both my SSH key passphrase and the password on the given machine. As I really only use my notebook for interactive sessions, all other machines send an email to a remote server very early in the login process. I can’t imagine anyone getting that far, but I’ll know if they do.
All of that to repeat the subject: how much added value is in the journald logs that isn’t in rsyslog? I’m transferring most everything with rsyslog already. I’m deciding between archiving them onto a machine here or deleting them for space, as needed.