Logs as My Second Brain

With multiple services (Vault, proxies, apps, agents) running under different Unix users, logs can easily end up scattered:

  • /home/*/containers/.../logs,
  • systemd journal,
  • application-specific files.

I want a single place where I can:

  • see what happened before an incident,
  • correlate events between components,
  • and debug strange behaviour in Vault, proxies, or apps.

The Logging Direction

The picture in my head:

[Vault]          [proxies]         [apps]
  │                │                │
  └─► syslog / file / JSON logs ────┘
                   │
                   ▼
           [ loguser stack ]
           (Graylog / other)

  • Each service logs in a structured way (JSON if possible).
  • loguser runs the logging/observability stack with rootless Podman.
  • Access to logs is limited to loguser (and root).

Why This Matters for Security

When something breaks (or someone attacks), I don’t just want an error like:

tls: expired certificate

I want:

  • timestamps,
  • which cert was used,
  • from which reverse proxy,
  • and what Vault did at the same time.
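A sketch of that correlation over structured logs, added here as an example and not taken from this setup: it finds the TLS error and pulls in what other services logged around the same time. The field names (ts, service, host, msg, cert_serial) and all sample lines are constructed assumptions, not the real output format of Vault, Graylog or any proxy.

```python
import json
from datetime import datetime, timedelta

# Constructed sample lines; the field names (ts, service, host, msg, cert_serial)
# are assumptions for this example, not a schema from Vault, Graylog or any proxy.
SAMPLE_LOGS = """\
{"ts": "2024-05-01T09:58:40Z", "service": "vault", "host": "vps1", "msg": "pki: certificate issue request denied", "role": "proxy-edge"}
{"ts": "2024-05-01T09:59:58Z", "service": "app", "host": "vps1", "msg": "upstream request failed"}
{"ts": "2024-05-01T10:00:00Z", "service": "proxy", "host": "edge-1", "msg": "tls: expired certificate", "cert_serial": "00:AA:EXAMPLE"}
this line is not JSON and must not break the parser
{"ts": "2024-05-01T10:30:00Z", "service": "vault", "host": "vps1", "msg": "token renewed"}
"""

def parse(text):
    """Yield (timestamp, event) for each valid JSON line; skip anything else."""
    for line in text.splitlines():
        try:
            event = json.loads(line)
            ts = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        except (ValueError, KeyError, TypeError, AttributeError):
            continue  # unstructured or incomplete line: cannot be correlated
        yield ts, event

def correlate(text, needle, window=timedelta(minutes=2)):
    """For each event whose msg contains `needle`, collect events from other
    services that fall within `window` before or after it."""
    events = sorted(parse(text), key=lambda pair: pair[0])
    incidents = []
    for ts, event in events:
        if needle not in str(event.get("msg", "")):
            continue
        context = [e for t, e in events
                   if e is not event
                   and e.get("service") != event.get("service")
                   and abs(t - ts) <= window]
        incidents.append({"trigger": event, "context": context})
    return incidents

if __name__ == "__main__":
    for incident in correlate(SAMPLE_LOGS, "expired certificate"):
        t = incident["trigger"]
        print(t["ts"], t["host"], t["msg"], t.get("cert_serial"))
        for e in incident["context"]:
            print("   ", e["ts"], e["service"], e["msg"])
```

The plain-text line in the sample is dropped silently, which is the practical argument for JSON logging: anything unstructured falls out of the correlation.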

Even a small VPS benefits massively from a half-decent logging story.