systemd-journal: Collect messages from the systemd-journal system log storage

The systemd-journal() source is used on various Linux distributions, such as RHEL (from RHEL7) and CentOS. The systemd-journal() source driver can read the structured name-value format of the journald system service, making it easier to reach the custom fields in the message. By default, AxoSyslog adds the .journald. prefix to the name of every parsed value. For a list and description of name-value pairs that journald provides, see the documentation of journald for your platform (for example, man systemd.journal-fields).

The systemd-journal() source driver is designed to read only local messages through the systemd-journal API. It is not possible to set the location of the journal files, or the directories.

Declaration:

   systemd-journal(options);

If you want to use multiple systemd-journal() sources in your configuration, the sources must use unique systemd namespaces. For details, see the namespace() option.

Example: Send all fields through syslog protocol

To send all fields through the syslog protocol, enter the prefix in the following format: ".SDATA.<name>".

    @version: 4.9.0
    
    source s_journald {
        systemd-journal(prefix(".SDATA.journald."));
    };
    
    destination d_network {
        syslog("server.host");
    };
    
    log {
        source(s_journald);
        destination(d_network);
    };

Example: Filter for a specific field

    @version: 4.9.0
    
    source s_journald {
        systemd-journal(prefix(".SDATA.journald."));
    };
    
    filter f_uid {"${.SDATA.journald._UID}" eq "1000"};
    
    destination d_network {
        syslog("server.host");
    };
    
    log {
        source(s_journald);
        filter(f_uid);
        destination(d_network);
    };

Example: Send all fields in value-pairs

    @version: 4.9.0
    
    source s_local {
        systemd-journal(prefix("journald."));
    };
    
    destination d_network {
        network("server.host" template("$(format_json --scope rfc5424 --key journald.*)\n"));
    };
    
    log {
        source(s_local);
        destination(d_network);
    };

The journal contains credential information about the process that sent the log message. The AxoSyslog application makes this information available in the following macros:

Journald fields as macros

    Journald field               AxoSyslog predefined macro   Note
    MESSAGE                      $MESSAGE
    _HOSTNAME                    $HOST
    _PID                         $PID
    _COMM or SYSLOG_IDENTIFIER   $PROGRAM                     If both _COMM and SYSLOG_IDENTIFIER exist, AxoSyslog uses SYSLOG_IDENTIFIER.
    SYSLOG_FACILITY              $FACILITY_NUM
    PRIORITY                     $LEVEL_NUM
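The following Python model, added here as an illustration and not part of AxoSyslog or its documentation, shows how the examples above fit together: a constructed journal entry is turned into prefixed name-value pairs, the macros from the table are derived (including the SYSLOG_IDENTIFIER-over-_COMM precedence for $PROGRAM, which matters because SYSLOG_IDENTIFIER is chosen by the sending process while the underscore-prefixed fields are set by journald), the `_UID` filter is evaluated, and the `--key journald.*` selection is rendered the way format_json nests dotted keys. The function names, the sample entry and the JSON rendering are assumptions of this example.

```python
import json

# Constructed sample journal entry (not captured from a real host). Fields that
# start with "_" are filled in by journald; the rest are supplied by the sender,
# so SYSLOG_IDENTIFIER ("sshd") need not match the real binary name in _COMM.
SAMPLE_ENTRY = {
    "MESSAGE": "Accepted publickey for alice", "_HOSTNAME": "host1",
    "_PID": 4242, "_UID": 1000, "_COMM": "python3",
    "SYSLOG_IDENTIFIER": "sshd", "SYSLOG_FACILITY": 4, "PRIORITY": 6,
}
# Journal field -> AxoSyslog macro, as listed in the table on this page.
MACRO_MAP = {"MESSAGE": "MESSAGE", "_HOSTNAME": "HOST", "_PID": "PID",
             "SYSLOG_FACILITY": "FACILITY_NUM", "PRIORITY": "LEVEL_NUM"}

def parse_journal_entry(entry, prefix=".journald."):
    """Model the source driver: every journal field becomes a name-value pair
    under `prefix` (the default is ".journald."), and the fields in MACRO_MAP
    are additionally exposed under their predefined macro names."""
    values = {prefix + name: str(val) for name, val in entry.items()}
    for field, macro in MACRO_MAP.items():
        if field in entry:
            values[macro] = str(entry[field])
    # $PROGRAM: when both exist, SYSLOG_IDENTIFIER takes precedence over _COMM.
    if "SYSLOG_IDENTIFIER" in entry:
        values["PROGRAM"] = str(entry["SYSLOG_IDENTIFIER"])
    elif "_COMM" in entry:
        values["PROGRAM"] = str(entry["_COMM"])
    return values

def match_uid(values, uid, prefix=".SDATA.journald."):
    """The page's filter: "${.SDATA.journald._UID}" eq "1000" (string compare)."""
    return values.get(prefix + "_UID") == uid

def format_json_keys(values, key_glob_prefix="journald."):
    """Approximates $(format_json --key journald.*): keep the matching keys and,
    as format_json does, turn each dot in a key name into a nested object."""
    out = {}
    for name, val in values.items():
        if name.startswith(key_glob_prefix):
            node = out
            *parents, leaf = name.split(".")
            for part in parents:
                node = node.setdefault(part, {})
            node[leaf] = val
    return json.dumps(out, sort_keys=True)
```

Because $PROGRAM follows SYSLOG_IDENTIFIER, filters that must not be fooled by a process choosing its own identifier should compare the journald-supplied `_COMM` or `_UID` pair instead of `$PROGRAM`.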