Journald

Example Configuration

Sample Output

Config

[sources.my_source_id]
type = "journald"

Input

"2019-07-26 20:30:27 reply from 192.168.1.2: offset -0.001791 delay 0.000176, next query 1500s"

Output

[
  {
    "log": {
      "timestamp": "2020-10-10T17:07:36.452332Z",
      "message": "reply from 192.168.1.2: offset -0.001791 delay 0.000176, next query 1500s",
      "host": "my-host.local",
      "__REALTIME_TIMESTAMP": "1564173027000443",
      "__MONOTONIC_TIMESTAMP": "98694000446",
      "_BOOT_ID": "124c781146e841ae8d9b4590df8b9231",
      "SYSLOG_FACILITY": "3",
      "_UID": "0",
      "_GID": "0",
      "_CAP_EFFECTIVE": "3fffffffff",
      "_MACHINE_ID": "c36e9ea52800a19d214cb71b53263a28",
      "PRIORITY": "6",
      "_TRANSPORT": "stdout",
      "_STREAM_ID": "92c79f4b45c4457490ebdefece29995e",
      "SYSLOG_IDENTIFIER": "ntpd",
      "_PID": "2156",
      "_COMM": "ntpd",
      "_EXE": "/usr/sbin/ntpd",
      "_CMDLINE": "ntpd: [priv]",
      "_SYSTEMD_CGROUP": "/system.slice/ntpd.service",
      "_SYSTEMD_UNIT": "ntpd.service",
      "_SYSTEMD_SLICE": "system.slice",
      "_SYSTEMD_INVOCATION_ID": "496ad5cd046d48e29f37f559a6d176f8"
    }
  }
]

Configuration Options

Required Options

type (required)

The component type. This is a required field for all components and tells Vector which component to use.

Type: string
Syntax: literal
Example: ["journald"]

Advanced Options

batch_size (optional)

The systemd journal is read in batches, and a checkpoint is set at the end of each batch. This option limits the size of the batch.

Type: uint16

current_boot_only (optional)

Include only entries from the current boot.

Type: bool

exclude_units (optional)

The list of unit names to exclude from monitoring. Unit names lacking a "." will have ".service" appended to make them a valid service unit name.

Type: array
Syntax: literal
Example: ["badservice","sysinit.target"]

include_units (optional)

The list of unit names to monitor. If empty or not present, all units are accepted. Unit names lacking a "." will have ".service" appended to make them a valid service unit name.

Type: array
Syntax: literal
Example: ["ntpd","sysinit.target"]

journalctl_path (optional)

The full path of the journalctl executable. If not set, Vector will search the path for journalctl.

Type: string
Syntax: literal
Default: journalctl
Example: ["/usr/local/bin/journalctl"]

data_dir (optional)

The directory used to persist file checkpoint positions. By default, the global data_dir option is used. Make sure Vector has write permissions to this directory.

Type: string
Syntax: file_system_path
Example: ["/var/lib/vector"]

journal_directory (optional)

The full path of the journal directory. If not set, journalctl will use the default system journal paths.

Type: string
Syntax: literal
Example: ["/run/log/journal"]

How it Works

Communication Strategy

To ensure the journald source works across all platforms, Vector interacts with the systemd journal via the journalctl command, which it spawns as a subprocess. If the journalctl command is not in the environment path, you can specify its exact location via the journalctl_path option. For more information on this communication strategy, see issue #1473.

State

This component is stateless, meaning its behavior is consistent across each input.

Checkpointing

Vector checkpoints the current read position after each successful read. This ensures that Vector resumes where it left off if restarted, preventing data from being read twice. The checkpoint positions are stored in the data directory, which is specified via the global data_dir option but can be overridden via the data_dir option in the journald source directly.

Non-ASCII Messages

When journald has stored a message that is not strict ASCII, journalctl will output it in an alternate format to prevent data loss. Vector handles this alternate format by translating such messages into UTF-8 in "lossy" mode, where characters that are not valid UTF-8 are replaced with the Unicode replacement character, .
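
The Python sketch below is an added example, not Vector's own code: it applies the unit-name rule described for include_units and exclude_units, and the lossy UTF-8 translation described above, to constructed journal entries. It assumes journalctl's JSON output, where a field that is not printable UTF-8 arrives as an array of byte values; the function names and the choice to let exclusions win over inclusions are assumptions of the example.

```python
import json

# Constructed sample of journalctl JSON lines (not real log data).
# The second entry carries MESSAGE as a byte array, the form journalctl's
# JSON output uses for fields that are not printable UTF-8.
SAMPLE_LINES = [
    '{"_SYSTEMD_UNIT": "ntpd.service", "MESSAGE": "reply from 192.168.1.2"}',
    '{"_SYSTEMD_UNIT": "ntpd.service", "MESSAGE": [98, 97, 100, 32, 255, 32, 195, 169]}',
    '{"_SYSTEMD_UNIT": "badservice.service", "MESSAGE": "noise"}',
    '{"_SYSTEMD_UNIT": "sysinit.target", "MESSAGE": "Reached target"}',
]


def normalize_unit(name):
    """Append ".service" to unit names lacking a ".", as the options describe."""
    return name if "." in name else name + ".service"


def decode_field(value):
    """Return a str; byte arrays are decoded as UTF-8 in lossy mode."""
    if isinstance(value, list):
        # Invalid sequences become U+FFFD instead of raising or being dropped,
        # so a malformed message cannot silently vanish from the pipeline.
        return bytes(value).decode("utf-8", errors="replace")
    return value


def filter_entries(lines, include_units=(), exclude_units=()):
    """Keep entries whose unit passes the include/exclude lists."""
    include = {normalize_unit(u) for u in include_units}
    exclude = {normalize_unit(u) for u in exclude_units}
    events = []
    for line in lines:
        entry = json.loads(line)
        unit = entry.get("_SYSTEMD_UNIT", "")
        # Assumption of this example: an excluded unit is dropped even if it
        # is also included; an empty include list accepts every unit.
        if unit in exclude or (include and unit not in include):
            continue
        message = decode_field(entry.get("MESSAGE", ""))
        events.append({"unit": unit, "message": message})
    return events


if __name__ == "__main__":
    for event in filter_entries(SAMPLE_LINES, include_units=["ntpd", "sysinit.target"]):
        print(event)
```

Because the invalid byte is replaced rather than removed, downstream detection rules that match on message text should expect U+FFFD in place of the original byte.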

Context

By default, the journald source augments events with helpful context keys.