journald source

Ingests data through log records from journald and outputs `log` events.

The journald source is in beta. Please see the current enhancements and bugs for known issues. We kindly ask that you add any missing issues as it will help shape the roadmap of this component.

Config File

vector.toml (simple)

[sources.my_source_id]
# REQUIRED
type = "journald" # must be: "journald"

# OPTIONAL
units = ["ntpd", "sysinit.target"]

# For a complete list of options, see the advanced example below.

vector.toml (advanced)

[sources.journald_source]
# The component type
#
# * required
# * no default
# * must be: "journald"
type = "journald"

# Include only entries from the current runtime (boot)
#
# * optional
# * default: true
current_runtime_only = true

# The directory used to persist the journal checkpoint position. By default,
# the global `data_dir` is used. Please make sure the Vector process has write
# permissions to this directory.
#
# * optional
# * no default
data_dir = "/var/lib/vector"

# Include only entries from the local system
#
# * optional
# * default: true
local_only = true

# The list of unit names to monitor. If empty or not present, all units are
# accepted. Unit names lacking a `"."` will have `".service"` appended to make
# them a valid service unit name.
#
# * optional
# * no default
units = ["ntpd", "sysinit.target"]

Examples

Given the following journald record:

journald record
__REALTIME_TIMESTAMP=1564173027000443
__MONOTONIC_TIMESTAMP=98694000446
_BOOT_ID=124c781146e841ae8d9b4590df8b9231
SYSLOG_FACILITY=3
_UID=0
_GID=0
_CAP_EFFECTIVE=3fffffffff
_MACHINE_ID=c36e9ea52800a19d214cb71b53263a28
_HOSTNAME=lorien.example.com
PRIORITY=6
_TRANSPORT=stdout
_STREAM_ID=92c79f4b45c4457490ebdefece29995e
SYSLOG_IDENTIFIER=ntpd
_PID=2156
_COMM=ntpd
_EXE=/usr/sbin/ntpd
_CMDLINE=ntpd: [priv]
_SYSTEMD_CGROUP=/system.slice/ntpd.service
_SYSTEMD_UNIT=ntpd.service
_SYSTEMD_SLICE=system.slice
_SYSTEMD_INVOCATION_ID=496ad5cd046d48e29f37f559a6d176f8
MESSAGE=reply from 192.168.1.2: offset -0.001791 delay 0.000176, next query 1500s

A log event will be emitted with the following structure:

log
{
  "timestamp": <2019-07-26T20:30:27.000443Z>,
  "message": "reply from 192.168.1.2: offset -0.001791 delay 0.000176, next query 1500s",
  "host": "lorien.example.com",
  "__REALTIME_TIMESTAMP": "1564173027000443",
  "__MONOTONIC_TIMESTAMP": "98694000446",
  "_BOOT_ID": "124c781146e841ae8d9b4590df8b9231",
  "SYSLOG_FACILITY": "3",
  "_UID": "0",
  "_GID": "0",
  "_CAP_EFFECTIVE": "3fffffffff",
  "_MACHINE_ID": "c36e9ea52800a19d214cb71b53263a28",
  "PRIORITY": "6",
  "_TRANSPORT": "stdout",
  "_STREAM_ID": "92c79f4b45c4457490ebdefece29995e",
  "SYSLOG_IDENTIFIER": "ntpd",
  "_PID": "2156",
  "_COMM": "ntpd",
  "_EXE": "/usr/sbin/ntpd",
  "_CMDLINE": "ntpd: [priv]",
  "_SYSTEMD_CGROUP": "/system.slice/ntpd.service",
  "_SYSTEMD_UNIT": "ntpd.service",
  "_SYSTEMD_SLICE": "system.slice",
  "_SYSTEMD_INVOCATION_ID": "496ad5cd046d48e29f37f559a6d176f8"
}
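
The mapping above and the `units` filter, sketched in Python as an added example (not Vector's own code): it turns a `KEY=VALUE` record into the event shape shown and separates the underscore-prefixed fields, which systemd documents as set by journald itself rather than by the logging process. The function names, the trimmed sample record, and matching `units` against `_SYSTEMD_UNIT` are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: a subset of the journald record shown above.
SAMPLE_RECORD = """\
__REALTIME_TIMESTAMP=1564173027000443
_HOSTNAME=lorien.example.com
PRIORITY=6
SYSLOG_IDENTIFIER=ntpd
_PID=2156
_SYSTEMD_UNIT=ntpd.service
MESSAGE=reply from 192.168.1.2: offset -0.001791 delay 0.000176, next query 1500s
"""

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def normalize_unit(name):
    # Unit names lacking a "." get ".service" appended (per the `units` option).
    return name if "." in name else name + ".service"


def to_log_event(record_text):
    # Split each KEY=VALUE line on the first "=" only; values may contain "=".
    fields = dict(line.split("=", 1) for line in record_text.splitlines() if "=" in line)
    event = dict(fields)  # every journald field is kept as a string
    # __REALTIME_TIMESTAMP is microseconds since the epoch; integer math avoids float rounding.
    event["timestamp"] = EPOCH + timedelta(microseconds=int(fields["__REALTIME_TIMESTAMP"]))
    # MESSAGE and _HOSTNAME are renamed, matching the event structure shown above.
    event["message"] = event.pop("MESSAGE", "")
    event["host"] = event.pop("_HOSTNAME", "")
    return event


def unit_selected(event, units):
    # An empty `units` list accepts everything.
    # Assumption: the filter compares against the _SYSTEMD_UNIT field.
    if not units:
        return True
    return event.get("_SYSTEMD_UNIT") in {normalize_unit(u) for u in units}


def journald_set_fields(event):
    # Fields with a leading underscore are added by journald itself; the rest
    # (e.g. SYSLOG_IDENTIFIER, PRIORITY) are supplied by the logging process.
    return {k: v for k, v in event.items() if k.startswith("_")}
```

When building detections on these events, prefer the fields returned by `journald_set_fields` (such as `_SYSTEMD_UNIT` or `_PID`) over `SYSLOG_IDENTIFIER`, which the logging process chooses.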

How It Works

Delivery Guarantee

Due to the nature of this component, it offers a best effort delivery guarantee.

Environment Variables

Environment variables are supported throughout Vector's configuration. Simply add `${MY_ENV_VAR}` in your Vector configuration file and the variable will be replaced before being evaluated.

You can learn more in the Environment Variables section.

Troubleshooting

The best place to start with troubleshooting is to check the Vector logs. These are typically located at `/var/log/vector.log`. Then proceed to follow the Troubleshooting Guide.

If the Troubleshooting Guide does not resolve your issue, please:

  1. If you encountered a bug, please file a bug report.

  2. If you encountered a missing feature, please file a feature request.

  3. If you need help, join our chat/forum community. You can post a question and search previous questions.

Resources