README
¶
Journald Receiver
| Status | |
|---|---|
| Stability | alpha: logs |
| Unsupported Platforms | darwin, windows |
| Distributions | contrib, k8s |
| Issues | |
| Code coverage |  |
| Code Owners | @belimawr, @namco1992 |
| Emeritus | @djaglowski, @sumo-drosiek |
Parses Journald events from systemd journal. Journald receiver requires that:
- the
journalctlbinary is present in the $PATH of the agent, or is present atjournalctl_pathif configured; and - the collector's user has sufficient permissions to access the journal through
journalctl.
Configuration
| Field | Default | Description |
|---|---|---|
directory |
/run/log/journal or /run/journal |
A directory containing journal files to read entries from. Relative to root_path. |
files |
A list of journal files to read entries from. Relative to root_path. |
|
start_at |
end |
At startup, where to start reading logs from the file. Options are beginning or end |
units |
A list of units to read entries from. See Multiple filtering options examples. | |
identifiers |
Filter output by message identifiers (SYSTEMD_IDENTIFIER). See Multiple filtering options examples. |
|
matches |
A list of matches to read entries from. See Matches and Multiple filtering options examples. | |
priority |
info |
Filter output by message priorities or priority ranges. See Multiple filtering options examples. |
grep |
Filter output to entries where the MESSAGE= field matches the specified regular expression. See Multiple filtering options examples. | |
dmesg |
'false' | Show only kernel messages. This shows logs from current boot and adds the match _TRANSPORT=kernel. See Multiple filtering options examples. |
storage |
none | The ID of a storage extension to be used to store cursors. Cursors allow the receiver to pick up where it left off in the case of a collector restart. If no storage extension is used, the receiver will manage cursors in memory only. |
all |
'false' | If true, very long logs and logs with unprintable characters will also be included. |
namespace |
Will query the given namespace. See man page systemd-journald.service(8) for details. |
|
convert_message_bytes |
'false' | If true and if the MESSAGE field is read as an array of bytes, the array will be converted to string. |
merge |
'false' | If true, read from all available journals, including remote ones. |
retry_on_failure.enabled |
false |
If true, the receiver will pause reading a file and attempt to resend the current batch of logs if it encounters an error from downstream components. |
retry_on_failure.initial_interval |
1 second |
Time to wait after the first failure before retrying. |
retry_on_failure.max_interval |
30 seconds |
Upper bound on retry backoff interval. Once this value is reached the delay between consecutive retries will remain constant at the specified value. |
retry_on_failure.max_elapsed_time |
5 minutes |
Maximum amount of time (including retries) spent trying to send a logs batch to a downstream consumer. Once this value is reached, the data is discarded. Retrying never stops if set to 0. |
root_path |
Chroot to use when executing the journalctl command. Must be an absolute path or empty. When empty (default), no chroot is used when executing journalctl. | |
journalctl_path |
journalctl |
journalctl command to execute. Relative to root_path. Must be an absolute path if root_path is non-empty. See below for more details |
operators |
[] | An array of operators. See below for more details |
Operators
Each operator performs a simple responsibility, such as parsing a timestamp or JSON. Chain together operators to process logs into a desired format.
- Every operator has a
type. - Every operator can be given a unique
id. If you use the same type of operator more than once in a pipeline, you must specify anid. Otherwise, theiddefaults to the value oftype. - Operators will output to the next operator in the pipeline. The last operator in the pipeline will emit from the receiver. Optionally, the
outputparameter can be used to specify theidof another operator to which logs will be passed directly. - Only parsers and general purpose operators should be used.
Example Configurations
Minimal configuration
The following configuration is the minimal configuration to read journald logs:
receivers:
journald:
will be passed to journalctl as the following arguments: journalctl ... --priority info. This will read the 10 most recent entries and
any subsequent entry. --priority info is the default priority, the
following examples will omit it for simplicity.
Cursor tracking
receivers:
journald:
storage: file_storage/journald
extensions:
file_storage/journald:
directory: .
service:
extensions: [file_storage/journald]
If you stop and start the otel collector, only new entries will be read.
Reading from the beginning
receivers:
journald:
start_at: beginning
will be passed to journalctl as the following arguments: journalctl ... --no-tail. This will read all messages from the current boot.
Units
receivers:
journald:
directory: /run/log/journal
units:
- ssh
- kubelet
- docker
- containerd
priority: info
Matches
The following configuration:
- type: journald_input
matches:
- _SYSTEMD_UNIT: ssh
- _SYSTEMD_UNIT: kubelet
_UID: "1000"
will be passed to journalctl as the following arguments: journalctl ... _SYSTEMD_UNIT=ssh + _SYSTEMD_UNIT=kubelet _UID=1000,
which is going to retrieve all entries which match at least one of the following rules:
_SYSTEMD_UNITisssh_SYSTEMD_UNITiskubeletand_UIDis1000
Multiple filtering options
In case of using multiple following options, conditions between them are logically ANDed and within them are logically ORed:
( dmesg )
AND
( priority )
AND
( units[0] OR units[1] OR units[2] OR ... units[U] )
AND
( identifier[0] OR identifier[1] OR identifier[2] OR ... identifier[I] )
AND
( matches[0] OR matches[1] OR matches[2] OR ... matches[M] )
AND
( grep )
Consider the following example:
- type: journald_input
matches:
- _SYSTEMD_UNIT: ssh
- _SYSTEMD_UNIT: kubelet
_UID: "1000"
units:
- kubelet
- systemd
priority: info
identifiers:
- systemd
The above configuration will be passed to journalctl as the following arguments
journalctl ... --priority=info --unit=kubelet --unit=systemd --identifier=systemd _SYSTEMD_UNIT=ssh + _SYSTEMD_UNIT=kubelet _UID=1000,
which is going to effectively retrieve all entries which matches the following set of rules:
-
_PRIORITYis6, and -
_SYSTEMD_UNITiskubeletorsystemd, and -
SYSLOG_IDENTIFIERsystemd, and -
entry matches at least one of the following rules:
_SYSTEMD_UNITisssh_SYSTEMD_UNITiskubeletand_UIDis1000
Setup and deployment
The user running the collector must have enough permissions to access the journal; not granting them will lead to issues.
Docker & Kubernetes
When running otelcol in a container, note that:
- the container must run as a user that has permission to access the logs
- the path to the log directory (
/run/log/journal,/var/log/journal...) must be mounted in the container - depending on your guest system, you might need to explicitly set the log directory in the configuration
- differences in the systemd version running on the host and on the container may prevent access to logs due to different features and configurations (e.g. zstd compression, keyed hash etc)
Please note that the official otelcol images do not contain the journalctl binary. The next two sections describe two approaches for providing a journalctl binary to the collector when running in a container.
Bundling journalctl with the collector
If the container only needs to run on a limited set of hosts for which there is a common compatible version of journalctl, then you can build a collector container that includes journalctl. There is a simple example with a step-by-step, including a Dockerfile in examples/container.
Invoking journalctl from a mounted chroot
Some collector containers need to work across a variety of arbitrary hosts that may be running mutually incompatible versions of journalctl, making it difficult to select a single version of journalctl to bundle into the container.
One way to solve this problem is to ensure that the collector running in the container invokes the exact same journalctl that was used to write the logs in the first place. To achieve this, you can mount the host's rootfs to the container and then configure the receiver to run the host's journalctl in a chroot for that mount.
You can pass -v /:/host to docker run to mount the host's rootfs:
docker run -v /:/host otel/opentelemetry-collector-contrib
Then, you can configure the receiver with root_path to use that mount as a chroot for journalctl. Due to a Go issue, running executables from $PATH does not work well in a chroot, so you must also use journalctl_path to configure a full path to journalctl inside of the chroot:
receivers:
journald:
root_path: /host
journalctl_path: /usr/bin/journalctl
You also need to ensure the user running the collector can run the journalctl from the chroot, one way to do this is to run the collector as root:
docker run -v /:/host --user 0 otel/opentelemetry-collector-contrib
Linux packaging
When installing otelcol as a linux package, you will most likely need to add the otelcol-contrib or otel user to the systemd-journal group. The exact user and group might vary depending on your package and linux distribution of choice.
You can test if the user has sufficient permissions by running something like (you might need to adjust according to available shell and opentelemetry user)
sudo su -s /bin/bash -c 'journalctl --lines 5' otelcol-contrib
if the permissions are set correctly you will see some logs, otherwise a clear error message.
Documentation
¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func NewFactory ¶
NewFactory creates a factory for journald receiver
Types ¶
type JournaldConfig ¶
type JournaldConfig struct {
adapter.BaseConfig `mapstructure:",squash"`
InputConfig journald.Config `mapstructure:",squash"`
// contains filtered or unexported fields
}
JournaldConfig defines configuration for the journald receiver
Source Files
Directories