systemd-journal() source options
The systemd-journal() driver has the following options:
chain-hostnames()
| | |
|---|---|
| Accepted values: | yes, no |
| Default: | no |
Description: Enable or disable the chained hostname format. For details, see the chain-hostnames() global option.
default-facility()
| | |
|---|---|
| Type: | facility string |
| Default: | local0 |
Description: The default facility value if the SYSLOG_FACILITY entry does not exist.
default-level()
| | |
|---|---|
| Type: | string |
| Default: | notice |
Description: The default level value if the PRIORITY entry does not exist.
default-priority()
| | |
|---|---|
| Type: | priority string |
| Default: | |
Description: This parameter assigns a default priority to the messages received from this source if the message does not specify one. For example, default-priority(warning).
default-severity()
| | |
|---|---|
| Type: | severity string |
| Default: | notice |
Description: Assigns a default severity to messages received from this source when the message doesn’t specify one. Accepts the standard syslog severity keywords (for example, emerg, alert, crit, err, warning, notice, info, debug). Combined with default-facility() to compute the message priority.
dns-cache()
| | |
|---|---|
| Accepted values: | yes, no |
| Default: | no |
Description: Enable or disable DNS cache usage.
hook-commands()
Description: This option makes it possible to execute external programs when the relevant driver is initialized or torn down. The hook-commands() can be used with all source and destination drivers with the exception of the usertty() and internal() drivers.
Note
The AxoSyslog application must be able to start and restart the external program, and have the necessary permissions to do so. For example, if your host is running AppArmor or SELinux, you might have to modify your AppArmor or SELinux configuration to enable AxoSyslog to execute external applications.
Using hook-commands() when AxoSyslog starts or stops
To execute an external program when AxoSyslog starts or stops, use the following options:
startup()
| | |
|---|---|
| Type: | string |
| Default: | N/A |
Description: Defines the external program that is executed as AxoSyslog starts.
shutdown()
| | |
|---|---|
| Type: | string |
| Default: | N/A |
Description: Defines the external program that is executed as AxoSyslog stops.
Using the hook-commands() when AxoSyslog reloads
To execute an external program when the AxoSyslog configuration is initiated or torn down, for example, on startup/shutdown or during an AxoSyslog reload, use the following options:
setup()
| | |
|---|---|
| Type: | string |
| Default: | N/A |
Description: Defines an external program that is executed when the AxoSyslog configuration is initiated, for example, on startup or during an AxoSyslog reload.
teardown()
| | |
|---|---|
| Type: | string |
| Default: | N/A |
Description: Defines an external program that is executed when the AxoSyslog configuration is stopped or torn down, for example, on shutdown or during an AxoSyslog reload.
Example: Using hook-commands() with a network source
In the following example, hook-commands() is used with the network() driver to open an iptables port automatically as AxoSyslog is started and to close it again when AxoSyslog is stopped.
The assumption in this example is that the LOGCHAIN chain is part of a larger ruleset that routes traffic to it. Whenever the AxoSyslog-created rule is present, packets can flow; otherwise the port is closed.
```conf
source s_network {
    network(transport(udp)
        hook-commands(
            startup("iptables -I LOGCHAIN 1 -p udp --dport 514 -j ACCEPT")
            shutdown("iptables -D LOGCHAIN 1")
        )
    );
};
```
host-override()
Description: Replaces the ${HOST} part of the message with the parameter string.
internal()
| | |
|---|---|
| Accepted values: | yes, no |
| Default: | no |
Description: Marks this pipeline element as internal. Elements marked as internal() are treated as an implementation detail, so for example statistics of the given pipe are available only on higher stats level. This option is mainly useful for developers or when writing SCL blocks and integrations.
keep-hostname()
| | |
|---|---|
| Type: | yes or no |
| Default: | no |
Description: Enable or disable hostname rewriting.
- If enabled (keep-hostname(yes)), AxoSyslog will retain the hostname information read from the systemd journal messages.
- If disabled (keep-hostname(no)), AxoSyslog will use the hostname that has been set up for the operating system instance that AxoSyslog is running on. To query or set this value, use the hostnamectl command.
This option can be specified globally, and per-source as well. The local setting of the source overrides the global option if available.
keep-timestamp()
| | |
|---|---|
| Type: | yes or no |
| Default: | yes |
Description: Specifies whether AxoSyslog should accept the timestamp received from the sending application or client. If disabled, the time of reception will be used instead. This option can be specified globally, and per-source as well. The local setting of the source overrides the global option if available.
Warning
To use the S_ macros, the keep-timestamp() option must be enabled (this is the default behavior of AxoSyslog).
log-fetch-limit()
| | |
|---|---|
| Type: | number |
| Default: | 100 |
Description: The maximum number of messages fetched from a source during a single poll loop. The destination queues might fill up before flow-control could stop reading if log-fetch-limit() is too high.
log-iw-size()
| | |
|---|---|
| Type: | number |
| Default: | 100 |
Description: Specifies the source window size - the maximum number of in-flight messages permitted by the source before flow control is enforced. This only applies when flow-control is enabled.
Warning
If you change the value of log-iw-size() and keep-alive() is enabled, the change will affect only new connections; the log-iw-size() of kept-alive connections will not change. To apply the new log-iw-size() value to every connection, [restart the syslog-ng service](/docs/axosyslog-core/quickstart/managing-and-checking-linux/#restart-axosyslog). A simple configuration reload is NOT sufficient.
If the source is receiving data using the UDP protocol, always restart the syslog-ng service after changing the value of log-iw-size() for the changes to take effect.
Note that when using disk-buffer(), the messages stored on disk are not included in the window size calculation. For details about the effects of this parameter, see Managing incoming and outgoing messages with flow-control.
log-prefix() (DEPRECATED)
Description: A string added to the beginning of every log message. It can be used to add an arbitrary string to any log source, though it is most commonly used for adding kernel: to the kernel messages on Linux.
Note
This option is deprecated. Use program-override instead.
long-hostnames()
Obsolete alias for chain-hostnames().
match-boot()
| | |
|---|---|
| Type: | yes, no |
| Default: | no |
Available in AxoSyslog 4.1 and later.
Description: If set to yes, AxoSyslog fetches only journal messages that relate to the current boot, and ignores messages generated in previous boots.
matches()
| | |
|---|---|
| Type: | arrow list |
| Default: | |
Available in AxoSyslog 4.1 and later.
Description: Specifies one or more filters to apply on the journal fields, similarly to how you can filter with journalctl. For example:
```conf
matches(
    "_COMM" => "systemd"
)
```
max-field-size()
| | |
|---|---|
| Type: | number (characters) |
| Default: | 65536 |
Description: The maximum length of a field’s value.
namespace()
| | |
|---|---|
| Type: | string |
| Default: | "*" |
Description: The namespace() option works exactly the same way as the respective option of the journalctl command line tool.
The following modes of operation are available:
- If you do not specify the namespace() option in your configuration, or if you specify an empty string, the systemd-journal() source reads and displays log data from all namespaces.
- If you specify the namespace() option as namespace("*"), the systemd-journal() source reads and displays log data from all namespaces, interleaved.
- If namespace(<specific-namespace>) is specified, the systemd-journal() source only reads and displays log data from the specified namespace.
- If the namespace identifier is prefixed with "+" when you specify your namespace() option, the systemd-journal() source only reads and displays log data from the specified namespace and the default namespace, interleaved.
Starting with AxoSyslog 4.4, you can use multiple systemd-journal() sources in your configuration. In this case, each source must use unique systemd namespaces.
Syntax: namespace(string)
Example: configuration examples for using the namespace() option
The following configuration example uses the default value for the namespace() option:
```conf
source s_journal {
    systemd-journal(namespace("*"));
};
```
The following configuration example uses a prefixed namespace identifier in the namespace() option:
```conf
source s_journal {
    systemd-journal(namespace("+foobar"));
};
```
Note
Namespace support was introduced to the journalctl command line tool in Systemd version 2.45. The AxoSyslog application supports the namespace() option from version 3.29. For further information about namespaces on the Systemd side, see Journal Namespaces.
normalize-hostnames()
| | |
|---|---|
| Accepted values: | yes, no |
| Default: | no |
Description: If enabled (normalize-hostnames(yes)), AxoSyslog converts the hostnames to lowercase.
Note
This setting applies only to hostnames resolved from DNS. It has no effect if the keep-hostname() option is enabled, and the message contains a hostname.
persist-name()
| | |
|---|---|
| Type: | string |
| Default: | N/A |
Description: If you receive the following error message during AxoSyslog startup, set the persist-name() option of the duplicate drivers:
Error checking the uniqueness of the persist names, please override it with persist-name option. Shutting down.
This error happens if you use identical drivers in multiple sources, for example, if you configure two file sources to read from the same file. In this case, set the persist-name() of the drivers to a custom string, for example, persist-name("example-persist-name1").
prefix()
| | |
|---|---|
| Type: | string |
| Default: | .journald. |
Description: If this option is set, every non-built-in mapped name gets a prefix (for example: ".SDATA.journald."). By default, AxoSyslog adds the .journald. prefix to every value.
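As an added example (not part of the original page or of the AxoSyslog project), the following configuration combines the matches(), match-boot(), prefix(), default-facility() and default-level() options described above: it reads only current-boot journal entries whose _COMM field is sshd, keeps the mapped journal fields under the default .journald. prefix so they can be referenced as ${.journald._COMM} and similar macros in a template, and writes them to an assumed file path, /var/log/sshd-journal.log. The @version line and the source/destination names are assumptions.

```conf
@version: 4.4

# Only entries from the current boot whose _COMM journal field is "sshd".
# Journal fields are mapped to ${.journald.<FIELD>} because of prefix().
source s_journal_sshd {
    systemd-journal(
        namespace("*")
        match-boot(yes)
        matches(
            "_COMM" => "sshd"
        )
        prefix(".journald.")
        default-facility(auth)
        default-level(info)
        log-fetch-limit(200)
    );
};

# The mapped fields (_COMM, _PID, _UID are standard journal fields) are
# available as macros under the configured prefix. The output path is assumed.
destination d_sshd_file {
    file("/var/log/sshd-journal.log"
        template("${ISODATE} ${HOST} ${.journald._COMM}[${.journald._PID}] uid=${.journald._UID} ${MESSAGE}\n")
    );
};

log {
    source(s_journal_sshd);
    destination(d_sshd_file);
};
```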
program-override()
Description: Replaces the ${PROGRAM} part of the message with the parameter string. For example, to mark every message coming from the kernel, include the program-override("kernel") option in the source containing /proc/kmsg.
read-old-records()
Description: If set to yes, AxoSyslog will start reading the records from the beginning of the file/journal, if the file/journal has not been read yet. If set to no, AxoSyslog will read only the new records. If the source has a state in the persist file, this option will have no effect.
tags()
Description: Label the messages received from the source with custom tags. Tags must be unique, and enclosed between double quotes. When adding multiple tags, separate them with a comma, for example, tags("dmz", "router"). This option is available only in version 3.1 and later.
time-zone()
| | |
|---|---|
| Type: | name of the timezone, or the timezone offset |
| Default: | |
Description: The default timezone for messages read from the source. Applies only if no timezone is specified within the message itself.
The timezone can be specified by using the name, for example, time-zone("Europe/Budapest"), or as the timezone offset in +/-HH:MM format, for example, time-zone("+01:00"). On Linux and UNIX platforms, the valid timezone names are listed under the /usr/share/zoneinfo directory.
use-dns()
| | |
|---|---|
| Type: | yes, no, persist_only |
| Default: | yes |
Description: Enable or disable DNS usage. The persist_only option attempts to resolve hostnames locally from file (for example, from /etc/hosts). The AxoSyslog application blocks on DNS queries, so enabling DNS may lead to a Denial of Service attack. To prevent DoS, protect your AxoSyslog network endpoint with firewall rules, and make sure that all hosts which may get to AxoSyslog are resolvable. This option can be specified globally, and per-source as well. The local setting of the source overrides the global option if available.
Note
This option has no effect if the keep-hostname() option is enabled (keep-hostname(yes)) and the message contains a hostname.
use-fqdn()
| | |
|---|---|
| Type: | yes or no |
| Default: | no |
Description: Use this option to add a Fully Qualified Domain Name (FQDN) instead of a short hostname. You can specify this option either globally or per-source. The local setting of the source overrides the global option if available.
Note
Set use-fqdn() to yes if you want to use the custom-domain() global option.
Note
This option has no effect if the keep-hostname() option is enabled (keep-hostname(yes)) and the message contains a hostname.
use-syslogng-pid()
| | |
|---|---|
| Type: | yes, no |
| Default: | no |
Description: When enabled, AxoSyslog overrides the PID from the original message with the PID of the syslog-ng process.