systemd-journal() source options

The systemd-journal() driver has the following options:

default-facility()

Description: The default facility value if the SYSLOG_FACILITY entry does not exist.

default-level()

Description: The default level value if the PRIORITY entry does not exist.

hook-commands()

Description: This option makes it possible to execute external programs when the relevant driver is initialized or torn down. The hook-commands() can be used with all source and destination drivers with the exception of the usertty() and internal() drivers.

Using hook-commands() when AxoSyslog starts or stops

To execute an external program when AxoSyslog starts or stops, use the following options:

startup()

Description: Defines the external program that is executed as AxoSyslog starts.

shutdown()

Description: Defines the external program that is executed as AxoSyslog stops.

Using the hook-commands() when AxoSyslog reloads

To execute an external program when the AxoSyslog configuration is initiated or torn down, for example, on startup/shutdown or during a AxoSyslog reload, use the following options:

setup()

Description: Defines an external program that is executed when the AxoSyslog configuration is initiated, for example, on startup or during a AxoSyslog reload.

teardown()

Description: Defines an external program that is executed when the AxoSyslog configuration is stopped or torn down, for example, on shutdown or during a AxoSyslog reload.

Example: Using the hook-commands() with a network source

In the following example, the hook-commands() is used with the network() driver and it opens an iptables port automatically as AxoSyslog is started/stopped.

The assumption in this example is that the LOGCHAIN chain is part of a larger ruleset that routes traffic to it. Whenever the AxoSyslog created rule is there, packets can flow, otherwise the port is closed.

   source {
       network(transport(udp)
        hook-commands(
              startup("iptables -I LOGCHAIN 1 -p udp --dport 514 -j ACCEPT")
              shutdown("iptables -D LOGCHAIN 1")
            )
         );
    };

host-override()

Description: Replaces the ${HOST} part of the message with the parameter string.

keep-hostname()

Description: Enable or disable hostname rewriting.

• If enabled (keep-hostname(yes)), AxoSyslog will retain the hostname information read from the systemd journal messages.

• If disabled (keep-hostname(no)), AxoSyslog will use the hostname that has been set up for the operating system instance that AxoSyslog is running on. To query or set this value, use the hostnamectl command.

This option can be specified globally, and per-source as well. The local setting of the source overrides the global option if available.

match-boot()

Available in AxoSyslog 4.1 and later.

Description: If set to yes, AxoSyslog fetches only journal messages that relate to the current boot, and to ignores messages generated in previous boots.

matches()

Available in AxoSyslog 4.1 and later.

Description: Specifies one or more filters to apply on the journal fields, similarly how you can use journalctl. For example:

matches(
    "_COMM" => "systemd"
    )

max-field-size()

Description: The maximum length of a field’s value.

namespace()

Description: The namespace() option works exactly the same way as the respective option of the Journalctl command line tool.

The following modes of operation are available:

• If you do not specify the namespace() option in your configuration, or if you specify an empty string, the systemd-journal() source reads and displays log data from all namespaces.
• If you specify the namespace() option as namespace("*"), the systemd-journal() source reads and displays log data from all namespaces, interleaved.
• If namespace(<specific-namespace>) is specified, the systemd-journal() source only reads and displays log data from the specified namespace.
• If the namespace identifier is prefixed with "+" when you specify your namespace() option, the systemd-journal() source only reads and displays log data from the specified namespace and the default namespace, interleaved.

Starting with AxoSyslog 4.4, you can use multiple systemd-journal() sources in your configuration. In this case, each source must use unique systemd namespaces.

Syntax: namespace(string)

Example: configuration examples for using the namespace() option

The following configuration example uses the default value for the namespace() option:

   source s_journal
    { 
      systemd-journal(namespace("*"));
    };

The following configuration example uses a prefixed namespace identifier in the namespace() option:

   source s_journal
    { 
      systemd-journal(namespace("+foobar"));
    };

prefix()

Description: If this option is set, every non-built-in mapped names get a prefix (for example: ".SDATA.journald."). By default, AxoSyslog adds the .journald. prefix to every value.

read-old-records()

Description: If set to yes, AxoSyslog will start reading the records from the beginning of the journal, if the journal has not been read yet. If set to no, AxoSyslog will read only the new records. If the source has a state in the persist file, this option will have no effect.

time-zone()

Description: The default timezone for messages read from the source. Applies only if no timezone is specified within the message itself.

The timezone can be specified by using the name, for example, time-zone("Europe/Budapest")), or as the timezone offset in +/-HH:MM format, for example, +01:00). On Linux and UNIX platforms, the valid timezone names are listed under the /usr/share/zoneinfo directory.

use-fqdn()

Description: Use this option to add a Fully Qualified Domain Name (FQDN) instead of a short hostname. You can specify this option either globally or per-source. The local setting of the source overrides the global option if available.