systemd plugin for Fluentd
systemd input plugin reads logs from the systemd journal
systemd filter plugin allows for basic manipulation of systemd journal entries
Join the #plugin-systemd channel on the Fluentd Slack
| fluent-plugin-systemd | fluentd | td-agent | ruby |
|---|---|---|---|
| > 0.1.0 | >= 0.14.11, < 2 | 3 | >= 2.1 |
| 0.0.x | ~> 0.12.0 | 2 | >= 1.9 |
- The 0.x.x series is developed from this branch (master)
- The 0.0.x series (compatible with fluentd v0.12, and td-agent 2) is developed on the 0.0.x branch
Simply use RubyGems:
gem install fluent-plugin-systemd -v 0.3.0
or
td-agent-gem install fluent-plugin-systemd -v 0.3.0
<source>
  @type systemd
  tag kube-proxy
  path /var/log/journal
  filters [{ "_SYSTEMD_UNIT": "kube-proxy.service" }]
  read_from_head true
  <storage>
    @type local
    persistent true
    path kube-proxy.pos
  </storage>
  <entry>
    field_map {"MESSAGE": "log", "_PID": ["process", "pid"], "_CMDLINE": "process", "_COMM": "cmd"}
    fields_strip_underscores true
    fields_lowercase true
  </entry>
</source>

<match kube-proxy>
  @type stdout
</match>
path
Path to the systemd journal, defaults to /var/log/journal
filters
Array of filters, see here for further documentation, defaults to no filtering.
pos_file
This parameter is deprecated and will be removed in favour of storage in v1.0.
Path to the pos file, which stores the journald cursor. The file is created if it does not exist.
storage
Configuration for a storage plugin used to store the journald cursor.
Upgrading from pos_file
If pos_file is specified in addition to a storage plugin with persistent set to true, the cursor will be copied from the pos_file on startup, and the old pos_file removed.
read_from_head
If true, reads all available journal entries from the head; otherwise starts reading from the tail. Ignored if a pos file exists (and is valid). Defaults to false.
strip_underscores
This parameter is deprecated and will be removed in favour of entry in v1.0.
If true, strips underscores from the beginning of systemd field names. May be useful if outputting to Kibana, as underscore-prefixed fields are unindexed there.
entry
Optional configuration for an embedded systemd entry filter. See the Filter Plugin Configuration for config reference.
tag
Required
A tag that will be added to events generated by this input.
For an example of a full working setup including the plugin, take a look at
<filter kube-proxy>
  @type systemd_entry
  field_map {"MESSAGE": "log", "_PID": ["process", "pid"], "_CMDLINE": "process", "_COMM": "cmd"}
  field_map_strict false
  fields_lowercase true
  fields_strip_underscores true
</filter>
field_map
Object / hash defining a mapping of source fields to destination fields. Destination fields may be existing or new user-defined fields. If multiple source fields are mapped to the same destination field, the contents of the fields will be appended to the destination field in the order defined in the mapping. A field map declaration takes the form of:
{
  "<src_field1>": "<dst_field1>",
  "<src_field2>": ["<dst_field1>", "<dst_field2>"],
  ...
}
Defaults to an empty map.
field_map_strict
If true, only destination fields from field_map are included in the result. Defaults to false.
fields_lowercase
If true, lowercase all non-mapped fields. Defaults to false.
fields_strip_underscores
If true, strip leading underscores from all non-mapped fields. Defaults to false.
Given a systemd journal source entry:
{
  "_MACHINE_ID": "bb9d0a52a41243829ecd729b40ac0bce",
  "_HOSTNAME": "arch",
  "MESSAGE": "this is a log message",
  "_PID": "123",
  "_CMDLINE": "login -- root",
  "_COMM": "login"
}
The resulting entry using the above sample configuration:
{
  "machine_id": "bb9d0a52a41243829ecd729b40ac0bce",
  "hostname": "arch",
  "log": "this is a log message",
  "pid": "123",
  "cmd": "login",
  "process": "123 login -- root"
}
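The mapping rules described above, written out as an added Ruby sketch that is not the plugin's own code: it applies the sample field_map to the sample journal entry, once with the sample options and once as if field_map_strict were true. The names map_entry, loose_result and strict_result are hypothetical, and joining appended values with a space is taken from the sample output.

```ruby
require "json"

# Added illustration of the documented field_map semantics; not the plugin's code.
# map_entry and its keyword arguments are hypothetical names.
def map_entry(entry, field_map: {}, strict: false, lowercase: false, strip_underscores: false)
  result = {}
  unless strict
    # Non-mapped fields are carried over, optionally renamed.
    entry.each do |key, value|
      next if field_map.key?(key)
      name = strip_underscores ? key.sub(/\A_+/, "") : key
      name = name.downcase if lowercase
      result[name] = value
    end
  end
  # Walk the map in declaration order so values appended to a shared
  # destination keep that order (joined with a space, as in the sample output).
  field_map.each do |src, dsts|
    next unless entry.key?(src)
    Array(dsts).each { |dst| result[dst] = [result[dst], entry[src]].compact.join(" ") }
  end
  result
end

# The sample journal entry and field_map from this page.
SAMPLE_ENTRY = {
  "_MACHINE_ID" => "bb9d0a52a41243829ecd729b40ac0bce",
  "_HOSTNAME" => "arch",
  "MESSAGE" => "this is a log message",
  "_PID" => "123",
  "_CMDLINE" => "login -- root",
  "_COMM" => "login"
}.freeze
SAMPLE_MAP = {
  "MESSAGE" => "log", "_PID" => ["process", "pid"],
  "_CMDLINE" => "process", "_COMM" => "cmd"
}.freeze

# Sample options: field_map_strict false, lowercase and strip underscores on.
def loose_result
  map_entry(SAMPLE_ENTRY, field_map: SAMPLE_MAP, lowercase: true, strip_underscores: true)
end

# Same map with strict on: only destination fields survive.
def strict_result
  map_entry(SAMPLE_ENTRY, field_map: SAMPLE_MAP, strict: true)
end

puts JSON.pretty_generate(loose_result)
puts JSON.pretty_generate(strict_result)
```

In the strict result the unmapped _HOSTNAME and _MACHINE_ID fields are absent, so map them explicitly if downstream searches or alerts rely on host identity.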
This plugin depends on libsystemd
To run the tests with docker on several distros simply run rake
For systems with systemd installed you can run the tests against your installed libsystemd with rake test
Issues and pull requests are very welcome.
If you want to make a contribution but need some help or advice feel free to message me @errm on the Fluentd Slack, or send me an email ed@reevoo.com.
We have adopted the Contributor Covenant and thus expect anyone interacting with contributors, maintainers and users of this project to abide by it.
Many thanks to our fantastic contributors