@flaf
Last active October 12, 2021 17:09
custom syslog forwarding in journald?

Here is a typical event/message from journald (via journalctl -f -o json | jq for readability):

{
  "_AUDIT_LOGINUID": "0",
  "SYSLOG_IDENTIFIER": "conmon",
  "__REALTIME_TIMESTAMP": "1634057819962204",
  "_GID": "0",
  "_CAP_EFFECTIVE": "1ffffffffff",
  "_SYSTEMD_SLICE": "machine.slice",
  "_SYSTEMD_INVOCATION_ID": "d549eaf2a3b64a0082fae57c762d6bf8",
  "_SOURCE_REALTIME_TIMESTAMP": "1634057819962176",
  "_MACHINE_ID": "db32039497a14274947d80a243d569b9",
  "_COMM": "conmon",
  "__CURSOR": "s=53db53c5cbb348559a4cfe7615223f25;i=6b4;b=0f256d6dc32a455f8b3b584124c5443b;m=df353cf;t=5ce2abbe6bb5c;x=ec4e41d4dfc9ff3e",
  "CODE_FILE": "src/ctr_logging.c",
  "CONTAINER_ID": "739283a51578",
  "CONTAINER_ID_FULL": "739283a51578940e55fe143426af8c4175c2b2f9ad9420b8bdd5ad8b78292842",
  "_TRANSPORT": "journal",
  "_EXE": "/usr/bin/conmon",
  "CONTAINER_NAME": "nginx",
  "PRIORITY": "6",
  "_CMDLINE": "/usr/bin/conmon --api-version 1 -c 739283a51578940e55fe143426af8c4175c2b2f9ad9420b8bdd5ad8b78292842 -u 739283a51578940e55fe143426af8c4175c2b2f9ad9420b8bdd5ad8b78292842 -r /usr/bin/crun -b /var/lib/containers/storage/overlay-containers/739283a51578940e55fe143426af8c4175c2b2f9ad9420b8bdd5ad8b78292842/userdata -p /run/containers/storage/overlay-containers/739283a51578940e55fe143426af8c4175c2b2f9ad9420b8bdd5ad8b78292842/userdata/pidfile -n nginx --exit-dir /run/libpod/exits --socket-dir-path /run/libpod/socket -s -l journald --log-level warning --runtime-arg --log-format=json --runtime-arg --log --runtime-arg=/run/containers/storage/overlay-containers/739283a51578940e55fe143426af8c4175c2b2f9ad9420b8bdd5ad8b78292842/userdata/oci-log --conmon-pidfile /run/containers/storage/overlay-containers/739283a51578940e55fe143426af8c4175c2b2f9ad9420b8bdd5ad8b78292842/userdata/conmon.pid --exit-command /usr/bin/podman --exit-command-arg --root --exit-command-arg /var/lib/containers/storage --exit-command-arg --runroot --exit-command-arg /run/containers/storage --exit-command-arg --log-level --exit-command-arg warning --exit-command-arg --cgroup-manager --exit-command-arg systemd --exit-command-arg --tmpdir --exit-command-arg /run/libpod --exit-command-arg --runtime --exit-command-arg crun --exit-command-arg --events-backend --exit-command-arg journald --exit-command-arg container --exit-command-arg cleanup --exit-command-arg --rm --exit-command-arg 739283a51578940e55fe143426af8c4175c2b2f9ad9420b8bdd5ad8b78292842",
  "_SELINUX_CONTEXT": "unconfined\n",
  "CODE_LINE": "264",
  "_SYSTEMD_CGROUP": "/machine.slice/libpod-conmon-739283a51578940e55fe143426af8c4175c2b2f9ad9420b8bdd5ad8b78292842.scope",
  "_PID": "7823",
  "_UID": "0",
  "_BOOT_ID": "0f256d6dc32a455f8b3b584124c5443b",
  "MESSAGE": "10.111.222.1 - - [12/Oct/2021:16:56:59 +0000] \"GET / HTTP/1.1\" 200 615 \"-\" \"curl/7.58.0\" \"-\"\n",
  "_SYSTEMD_UNIT": "libpod-conmon-739283a51578940e55fe143426af8c4175c2b2f9ad9420b8bdd5ad8b78292842.scope",
  "CODE_FUNC": "write_journald",
  "__MONOTONIC_TIMESTAMP": "234050511",
  "_AUDIT_SESSION": "1",
  "_HOSTNAME": "bullseye-vbox"
}

Here is the associated line in /var/log/syslog because ForwardToSyslog is set to true by default:

Oct 12 18:56:59 bullseye-vbox conmon[7823]: 10.111.222.1 - - [12/Oct/2021:16:56:59 +0000] "GET / HTTP/1.1" 200 615 "-" "curl/7.58.0" "-"

The container name is not present in this line, but it would be handy for me.

So, I'm wondering if it is possible to configure journald (a kind of customization in its configuration) to put the value of the field CONTAINER_NAME in the syslog line...
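One way to get the container name into a syslog-style line without waiting on journald, as an added example that is not part of the gist: a small Python filter for `journalctl -f -o json` output. It assumes the field layout shown in the event above (the embedded sample is a constructed, trimmed copy of that event) and that podman names conmon's transient scope `libpod-conmon-<full id>.scope`, as the `_SYSTEMD_UNIT` field shows; the script name `journal2syslog.py` and the `container=` prefix are my choices. The security-relevant detail is that `CONTAINER_NAME` and `CONTAINER_ID_FULL` are ordinary fields written by the sending process, so any local process that can write to the journal can claim any container name, while the underscore-prefixed fields are trusted fields that journald fills in from the sender's credentials. The filter therefore only prints a container name that matches the id in the sender's own scope.

```python
"""Render journald JSON events as syslog-style lines, adding the container name.

Added example (not from the gist). Usage: journalctl -f -o json | python3 journal2syslog.py
"""
import json
import re
import sys
from datetime import datetime, timezone

# Constructed sample, trimmed from the event shown in the gist;
# only the fields the formatter looks at are kept.
SAMPLE_EVENT = {
    "__REALTIME_TIMESTAMP": "1634057819962204",
    "_HOSTNAME": "bullseye-vbox",
    "SYSLOG_IDENTIFIER": "conmon",
    "_COMM": "conmon",
    "_PID": "7823",
    "PRIORITY": "6",
    "CONTAINER_NAME": "nginx",
    "CONTAINER_ID_FULL": "739283a51578940e55fe143426af8c4175c2b2f9ad9420b8bdd5ad8b78292842",
    "_SYSTEMD_UNIT": "libpod-conmon-739283a51578940e55fe143426af8c4175c2b2f9ad9420b8bdd5ad8b78292842.scope",
    "MESSAGE": "10.111.222.1 - - [12/Oct/2021:16:56:59 +0000] \"GET / HTTP/1.1\" 200 615 \"-\" \"curl/7.58.0\" \"-\"\n",
}

# Assumption from the event above: podman names conmon's scope after the full container id.
CONMON_UNIT_RE = re.compile(r"^libpod-conmon-([0-9a-f]{64})\.scope$")


def decode_field(value):
    """journalctl -o json emits non-UTF-8 (or very large) fields as a list of byte values."""
    if isinstance(value, list):
        return bytes(value).decode("utf-8", errors="replace")
    return value if value is not None else ""


def trusted_container_name(event):
    """Return CONTAINER_NAME only if it is consistent with journald's trusted fields.

    CONTAINER_NAME / CONTAINER_ID_FULL are set by the sender (conmon here), so any
    process that can log to the journal can claim any value. _SYSTEMD_UNIT is a
    trusted field set by journald from the sender's credentials, so the container
    id embedded in the scope name is what the claimed name is checked against.
    """
    name = decode_field(event.get("CONTAINER_NAME"))
    if not name:
        return None
    match = CONMON_UNIT_RE.match(decode_field(event.get("_SYSTEMD_UNIT")))
    if match is None:
        return None  # not sent from a podman conmon scope: do not trust the label
    if decode_field(event.get("CONTAINER_ID_FULL")) != match.group(1):
        return None  # label does not match the cgroup the message came from
    return name


def format_syslog_line(event, tz=timezone.utc):
    """Render one journal event like the classic /var/log/syslog line, plus the container."""
    micros = int(event["__REALTIME_TIMESTAMP"])
    ts = datetime.fromtimestamp(micros / 1_000_000, tz)
    # Traditional syslog timestamp: abbreviated month, space-padded day, time.
    stamp = f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S}"
    host = decode_field(event.get("_HOSTNAME"))
    tag = decode_field(event.get("SYSLOG_IDENTIFIER")) or decode_field(event.get("_COMM"))
    pid = decode_field(event.get("_PID"))
    prefix = f"{tag}[{pid}]" if pid else tag
    message = decode_field(event.get("MESSAGE")).rstrip("\n")
    container = trusted_container_name(event)
    if container is not None:
        message = f"container={container} {message}"
    return f"{stamp} {host} {prefix}: {message}"


def main():
    # One JSON object per line, as produced by `journalctl -o json` (not json-pretty).
    for line in sys.stdin:
        line = line.strip()
        if line:
            print(format_syslog_line(json.loads(line)))


if __name__ == "__main__":
    main()
```

The timestamp is rendered in UTC by default (the `/var/log/syslog` line above shows local time, 18:56:59 CEST for the same event); pass `tz=None` to `format_syslog_line` to use the local zone. If the syslog file itself is the target rather than a side channel, rsyslog's imjournal input exposes journal fields as `$!FIELD` message properties (for example `$!CONTAINER_NAME`), which can be referenced from a template to achieve the same effect on the rsyslog side.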
