Here is a typical event/message from journald (via journalctl -f -o json | jq
for readability):
{
"_AUDIT_LOGINUID": "0",
"SYSLOG_IDENTIFIER": "conmon",
"__REALTIME_TIMESTAMP": "1634057819962204",
"_GID": "0",
"_CAP_EFFECTIVE": "1ffffffffff",
"_SYSTEMD_SLICE": "machine.slice",
"_SYSTEMD_INVOCATION_ID": "d549eaf2a3b64a0082fae57c762d6bf8",
"_SOURCE_REALTIME_TIMESTAMP": "1634057819962176",
"_MACHINE_ID": "db32039497a14274947d80a243d569b9",
"_COMM": "conmon",
"__CURSOR": "s=53db53c5cbb348559a4cfe7615223f25;i=6b4;b=0f256d6dc32a455f8b3b584124c5443b;m=df353cf;t=5ce2abbe6bb5c;x=ec4e41d4dfc9ff3e",
"CODE_FILE": "src/ctr_logging.c",
"CONTAINER_ID": "739283a51578",
"CONTAINER_ID_FULL": "739283a51578940e55fe143426af8c4175c2b2f9ad9420b8bdd5ad8b78292842",
"_TRANSPORT": "journal",
"_EXE": "/usr/bin/conmon",
"CONTAINER_NAME": "nginx",
"PRIORITY": "6",
"_CMDLINE": "/usr/bin/conmon --api-version 1 -c 739283a51578940e55fe143426af8c4175c2b2f9ad9420b8bdd5ad8b78292842 -u 739283a51578940e55fe143426af8c4175c2b2f9ad9420b8bdd5ad8b78292842 -r /usr/bin/crun -b /var/lib/containers/storage/overlay-containers/739283a51578940e55fe143426af8c4175c2b2f9ad9420b8bdd5ad8b78292842/userdata -p /run/containers/storage/overlay-containers/739283a51578940e55fe143426af8c4175c2b2f9ad9420b8bdd5ad8b78292842/userdata/pidfile -n nginx --exit-dir /run/libpod/exits --socket-dir-path /run/libpod/socket -s -l journald --log-level warning --runtime-arg --log-format=json --runtime-arg --log --runtime-arg=/run/containers/storage/overlay-containers/739283a51578940e55fe143426af8c4175c2b2f9ad9420b8bdd5ad8b78292842/userdata/oci-log --conmon-pidfile /run/containers/storage/overlay-containers/739283a51578940e55fe143426af8c4175c2b2f9ad9420b8bdd5ad8b78292842/userdata/conmon.pid --exit-command /usr/bin/podman --exit-command-arg --root --exit-command-arg /var/lib/containers/storage --exit-command-arg --runroot --exit-command-arg /run/containers/storage --exit-command-arg --log-level --exit-command-arg warning --exit-command-arg --cgroup-manager --exit-command-arg systemd --exit-command-arg --tmpdir --exit-command-arg /run/libpod --exit-command-arg --runtime --exit-command-arg crun --exit-command-arg --events-backend --exit-command-arg journald --exit-command-arg container --exit-command-arg cleanup --exit-command-arg --rm --exit-command-arg 739283a51578940e55fe143426af8c4175c2b2f9ad9420b8bdd5ad8b78292842",
"_SELINUX_CONTEXT": "unconfined\n",
"CODE_LINE": "264",
"_SYSTEMD_CGROUP": "/machine.slice/libpod-conmon-739283a51578940e55fe143426af8c4175c2b2f9ad9420b8bdd5ad8b78292842.scope",
"_PID": "7823",
"_UID": "0",
"_BOOT_ID": "0f256d6dc32a455f8b3b584124c5443b",
"MESSAGE": "10.111.222.1 - - [12/Oct/2021:16:56:59 +0000] \"GET / HTTP/1.1\" 200 615 \"-\" \"curl/7.58.0\" \"-\"\n",
"_SYSTEMD_UNIT": "libpod-conmon-739283a51578940e55fe143426af8c4175c2b2f9ad9420b8bdd5ad8b78292842.scope",
"CODE_FUNC": "write_journald",
"__MONOTONIC_TIMESTAMP": "234050511",
"_AUDIT_SESSION": "1",
"_HOSTNAME": "bullseye-vbox"
}
Here is the associated line in /var/log/syslog because ForwardToSyslog is set to true by default:
Oct 12 18:56:59 bullseye-vbox conmon[7823]: 10.111.222.1 - - [12/Oct/2021:16:56:59 +0000] "GET / HTTP/1.1" 200 615 "-" "curl/7.58.0" "-"
The container name is not present in this line, but it would be handy for me.
So, I'm wondering if it is possible to configure journald (a kind of customization in its configuration) to put the value of the field CONTAINER_NAME in the syslog line...
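
As an added example (not part of the original post), this sketch shows how a record from `journalctl -o json` maps onto the syslog line above, with CONTAINER_NAME carried along. The `container=` layout and the names `to_syslog_line` and `_clean` are assumptions made for illustration, and the sample record is a constructed, reduced copy of the one shown.

```python
import json
import sys
from datetime import datetime, timezone

# Constructed sample: a reduced copy of the journal record shown in the post.
SAMPLE = json.dumps({
    "_SOURCE_REALTIME_TIMESTAMP": "1634057819962176",
    "_HOSTNAME": "bullseye-vbox",
    "SYSLOG_IDENTIFIER": "conmon",
    "_PID": "7823",
    "CONTAINER_NAME": "nginx",
    "MESSAGE": '10.111.222.1 - - [12/Oct/2021:16:56:59 +0000] '
               '"GET / HTTP/1.1" 200 615 "-" "curl/7.58.0" "-"\n',
})

def _clean(value):
    # journalctl -o json emits non-UTF-8 field values as arrays of byte values.
    if isinstance(value, list):
        value = bytes(value).decode("utf-8", "replace")
    value = str(value).rstrip("\n")
    # Escape control characters so an embedded newline cannot start a forged line.
    return "".join(c if c.isprintable() else f"\\x{ord(c):02x}" for c in value)

def to_syslog_line(record, tz=timezone.utc):
    """Render one journal record as a syslog-style line (hypothetical layout)."""
    usec = int(record.get("_SOURCE_REALTIME_TIMESTAMP")
               or record["__REALTIME_TIMESTAMP"])
    ts = datetime.fromtimestamp(usec // 1_000_000, tz)
    stamp = f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S}"
    ident = _clean(record.get("SYSLOG_IDENTIFIER") or record.get("_COMM", "unknown"))
    tag = f"{ident}[{_clean(record['_PID'])}]" if "_PID" in record else ident
    # CONTAINER_NAME has no leading underscore: it is supplied by the logging
    # client (conmon here), not added by journald, so it is sanitised like MESSAGE.
    name = record.get("CONTAINER_NAME")
    prefix = f"container={_clean(name)} " if name else ""
    host = _clean(record.get("_HOSTNAME", "-"))
    return f"{stamp} {host} {tag}: {prefix}{_clean(record.get('MESSAGE') or '')}"

if __name__ == "__main__":
    # Usage: journalctl -f -o json | python3 this_script.py
    for line in sys.stdin:
        if line.strip():
            print(to_syslog_line(json.loads(line)), flush=True)
```

The timestamp is rendered in UTC unless another `tz` is passed, so it differs from the local-time stamp in /var/log/syslog by the host's UTC offset.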