On a client site which should already have journald please install additionally systemd-journal-upload
and edit /etc/systemd/journal-upload.conf and set URL to VictoriaLogs endpoint:
[Upload]
URL=http://localhost:9428/insert/journald
# Starting v258 systemd-journal-upload custom HTTP headers and compression are supported
# Header=AccountID: 5
# Header=ProjectID: 10
# Compression=zstd:4 lz4:2
Substitute the localhost:9428 address inside endpoints section with the real TCP address of VictoriaLogs.
Port 9428 is not the default port associated with with systemd-journal-upload so on a system with SELinux in enforcing mode, it may be necessary to adjust the policy or assign the port, for example: semanage port -a -t journal_remote_port_t -p tcp 9428
Time field #
VictoriaLogs uses the __REALTIME_TIMESTAMP field as
_time field
for the logs ingested via journald protocol. Other field can be used instead of __REALTIME_TIMESTAMP by specifying it via -journald.timeField command-line flag.
Starting systemd-journal-upload v258 time field can be set using VL-Time-Field HTTP header.
See the list of supported Journald fields .
Level field #
VictoriaLogs automatically sets the level log field according to the PRIORITY field value
.
Stream fields #
VictoriaLogs uses (_MACHINE_ID, _HOSTNAME, _SYSTEMD_UNIT) as
stream fields
for logs ingested via journald protocol. The list of log stream fields can be changed via -journald.streamFields command-line flag if needed,
by providing comma-separated list of journald fields from this list
.
Starting systemd-journal-upload v258 stream fields can be set using VL-Stream-Fields HTTP header.
Please make sure that the log stream fields passed to -journald.streamFields do not contain fields with high number or unbound number of unique values,
since this may lead to
high cardinality issues
.
This can happen with _SYSTEMD_UNIT if you have templated units with non-static instances
such as systemd-coredump@.service or if you have a .socket unit with Accept=yes.
The following Journald fields are also good candidates for stream fields:
_TRANSPORT(to separate out kernel and audit logs which are not associated with a_SYSTEMD_UNIT)_SYSTEMD_USER_UNIT
Dropping fields #
VictoriaLogs can be configured for skipping the given
log fields
for logs ingested via journald protocol, via -journald.ignoreFields command-line flag, which accepts comma-separated list of log fields to ignore.
This list can contain log field prefixes ending with * such as some-prefix*. In this case all the fields starting from some-prefix are ignored.
Starting systemd-journal-upload v258 ignored fields can be set using VL-Ignore-Fields HTTP header.
See the list of supported Journald fields .
Multitenancy #
By default VictoriaLogs stores logs ingested via journald protocol into (AccountID=0, ProjectID=0)
tenant
.
This can be changed by passing the needed tenant in the format AccountID:ProjectID at the -journald.tenantID command-line flag.
For example, -journald.tenantID=123:456 would store logs ingested via journald protocol into (AccountID=123, ProjectID=456) tenant.
Starting systemd-journal-upload v258 tenant information can be set using AccountID and ProjectID HTTP headers.
See also: