On the client side, which should already have journald, additionally install systemd-journal-upload, then edit /etc/systemd/journal-upload.conf and set URL to the VictoriaLogs endpoint:
[Upload]
URL=http://localhost:9428/insert/journald
Substitute the localhost:9428 address inside endpoints section with the real TCP address of VictoriaLogs.
Time field
VictoriaLogs uses the __REALTIME_TIMESTAMP field as the _time field for the logs ingested via journald protocol. Another field can be used instead of __REALTIME_TIMESTAMP by specifying it via the -journald.timeField command-line flag.
See the list of supported Journald fields.
Level field
VictoriaLogs automatically sets the level log field according to the PRIORITY field value.
Stream fields
VictoriaLogs uses (_MACHINE_ID, _HOSTNAME, _SYSTEMD_UNIT) as stream fields for logs ingested via journald protocol. The list of log stream fields can be changed via the -journald.streamFields command-line flag if needed, by providing a comma-separated list of journald fields from this list.
Please make sure that the log stream fields passed to -journald.streamFields do not contain fields with a high or unbounded number of unique values, since this may lead to high cardinality issues.
This can happen with _SYSTEMD_UNIT if you have templated units with non-static instances such as systemd-coredump@.service, or if you have a .socket unit with Accept=yes.
The following Journald fields are also good candidates for stream fields:
_TRANSPORT (to separate out kernel and audit logs which are not associated with a _SYSTEMD_UNIT)
_SYSTEMD_USER_UNIT
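The cardinality warning above about templated units can be checked on a host before _SYSTEMD_UNIT is kept as a stream field. The following shell function is an added example, not part of the VictoriaLogs documentation; the function names, the threshold and the sample unit names are constructed for illustration. It counts distinct instances per templated unit from a list of _SYSTEMD_UNIT values, one per line.

```shell
#!/bin/sh
# Added example (not from the VictoriaLogs docs).
# On a real host, feed it the unique values journald has seen:
#   journalctl -F _SYSTEMD_UNIT | template_cardinality 10

# template_cardinality THRESHOLD
# Reads unit names on stdin and prints "<template> <instances>" for every
# templated unit with at least THRESHOLD distinct instances.
template_cardinality() {
    threshold="${1:-10}"
    sort -u | awk -v t="$threshold" '
        # Instantiated templates look like name@instance.type;
        # the bare template name@.type does not match.
        /@.+\.[a-z]+$/ {
            at = index($0, "@")
            n = split(substr($0, at + 1), parts, ".")
            # Collapse the instance: name@instance.type -> name@.type
            tmpl = substr($0, 1, at) "." parts[n]
            count[tmpl]++
        }
        END {
            for (k in count)
                if (count[k] >= t)
                    print k, count[k]
        }' | sort
}

# Constructed sample input: one static unit, one fixed instance and
# three per-invocation instances of a templated unit.
sample_units() {
    cat <<'EOF'
sshd.service
getty@tty1.service
systemd-coredump@0-1201-0.service
systemd-coredump@1-1377-0.service
systemd-coredump@2-1502-0.service
EOF
}

# Demo on the constructed sample with a threshold of 2 instances.
sample_units | template_cardinality 2
```

A template that shows a steadily growing instance count creates one log stream per instance, so it is a reason to drop _SYSTEMD_UNIT from -journald.streamFields or replace it with a lower-cardinality field.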
Dropping fields
VictoriaLogs can be configured to skip the given log fields for logs ingested via journald protocol via the -journald.ignoreFields command-line flag, which accepts a comma-separated list of log fields to ignore. This list can contain log field prefixes ending with *, such as some-prefix*. In this case all the fields starting with some-prefix are ignored.
See the list of supported Journald fields.
Multitenancy
By default VictoriaLogs stores logs ingested via journald protocol into the (AccountID=0, ProjectID=0) tenant.
This can be changed by passing the needed tenant in the format AccountID:ProjectID to the -journald.tenantID command-line flag.
For example, -journald.tenantID=123:456 would store logs ingested via journald protocol into the (AccountID=123, ProjectID=456) tenant.
See also: