Journald setup #

On a client site which should already have journald please install additionally systemd-journal-upload and edit /etc/systemd/journal-upload.conf and set URL to VictoriaLogs endpoint:

      [Upload]
URL=http://localhost:9428/insert/journald
    

Substitute the localhost:9428 address inside endpoints section with the real TCP address of VictoriaLogs.

Time field #

VictoriaLogs uses the __REALTIME_TIMESTAMP field as _time field for the logs ingested via journald protocol. Other field can be used instead of __REALTIME_TIMESTAMP by specifying it via -journald.timeField command-line flag. See the list of supported Journald fields .

Level field #

VictoriaLogs automatically sets the level log field according to the PRIORITY field value .

Stream fields #

VictoriaLogs uses (_MACHINE_ID, _HOSTNAME, _SYSTEMD_UNIT) as stream fields for logs ingested via journald protocol. The list of log stream fields can be changed via -journald.streamFields command-line flag if needed, by providing comma-separated list of journald fields from this list .

Please make sure that the log stream fields passed to -journald.streamFields do not contain fields with high number or unbound number of unique values, since this may lead to high cardinality issues . This can happen with _SYSTEMD_UNIT if you have templated units with non-static instances such as systemd-coredump@.service or if you have a .socket unit with Accept=yes.

The following Journald fields are also good candidates for stream fields:

• _TRANSPORT (to separate out kernel and audit logs which are not associated with a _SYSTEMD_UNIT)
• _SYSTEMD_USER_UNIT

Dropping fields #

VictoriaLogs can be configured for skipping the given log fields for logs ingested via journald protocol, via -journald.ignoreFields command-line flag, which accepts comma-separated list of log fields to ignore. This list can contain log field prefixes ending with * such as some-prefix*. In this case all the fields starting from some-prefix are ignored.

See the list of supported Journald fields .

Multitenancy #

By default VictoriaLogs stores logs ingested via journald protocol into (AccountID=0, ProjectID=0) tenant . This can be changed by passing the needed tenant in the format AccountID:ProjectID at the -journald.tenantID command-line flag. For example, -journald.tenantID=123:456 would store logs ingested via journald protocol into (AccountID=123, ProjectID=456) tenant.

See also:

• Data ingestion troubleshooting .
• How to query VictoriaLogs .
• Docker-compose demo for Journald integration with VictoriaLogs .