Systemd (im_systemd)

Systemd is a Linux initialization system with parallelization capabilities and dependency-based control logic. The systemd journal is the logging component of systemd.

The im_systemd module accepts messages from the systemd journal.

To run the im_systemd module under the nxlog user, that user must be a member of the systemd-journal group. It can be added with the following command:

$ sudo gpasswd -a nxlog systemd-journal

Configuration

The im_systemd module accepts the following directives in addition to the common module directives.

Optional directives

ReadFromLast

This optional boolean directive instructs the module to only read entries from the journal that arrive after NXLog Agent is started. When TRUE, a cursor is saved with the last journal position read, and on the next start, NXLog Agent will continue to read entries from this position. When FALSE, NXLog Agent will read from the beginning of the journal. If this directive is not specified, it defaults to TRUE.

The following matrix shows the outcome of this directive in conjunction with the SavePos directive:

ReadFromLast  SavePos  SavedPosition  Outcome
TRUE          TRUE     No             Reads events that are logged after NXLog Agent is started.
TRUE          TRUE     Yes            Reads events from the saved position.
TRUE          FALSE    No             Reads events that are logged after NXLog Agent is started.
TRUE          FALSE    Yes            Reads events that are logged after NXLog Agent is started.
FALSE         TRUE     No             Reads all events.
FALSE         TRUE     Yes            Reads events from the saved position.
FALSE         FALSE    No             Reads all events.
FALSE         FALSE    Yes            Reads all events.

SavePos

If this boolean directive is set to TRUE, the journal position is saved when NXLog Agent exits and read back from the cache file on startup. The default is TRUE: the journal position is saved if this directive is not specified. This directive affects the outcome of the ReadFromLast directive, and it can be overridden by the global NoCache directive.

Fields

The following fields are used by im_systemd.

$raw_event (type: string)

A list of event fields in key-value pairs.

$AuditSession (type: string)

Session of the process the journal entry originates from, as maintained by the kernel audit subsystem.

$AuditUID (type: string)

Login UID of the process the journal entry originates from, as maintained by the kernel audit subsystem.

$BootID (type: string)

Kernel boot ID for the boot the message was generated in, formatted as a 128-bit hexadecimal string.

$Capabilities (type: string)

Effective capabilities of the process the journal entry originates from.

$CodeFile (type: string)

Code location where this message was generated, if known. Contains the source file name.

$CodeFunc (type: string)

Code location where this message was generated, if known. Contains the function name.

$CodeLine (type: integer)

Code location where this message was generated, if known. Contains the line number.

$CoredumpUnit (type: string)

Annotation to the message in case it contains coredumps from system and session units.

$CoredumpUserUnit (type: string)

Annotation to the message in case it contains coredumps from system and session units.

$DevName (type: string)

Device name of the kernel as it shows up in the device tree under the '/sys' directory.

$DevNode (type: string)

Node path of the device under the '/dev' directory.

$Errno (type: integer)

Low-level Unix error number which caused the entry, if any. Contains the numeric value of 'errno' formatted as a decimal string.

$EventTime (type: datetime)

The earliest trusted timestamp of the message, if any is known that is different from the reception time of the journal.

$Facility (type: string)

Syslog compatibility field containing the facility.

$Group (type: string)

Group ID of the process the journal entry originates from.

$Hostname (type: string)

The name of the originating host.

$KernelDevice (type: string)

Device name of the kernel. If the entry is associated to a block device, the field contains the major and minor of the device node, separated by ":" and prefixed by "b". Similar for character devices but prefixed by "c". For network devices, this is the interface index prefixed by "n". For all other devices, this is the subsystem name prefixed by "+", followed by ":", followed by the kernel device name.

$KernelSubsystem (type: string)

Subsystem name of the kernel.

$MachineID (type: string)

Machine ID of the originating host.

$Message (type: string)

A human-readable message string for the current entry. This is supposed to be the primary text shown to the user. This is usually not translated (but might be in some cases), and not supposed to be parsed for metadata.

$MessageID (type: string)

A 128-bit message identifier for recognizing certain message types, if this is desirable. This should contain a 128-bit identifier formatted as a lower-case hexadecimal string, without any separating dashes or suchlike. It is recommended to be a UUID-compatible ID, but this is not enforced, and it may be formatted differently.

$ObjAuditSession (type: integer)

This field contains the same value as the 'AuditSession', except that the process identified by PID is described, instead of the process which logged the message.

$ObjAuditUID (type: integer)

This field contains the same value as the 'AuditUID', except that the process identified by PID is described, instead of the process which logged the message.

$ObjGroup (type: integer)

This field contains the same value as the 'Group', except that the process identified by PID is described, instead of the process which logged the message.

$ObjProcessCmdLine (type: integer)

This field contains the same value as the 'ProcessCmdLine', except that the process identified by PID is described, instead of the process which logged the message.

$ObjProcessExecutable (type: integer)

This field contains the same value as the 'ProcessExecutable', except that the process identified by PID is described, instead of the process which logged the message.

$ObjProcessID (type: integer)

This field contains the same value as the 'ProcessID', except that the process identified by PID is described, instead of the process which logged the message.

$ObjProcessName (type: integer)

This field contains the same value as the 'ProcessName', except that the process identified by PID is described, instead of the process which logged the message.

$ObjSystemdCGroup (type: integer)

This field contains the same value as the 'SystemdCGroup', except that the process identified by PID is described, instead of the process which logged the message.

$ObjSystemdOwnerUID (type: integer)

This field contains the same value as the 'SystemdOwnerUID', except that the process identified by PID is described, instead of the process which logged the message.

$ObjSystemdSession (type: integer)

This field contains the same value as the 'SystemdSession', except that the process identified by PID is described, instead of the process which logged the message.

$ObjSystemdUnit (type: integer)

This field contains the same value as the 'SystemdUnit', except that the process identified by PID is described, instead of the process which logged the message.

$ObjUser (type: integer)

This field contains the same value as the 'User', except that the process identified by PID is described, instead of the process which logged the message.

$ProcessCmdLine (type: string)

Command line of the process the journal entry originates from.

$ProcessExecutable (type: string)

Executable path of the process the journal entry originates from.

$ProcessID (type: string)

Syslog compatibility field containing the client PID.

$ProcessName (type: string)

Name of the process the journal entry originates from.

$SelinuxContext (type: string)

SELinux security context (label) of the process the journal entry originates from.

$Severity (type: string)

A priority value between 0 ("emerg") and 7 ("debug") formatted as a string. This field is compatible with syslog’s priority concept.

$SeverityValue (type: integer)

A priority value between 0 ("emerg") and 7 ("debug") formatted as a decimal string. This field is compatible with syslog’s priority concept.

$SourceName (type: string)

Syslog compatibility field containing the identifier string (i.e. "tag").

$SysInvID (type: string)

Invocation ID for the runtime cycle of the unit the message was generated in, as available to processes of the unit in $INVOCATION_ID.

$SystemdCGroup (type: string)

Control group path in the systemd hierarchy of the process the journal entry originates from.

$SystemdOwnerUID (type: string)

Owner UID of the systemd session (if any) of the process the journal entry originates from.

$SystemdSession (type: string)

Systemd session ID (if any) of the process the journal entry originates from.

$SystemdSlice (type: string)

Systemd slice unit of the process the journal entry originates from.

$SystemdUnit (type: string)

Systemd unit name (if any) of the process the journal entry originates from.

$SystemdUserUnit (type: string)

Systemd user session unit name (if any) of the process the journal entry originates from.

$Transport (type: string)

Transport of the entry to the journal service. Available values are: audit, driver, syslog, journal, stdout, kernel.

$User (type: string)

User ID of the process the journal entry originates from.
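The following configuration is an added example; it is not from the NXLog documentation or the Example 1 configuration above. It combines the ReadFromLast/SavePos matrix (read the whole journal once, then resume from the saved cursor on every restart) with an Exec block that uses the fields listed above to drop debug-level entries and forward only authentication-related sources. The output file path, the route name and the list of source identifiers are assumptions to adjust for your environment.

```nxlog
# Added example, not from the NXLog documentation. The file path, route name
# and the identifiers in the regular expression are assumed placeholders.

<Extension _json>
    Module          xm_json
</Extension>

<Input systemd>
    Module          im_systemd
    # First start: read the journal from the beginning (ReadFromLast FALSE,
    # no saved position). Later starts: resume from the saved cursor
    # (SavePos TRUE, saved position present), so nothing is lost or re-read
    # across agent restarts.
    ReadFromLast    FALSE
    SavePos         TRUE
    <Exec>
        # Discard debug-level chatter (SeverityValue 7) on the host.
        if $SeverityValue >= 7 drop();

        # Keep only authentication-related sources. $SourceName is the
        # syslog identifier ("tag") and may be absent, so test defined()
        # first; an undefined field in a condition would otherwise keep
        # the entry.
        if not defined($SourceName) drop();
        if $SourceName !~ /^(sshd|sudo|systemd-logind)$/ drop();

        # Serialize the remaining fields as one JSON object per line.
        to_json();
    </Exec>
</Input>

<Output file>
    Module          om_file
    File            "/var/log/nxlog/systemd.json"
</Output>

<Route systemd_to_file>
    Path            systemd => file
</Route>
```

The nxlog user still needs to be a member of the systemd-journal group for this input to open the journal. Because drop() ends processing of the current event, the order of the statements matters: the cheap severity check runs first, and to_json() only runs for events that survive both filters. Filtering on $SourceName rather than $SystemdUnit keeps sudo entries, which are logged from the login session scope rather than from a dedicated service unit.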

Examples

Example 1. Using the im_systemd module to read the systemd journal

In this example, NXLog Agent reads journal messages using im_systemd and converts them into JSON format using the xm_json module.

nxlog.conf
<Extension _json>
    Module         xm_json
</Extension>

<Input systemd>
    Module         im_systemd
    Exec           to_json();
</Input>

Below is a sample of a systemd journal message after it was processed by NXLog Agent.

Event Sample
{"Severity":"info","SeverityValue":6,"Facility":"auth","FacilityValue":3,
"Message":"Reached target User and Group Name Lookups.","SourceName":"systemd",
"ProcessID":1,"BootID":"179e1f0a40c64b6cb126ed97278aef89",
"MachineID":"0823d4a95f464afeb0021a7e75a1b693","Hostname":"user",
"Transport":"kernel","EventReceivedTime":"2020-02-05T14:46:09.809554+00:00",
"SourceModuleName":"systemd","SourceModuleType":"im_systemd"}