Systemd (im_systemd)
Systemd is a Linux initialization system with parallelization capabilities and dependency-based control logic. Systemd journal is the logging component of systemd.
The im_systemd module accepts messages from the systemd journal.
To enable running the im_systemd module under the
|
Configuration
The im_systemd module accepts the following directives in addition to the common module directives.
Optional directives
This optional boolean directive instructs the module to only read entries from the journal that arrive after NXLog Agent is started.
When The following matrix shows the outcome of this directive in conjunction with the SavePos directive:
|
|||||||||||||||||||||||||||||||||||||
If this boolean directive is set to |
Fields
The following fields are used by im_systemd.
$raw_event
(type: string)-
A list of event fields in key-value pairs.
$AuditSession
(type: string)-
Session of the process the journal entry originates from, as maintained by the kernel audit subsystem.
$AuditUID
(type: string)-
Login UID of the process the journal entry originates from, as maintained by the kernel audit subsystem.
$BootID
(type: string)-
Kernel boot ID for the boot the message was generated in, formatted as a 128-bit hexadecimal string.
$Capabilities
(type: string)-
Effective capabilities of the process the journal entry originates from.
$CodeFile
(type: string)-
Code location to generate this message, if known. Contains the source filename.
$CodeFunc
(type: string)-
Code location to generate this message, if known. Contains the function name.
$CodeLine
(type: integer)-
Code location to generate this message, if known. Contains the line number.
$CoredumpUnit
(type: string)-
Annotation to the message in case it contains coredumps from system and session units.
$CoredumpUserUnit
(type: string)-
Annotation to the message in case it contains coredumps from system and session units.
$DevLink
(type: string)-
Additional symlink names pointing to the device node under the '/dev' directory.
$DevName
(type: string)-
Device name of the kernel as it shows up in the device tree under the '/sys' directory.
$DevNode
(type: string)-
Node path of the device under the '/dev' directory.
$Errno
(type: integer)-
Low-level Unix error number which caused the entry, if any. Contains the numeric value of 'errno' formatted as a decimal string.
$EventTime
(type: datetime)-
The earliest trusted timestamp of the message, if any is known that is different from the reception time of the journal.
$Facility
(type: string)-
Syslog compatibility fields containing the facility.
$Group
(type: string)-
Group ID of the process the journal entry originates from.
$Hostname
(type: string)-
The name of the originating host.
$KernelDevice
(type: string)-
Device name of the kernel. If the entry is associated to a block device, the field contains the major and minor of the device node, separated by ":" and prefixed by "b". Similar for character devices but prefixed by "c". For network devices, this is the interface index prefixed by "n". For all other devices, this is the subsystem name prefixed by "+", followed by ":", followed by the kernel device name.
$KernelSubsystem
(type: string)-
Subsystem name of the kernel.
$MachineID
(type: string)-
Machine ID of the originating host.
$Message
(type: string)-
A human-readable message string for the current entry. This is supposed to be the primary text shown to the user. This is usually not translated (but might be in some cases), and not supposed to be parsed for metadata.
$MessageID
(type: string)-
A 128-bit message identifier for recognizing certain message types, if this is desirable. This should contain a 128-bit identifier formatted as a lower-case hexadecimal string, without any separating dashes or suchlike. This is recommended to be a UUID-compatible ID, but this is not enforced, and formatted differently.
$ObjAuditSession
(type: integer)-
This field contains the same value as the 'AuditSession', except that the process identified by PID is described, instead of the process which logged the message.
$ObjAuditUID
(type: integer)-
This field contains the same value as the 'AuditUID', except that the process identified by PID is described, instead of the process which logged the message.
$ObjGroup
(type: integer)-
This field contains the same value as the 'Group', except that the process identified by PID is described, instead of the process which logged the message.
$ObjProcessCmdLine
(type: integer)-
This field contains the same value as the 'ProcessCmdLine', except that the process identified by PID is described, instead of the process which logged the message.
$ObjProcessExecutable
(type: integer)-
This field contains the same value as the 'ProcessExecutable', except that the process identified by PID is described, instead of the process which logged the message.
$ObjProcessID
(type: integer)-
This field contains the same value as the 'ProcessID', except that the process identified by PID is described, instead of the process which logged the message.
$ObjProcessName
(type: integer)-
This field contains the same value as the 'ProcessName', except that the process identified by PID is described, instead of the process which logged the message.
$ObjSystemdCGroup
(type: integer)-
This field contains the same value as the 'SystemdCGroup', except that the process identified by PID is described, instead of the process which logged the message.
$ObjSystemdOwnerUID
(type: integer)-
This field contains the same value as the 'SystemdOwnerUID', except that the process identified by PID is described, instead of the process which logged the message.
$ObjSystemdSession
(type: integer)-
This field contains the same value as the 'SystemdSession', except that the process identified by PID is described, instead of the process which logged the message.
$ObjSystemdUnit
(type: integer)-
This field contains the same value as the 'SystemdUnit', except that the process identified by PID is described, instead of the process which logged the message.
$ObjUser
(type: integer)-
This field contains the same value as the 'User', except that the process identified by PID is described, instead of the process which logged the message.
$ProcessCmdLine
(type: string)-
Command line of the process the journal entry originates from.
$ProcessExecutable
(type: string)-
Executable path of the process the journal entry originates from.
$ProcessID
(type: string)-
Syslog compatibility field containing the client PID.
$ProcessName
(type: string)-
Name of the process the journal entry originates from.
$SelinuxContext
(type: string)-
SELinux security context (label) of the process the journal entry originates from.
$Severity
(type: string)-
A priority value between 0 ("emerg") and 7 ("debug") formatted as a string. This field is compatible with syslog’s priority concept.
$SeverityValue
(type: integer)-
A priority value between 0 ("emerg") and 7 ("debug") formatted as a decimal string. This field is compatible with syslog’s priority concept.
$SourceName
(type: string)-
Syslog compatibility field containing the identifier string (i.e. "tag").
$SysInvID
(type: string)-
Invocation ID for the runtime cycle of the unit the message was generated in, as available to processes of the unit in $INVOCATION_ID.
$SystemdCGroup
(type: string)-
Control group path in the systemd hierarchy of the process the journal entry originates from.
$SystemdOwnerUID
(type: string)-
Owner UID of the systemd session (if any) of the process the journal entry originates from.
$SystemdSession
(type: string)-
Systemd session ID (if any) of the process the journal entry originates from.
$SystemdSlice
(type: string)-
Systemd slice unit of the process the journal entry originates from.
$SystemdUnit
(type: string)-
Systemd unit name (if any) of the process the journal entry originates from.
$SystemdUserUnit
(type: string)-
Systemd user session unit name (if any) of the process the journal entry originates from.
$Transport
(type: string)-
Transport of the entry to the journal service. Available values are: audit, driver, syslog, journal, stdout, kernel.
$User
(type: string)-
User ID of the process the journal entry originates from.
Examples
In this example, NXLog Agent reads journal messages using im_systemd and converts them into JSON format using the xm_json module.
<Extension _json>
Module xm_json
</Extension>
<Input systemd>
Module im_systemd
Exec to_json();
</Input>
Below is a sample of a systemd journal message after it was processed by NXLog Agent.
{"Severity":"info","SeverityValue":6,"Facility":"auth","FacilityValue":3,
"Message":"Reached target User and Group Name Lookups.","SourceName":"systemd",
"ProcessID":1,"BootID":"179e1f0a40c64b6cb126ed97278aef89",
"MachineID":"0823d4a95f464afeb0021a7e75a1b693","Hostname":"user",
"Transport":"kernel","EventReceivedTime":"2020-02-05T14:46:09.809554+00:00",
"SourceModuleName":"systemd","SourceModuleType":"im_systemd"}