systemd_journald: Transform keys from journald JSON to Cloud Logging JSON #256

Open
akkornel opened this issue Oct 31, 2021 · 3 comments · Fixed by #502

Comments

@akkornel

Hello!

I am looking at using the Ops Agent for my GCP project, and I'm especially interested in using the systemd_journald receiver. I am interested in this because journald is already collecting logs for me, and it would be great to take advantage of journald's structured-log format.

Even though the receiver is doing the work of pulling in logs from journald, the log entries coming from journald aren't in a form that Cloud Logging can process. So, my request is that the Ops Agent's systemd_journald receiver be enhanced to transform the JSON entries from systemd's schema to Cloud Logging's schema.

One key from the JSON needs a simple key change:

  • The key MESSAGE needs to change to message.

One key needs both a key change and a value change:

  • SYSLOG_PRIORITY is a numeric priority encoded as a string. The key name needs to change to severity, and the value needs to be mapped to an acceptable-to-Cloud-Logging string using the following mapping:
    7 maps to DEBUG
    6 maps to INFO
    5 maps to NOTICE
    4 maps to WARNING
    3 maps to ERROR
    2 maps to CRITICAL
    1 maps to ALERT
    0 maps to EMERGENCY

There are three keys which could be present and, if so, need to trigger the creation of the logging.googleapis.com/sourceLocation object:

  • CODE_FILE: If present, it should be added to the logging.googleapis.com/sourceLocation object, under key file.
  • CODE_LINE: If present, it should be added to the logging.googleapis.com/sourceLocation object, under key line.
  • CODE_FUNC: If present, it should be added to the logging.googleapis.com/sourceLocation object, under key function.

Finally, the timestamp object has to be created by applying some math to the __REALTIME_TIMESTAMP key:

For the timestampSeconds key: Take the value from ⌊__REALTIME_TIMESTAMP ÷ 1000000⌋.
For the timestampNanos key: Take the value from __REALTIME_TIMESTAMP mod 1000000 × 1000.
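
The transformation requested above, sketched in Go as an added example (not part of the original post and not Ops Agent code). `Transform`, `severities` and `locKeys` are hypothetical names; key names follow the post, and emitting `timestampSeconds`/`timestampNanos` as top-level keys, passing other fields through, and dropping malformed values are assumptions of this sketch.

```go
package main

import (
	"fmt"
	"strconv"
)

// Severity per syslog priority digit and sourceLocation sub-keys, as listed in the issue.
var severities = []string{"EMERGENCY", "ALERT", "CRITICAL", "ERROR", "WARNING", "NOTICE", "INFO", "DEBUG"}
var locKeys = map[string]string{"CODE_FILE": "file", "CODE_LINE": "line", "CODE_FUNC": "function"}

// Transform (hypothetical helper, not Ops Agent code) rewrites one decoded journald
// entry. Field values come from the logging process, so malformed ones are dropped.
func Transform(in map[string]interface{}) map[string]interface{} {
	out := map[string]interface{}{}
	loc := map[string]string{}
	for k, v := range in {
		s, _ := v.(string) // journald JSON uses arrays or null for some values
		switch k {
		case "MESSAGE":
			out["message"] = v
		case "SYSLOG_PRIORITY":
			if len(s) == 1 && s[0] >= '0' && s[0] <= '7' {
				out["severity"] = severities[s[0]-'0']
			}
		case "CODE_FILE", "CODE_LINE", "CODE_FUNC":
			if s != "" {
				loc[locKeys[k]] = s
			}
		case "__REALTIME_TIMESTAMP": // microseconds since the epoch, as a decimal string
			if us, err := strconv.ParseUint(s, 10, 64); err == nil {
				out["timestampSeconds"] = us / 1000000
				out["timestampNanos"] = (us % 1000000) * 1000
			}
		default:
			out[k] = v // assumption: all other journald fields pass through unchanged
		}
	}
	if len(loc) > 0 {
		out["logging.googleapis.com/sourceLocation"] = loc
	}
	return out
}

func main() {
	// Constructed sample entry, as decoded from one line of JSON-exported journal output.
	entry := map[string]interface{}{"MESSAGE": "disk full", "SYSLOG_PRIORITY": "3",
		"CODE_FILE": "io.c", "CODE_LINE": "42", "__REALTIME_TIMESTAMP": "1635700000123456"}
	fmt.Println(Transform(entry))
}
```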

@quentinmit
Member

Severity mapping and code mapping are both good feature requests.

Are you actually having problems with the message and timestamp? Those should work fine without any additional translation.

@quentinmit
Member

I'm going to reopen this since it looks like we haven't fixed MESSAGE yet.

@quentinmit quentinmit reopened this Apr 8, 2022
@alemnew

alemnew commented Mar 7, 2024

Is there any ETA for this to be fixed and released?
