
How can I change my syslog-ng template so that when the log originates from a systemd service / unit, the log message will include the unit's name?

Using ${PROGRAM} just shows the name of the executable that the systemd service called / that the message originated from. journald seems to have a field for this information: _SYSTEMD_UNIT, but referencing that in my syslog-ng template seems to be insufficient.

Background on my setup:

I'm running Debian Jessie and have created systemd services to manage Docker containers. The applications in these containers log to stdout / stderr, which subsequently ends up in log files controlled by journald.

I use syslog-ng (version 3.5.6-2) to forward my logs to loggly and papertrail (comparing them right now). Since I'm running Debian Jessie, I configured journald to forward log messages to syslog by setting ForwardToSyslog=yes in journald.conf.

Problem:

The default templates for loggly and papertrail include ${PROGRAM} in each log message, which is the name of the 'executable' that generated the message. However, in my setup, the executable called is docker for all of my containers. Thus, the name of the executable is useless for helping me filter logs and identify logs originating from specific containers.

Notes:

syslog-ng documentation notes that there is a systemd-journal driver, which seems to provide additional variables. However, that driver doesn't seem to be available in Debian Jessie's version of syslog-ng (3.5.6-2).

BSchlinker
  • What's the point of exporting logs to external syslog just to emulate the structured logging behavior of journald, which already has the necessary information? – god Nov 03 '16 at 23:37

2 Answers


You can find somewhat newer syslog-ng packages (that include the systemd-journal driver) for Debian Jessie in the repository of a syslog-ng developer at https://build.opensuse.org/project/show/home:laszlo_budai:syslog-ng

I'm not sure that this will make the field available in syslog-ng (unless it is translated somewhere to _COMM or SYSLOG-IDENTIFIER, see http://support.oneidentity.com/technical-documents/syslog-ng-open-source-edition/administration-guide/source-read-receive-and-collect-log-messages/systemd-journal-collecting-messages-from-the-systemd-journal-system-log-storage ), but if you do need it, open a GitHub issue at https://github.com/balabit/syslog-ng

Regards, Robert

Robert Fekete

I'm also referring to journald fields that came from docker; basically you'll have to prepend .journald. to the field name, e.g.

...
template("<$PRI>1 ${ISODATE} ${HOST} ${.journald.CONTAINER_TAG:--} ${PID:--} ${.journald.CONTAINER_ID:--} - ${MSG}\n")

Then it works like a charm:

<134>1 2018-06-14T10:29:08+00:00 typerpc-3 alpine-02.1.vj6qhqulxkkojb9uatd3v08ar 1015 ef4e25bad3a3 - mg 2
deFreitas
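As an added example (not from the question or from either answer), the following is a complete syslog-ng configuration that ties the two answers together: it reads the journal directly with the systemd-journal() driver, so the journal fields the question asks about (_SYSTEMD_UNIT and docker's CONTAINER_* fields) become ${.journald.<FIELD>} macros, copies the unit name into ${PROGRAM} so the stock loggly/papertrail templates identify the right service, and uses an RFC 5424 template in the style of the previous answer. It assumes a syslog-ng build that ships the systemd-journal() driver (newer than Jessie's 3.5.6-2, as the first answer notes), that the @version line matches the installed release, and a placeholder remote host logs.example.com; the source, rewrite, template, filter and destination names are my own.

```conf
@version: 3.8
@include "scl.conf"

# Read the journal directly instead of the ForwardToSyslog copy: only then
# are journal fields exposed as ${.journald.<FIELD>} macros (the ".journald."
# prefix shown here is the driver's default).
source s_journal {
    systemd-journal(prefix(".journald."));
};

# ${PROGRAM} is "docker" for every container in the question's setup.
# When the message carries a unit name, use it as PROGRAM instead, so the
# unchanged loggly/papertrail templates already name the container's service.
rewrite r_program_from_unit {
    set("${.journald._SYSTEMD_UNIT}"
        value("PROGRAM")
        condition("${.journald._SYSTEMD_UNIT}" ne ""));
};

# RFC 5424 layout: unit as APP-NAME, container ID as MSGID, with the nil
# value "-" wherever a field is absent (same ":--" fallback as the answer).
template t_rfc5424_unit {
    template("<${PRI}>1 ${ISODATE} ${HOST} ${.journald._SYSTEMD_UNIT:--} ${PID:--} ${.journald.CONTAINER_ID:--} - ${MSG}\n");
};

# Forward only messages that carry a docker container ID.
filter f_containers { "${.journald.CONTAINER_ID}" ne ""; };

# Placeholder destination (assumed host name, not a real collector).
destination d_remote {
    syslog("logs.example.com" transport("tcp") port(514) template(t_rfc5424_unit));
};

log {
    source(s_journal);
    filter(f_containers);
    rewrite(r_program_from_unit);
    destination(d_remote);
};
```

Use this as the only journal reader: syslog-ng permits a single systemd-journal() source, and on releases where the default system() source already wraps one, the stock Debian config needs to be adjusted rather than extended; otherwise the messages forwarded via ForwardToSyslog=yes arrive a second time. For a collector on the public internet, swap transport("tcp") for transport("tls") with a tls() block so container output and host names do not cross the network in the clear.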