-
Notifications
You must be signed in to change notification settings - Fork 2.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[receiver/journald] Add more filtering options #20295
Comments
I missed the "obvious" way to filter journald logs by any property with |
Apparently the Journald receiver doesn't have any specific code owners 🙀
@djaglowski do you have an opinion or do you know who might? 🙂 |
@astencel-sumo, I'd be willing to be a code owner. I'm more familiar with the stanza framework than with journald in particular. Any chance you'd want to co-own this with me? |
I'd be happy to co-own this component with you @djaglowski, but I'm thinking perhaps @sumo-drosiek would be an even better candidate for this component. What do you think @sumo-drosiek and @djaglowski? |
I would be very honored and happy to co-own the receiver |
Great, thanks @sumo-drosiek and @astencel-sumo! |
@sumo-drosiek, it appears you are not a member of the OpenTelemetry org. Typically we need code owners to be members so that we can assign issues, etc. If you want to apply I'm happy to be one of your sponsors. |
Yes, it seems I need to take care of formal part. I appreciate it and going to start the process |
@sumo-drosiek if you are looking for a second sponsor I would be happy to be one of them. |
@djaglowski @atoulme @astencel-sumo here is my application then: open-telemetry/community#1399 |
OK, back to the topic of this issue then 😅 I think perhaps it's best to start with adding the receivers:
journald:
matches:
- _SYSTEMD_UNIT: avahi-daemon.service
_PID: 28097
- _SYSTEMD_UNIT: dbus.service The This is similar to Fluentd's implementation, which I believe to be feature complete. Compared to that, the Fluent Bit's implementation seems to be not as feature complete, if I'm understanding correctly, as it only allows for a single list of conditions, which are all joined with either an |
It may work, as we are able to cover the following examples:
The only thing which I don't really like is duplication of For example for the following configuration:
The behavior will be:
and another example:
converts to
|
Also until there is no decision if we are going to migrate to |
The |
Thanks a lot folks for your thoughts. 🙏 @sumo-drosiek about the
In light of this, it seems to me that the |
@sumo-drosiek Am I looking at the right thing? https://www.freedesktop.org/software/systemd/man/systemd-journal-gatewayd.service.html This one does seem to support the |
Yes, this is correct manual.
It is
In order to achieve |
@astencel-sumo, @djaglowski With
Looking at the behavior I would say that they can be worth to have it, especially |
They all seem worthwhile to me. |
This issue has been inactive for 60 days. It will be closed in 60 days if there is no activity. To ping code owners by adding a component label, see Adding Labels via Comments, or if you are unsure of which component this issue relates to, please ping Pinging code owners:
See Adding Labels via Comments if you do not have permissions to add labels yourself. |
@astencel-sumo @djaglowski I think we can finally close this issue :) |
Component(s)
receiver/journald
Is your feature request related to a problem? Please describe.
The Journald receiver currently offers the following options to filter the journald logs:
unit
andpriority
. Sometimes these options are not enough. I have a scenario where a user is running iptables on a host with systemd, and the logs from iptables are written to journald as kernel logs. They do not have any unit assigned, so you cannot filter them byunit
, and filtering bypriority
doesn't help either. It seems that in this case filtering by kernel messages (-k
/--dmesg
as described in the man page) would help.Describe the solution you'd like
The filtering options in the Journald receiver are under the hood translated into the options of the
journalctl
binary. Looking at the command's man page, there are a couple other filtering options that sound like a good candidate to be exposed in the receiver:-k
,--dmesg
- Show only kernel messages.-g
,--grep=
- Filter output to entries where theMESSAGE
field matches the specified regular expression.-t
,--identifier=
- Show messages for the specifiedSYSLOG_IDENTIFIER
Describe alternatives you've considered
An alternative is to read all logs without filtering and apply a
filter
operator, for example like this to get only kernel logs:It's easy to trip on the
filter
operator as you need to remember to invert the condition 😅, also this is probably a lot less performant, especially if you have a lot of logs in systemd.Additional context
No response
The text was updated successfully, but these errors were encountered: