This section describes the options of the systemd-journal() source in syslog-ng OSE.

The systemd-journal() driver has the following options:

default-facility()

Type: facility string
Default: local0

Description: This parameter assigns a facility value to the messages received from the systemd-journal() source if the message does not specify one.

default-priority()

Type: priority string
Default: notice

Description: This parameter assigns an emergency level to the messages received from the systemd-journal() source if the message does not specify one. For example, default-priority(warning).

default-level()

Type: string
Default: notice

Description: The default level value if the PRIORITY entry does not exist.

hook-commands()

Description: This option makes it possible to execute external programs when the relevant driver is initialized or torn down. The hook-commands() can be used with all source and destination drivers with the exception of the usertty() and internal() drivers.

NOTE: The syslog-ng OSE application must be able to start and restart the external program, and have the necessary permissions to do so. For example, if your host is running AppArmor or SELinux, you might have to modify your AppArmor or SELinux configuration to enable syslog-ng OSE to execute external applications.

Using the hook-commands() when syslog-ng OSE starts or stops

To execute an external program when syslog-ng OSE starts or stops, use the following options:

startup()

Type: string
Default: N/A

Description: Defines the external program that is executed as syslog-ng OSE starts.

shutdown()

Type: string
Default: N/A

Description: Defines the external program that is executed as syslog-ng OSE stops.

Using the hook-commands() when syslog-ng OSE reloads

To execute an external program when the syslog-ng OSE configuration is initiated or torn down, for example, on startup/shutdown or during a syslog-ng OSE reload, use the following options:

setup()

Type: string
Default: N/A

Description: Defines an external program that is executed when the syslog-ng OSE configuration is initiated, for example, on startup or during a syslog-ng OSE reload.

teardown()

Type: string
Default: N/A

Description: Defines an external program that is executed when the syslog-ng OSE configuration is stopped or torn down, for example, on shutdown or during a syslog-ng OSE reload.

Example: Using the hook-commands() with a network source

In the following example, the hook-commands() is used with the network() driver and it opens an iptables port automatically as syslog-ng OSE is started/stopped.

The assumption in this example is that the LOGCHAIN chain is part of a larger ruleset that routes traffic to it. Whenever the syslog-ng OSE created rule is there, packets can flow, otherwise the port is closed.

source {
    network(transport(udp)
        hook-commands(
          startup("iptables -I LOGCHAIN 1 -p udp --dport 514 -j ACCEPT")
          shutdown("iptables -D LOGCHAIN 1")
        )
      );
};

host-override()

Type: string
Default:  

Description: Replaces the HOST part of the message with the parameter string.

keep-hostname()

Type: yes or no
Default: no

Description: Enable or disable hostname rewriting.

NOTE: If the log message does not contain a hostname in its HOST field, syslog-ng OSE automatically adds a hostname to the message.

  • For messages received from the network, this hostname is the address of the host that sent the message (this means the address of the last hop if the message was transferred via a relay).

  • For messages received from the local host, syslog-ng OSE adds the name of the host.

This option can be specified globally, and per-source as well. The local setting of the source overrides the global option if available.

NOTE: When relaying messages, enable this option on the syslog-ng OSE server and also on every relay, otherwise syslog-ng OSE will treat incoming messages as if they were sent by the last relay.

match-boot()

Type: yes, no
Default: no

This option is available in syslog-ng OSE 4.1 and later versions.

Description: If this option is set to yes, syslog-ng OSE fetches only which relate to the current boot. Every message generated in the previous boot is ignored.

matches()

Type: string
Default:  

This option is available in syslog-ng OSE 4.1 and later versions.

Description: This option specifies one or more filters to be applied on the journal fields. This options application is similar to journalctl.

Example:

matches(
    "_COMM" => "systemd"
    )

max-field-size()

Type: number (characters)
Default: 65536

Description: The maximum length of a field’s value.

namespace()

Type: string
Default: “*”

Description: The namespace() option works exactly the same way as the respective option of the Journalctl command line tool.

The following modes of operation are available:

  • If you do not specify the namespace() option in your configuration, or if you specify an empty string, the systemd-journal() source reads and displays log data from all namespaces.

  • If you specify the namespace() option as namespace(“*”), the systemd-journal() source reads and displays log data from all namespaces, interleaved.

  • If namespace(<specified-namespace>) is specified, the systemd-journal() source only reads and displays log data from the specified namespace.

  • If the namespace identifier is prefixed with “+” when you specify your namespace() option, the systemd-journal()source only reads and displays log data from the specified namespace and the default namespace, interleaved.

Syntax: namespace(string)

NOTE: Starting with syslog-ng OSE version 4.4, multiple systemd-journal() sources can be configured. When configuring multiple sources, each systemd namespace must be unique.

Example: configuration examples for using the namespace() option

The following configuration example uses the default value for the namespace() option:

source s_journal
{ 
  systemd-journal(namespace("*"));
};

The following configuration example uses a prefixed namespace identifier in the namespace() option:

source s_journal
{ 
  systemd-journal(namespace("+foobar"));
};

NOTE: Namespace support was introduced to the Journalctl command line tool in Systemd version 2.45. The syslog-ng OSE application supports the namespace() option from version 3.29. For further information about namespaces on the Systemd side, see Journal Namespaces.

prefix()

Type: string
Default: .journald.

Description: If this option is set, every non-built-in mapped names get a prefix (for example: “.SDATA.journald.”). By default, syslog-ng OSE adds the .journald. prefix to every value.

read-old-records()

Accepted values: yes | no
Default: yes

Description: If set to yes, syslog-ng OSE will start reading the records from the beginning of the journal, if the journal has not been read yet. If set to no, syslog-ng OSE will read only the new records. If the source has a state in the persist file, this option will have no effect.

time-zone()

Type: name of the timezone, or the timezone offset
Default:  

Description: The default timezone for messages read from the source. Applies only if no timezone is specified within the message itself.

The timezone can be specified by using the name, for example, time-zone(“Europe/Budapest”)), or as the timezone offset in +/-HH:MM format, for example, +01:00). On Linux and UNIX platforms, the valid timezone names are listed under the /usr/share/zoneinfo directory.

use-fqdn()

Accepted values: yes | no
Default: no

Description: Use this option to add a Fully Qualified Domain Name (FQDN) instead of a short hostname. You can specify this option either globally or per-source. The local setting of the source overrides the global option if available.

TIP: Set use-fqdn() to yes if you want to use the custom-domain() global option.

NOTE: This option has no effect if the keep-hostname() option is enabled (keep-hostname(yes)) and the message contains a hostname.

Updated: