Systemd-journald is a system service that collects and stores logging data.
It creates and maintains structured, indexed journals based on logging information from a variety of sources.
Log collection is disabled by default in the Datadog Agent. To enable it, set the following in datadog.yaml:
logs_enabled: true
Then add this configuration block to your journald.d/conf.yaml file to start collecting your logs:
logs:
  - type: journald
    container_mode: true
To fill the source and service attributes, the Agent collects SYSLOG_IDENTIFIER, _SYSTEMD_UNIT and _COMM and sets them to the first non-empty value. To take advantage of the integration pipelines, Datadog recommends setting the SyslogIdentifier parameter in the systemd service file directly, or in a systemd service override file. The location of these files depends on your distribution, but you can find the systemd service file with the command systemctl show -p FragmentPath <unit_name>.
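To see which units would fall back to _SYSTEMD_UNIT or _COMM, the following added example (not Datadog's code) applies the first-non-empty rule described above to entries in journalctl -o json format. The sample entries are constructed, the function names are hypothetical, "non-empty" is assumed to mean a non-empty string, and container_mode is not modeled.

```python
import json
from collections import Counter, defaultdict

# Order stated on the page: the first non-empty value wins.
FIELDS = ("SYSLOG_IDENTIFIER", "_SYSTEMD_UNIT", "_COMM")

# Constructed sample in `journalctl -o json` format (one JSON object per line).
SAMPLE = """\
{"_SYSTEMD_UNIT":"sshd.service","SYSLOG_IDENTIFIER":"sshd","_COMM":"sshd","MESSAGE":"Accepted publickey for deploy"}
{"_SYSTEMD_UNIT":"billing.service","SYSLOG_IDENTIFIER":"","_COMM":"python3","MESSAGE":"invoice run started"}
{"_SYSTEMD_UNIT":"billing.service","_COMM":"python3","MESSAGE":"invoice run finished"}
{"_COMM":"cron","MESSAGE":"job started"}
{"MESSAGE":"entry with no identifying fields"}
"""

def resolve(entry):
    """Return (value, field) for the first non-empty field, or (None, None)."""
    for field in FIELDS:
        value = entry.get(field)
        # Assumption: only a non-empty string counts as a usable value.
        if isinstance(value, str) and value:
            return value, field
    return None, None

def audit(lines):
    """Count, per resolved value, which journal field supplied it."""
    report = defaultdict(Counter)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        value, field = resolve(json.loads(line))
        report[value][field] += 1
    return report

def needs_syslog_identifier(report):
    """Resolved values that came from a fallback field instead of SYSLOG_IDENTIFIER."""
    return sorted(
        value for value, counts in report.items()
        if value is not None and any(f != "SYSLOG_IDENTIFIER" for f in counts)
    )

if __name__ == "__main__":
    rep = audit(SAMPLE.splitlines())
    for value, counts in rep.items():
        print(value, dict(counts))
    print("consider setting SyslogIdentifier for:", needs_syslog_identifier(rep))
```

To run it against a real host, replace SAMPLE.splitlines() with the lines of journalctl -o json output.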
Note: With Agent 7.17+, if container_mode is set to true, the default behavior changes for logs coming from Docker containers. The source attribute of your logs is automatically set to the corresponding short image name of the container instead of simply docker.
In Datadog Agent version 7.37.0+, you can filter user-level units by using these parameters:
include_user_units: Includes all user-level units specified.
exclude_user_units: Excludes all user-level units specified.
Note: Use the * wildcard in exclude_units or exclude_user_units to specify a particular Journald log. The * wildcard does not work with include_units. By default, if no units are specified for either system or user, and no matches are defined, all journal logs are collected.
Example:
logs:
  # Collect all system-level unit logs.
  - type: journald
    exclude_user_units:
      - '*'
Tags are critical for finding information in highly dynamic containerized environments, which is why the Agent can collect container tags in journald logs.
This works automatically when the Agent is running from the host. If you are using the containerized version of the Datadog Agent, mount your journal path and the following file:
/etc/machine-id: this ensures that the Agent can query the journal that is stored on the host.