Nixos fluentd.nix forward to elk / Kibana

I am trying to forward my systemd logs to an ELK / Kibana stack, but I fail majorly… does anyone have a working config example for fluentd or filebeat on a NixOS stack?

thanks
Johannes

Not exactly what you are asking for, but vector has served me well for various log shipping purposes, including journald.


Thanks, that worked like a charm. For everyone else, this is the example config I use, including some filters to exclude or include specific logs:

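# Ship systemd journal entries to Elasticsearch with Vector.
#
# Everything in `settings` is rendered into the Nix store, which is readable by
# every local user, so do not place Elasticsearch credentials in this attribute
# set; keep any auth material in a file Vector reads at runtime instead.
services.vector = {
  enable = true;
  # Grants the vector service read access to the journal, which the
  # journald source below needs.
  journaldAccess = true;
  settings = builtins.fromTOML ''
    # Read the systemd journal; only entries from the current boot are shipped.
    [sources.journald]
    type = "journald"
    current_boot_only = true

    # Host-level services: keep every unit EXCEPT the ones listed here.
    # The condition is deliberately inverted (drop docker.service and
    # vector.service; the latter keeps Vector from re-ingesting its own output).
    [transforms.journald_system]
    type = "filter"
    inputs = [ "journald" ]
    condition = "false == includes(value: [\"docker.service\", \"vector.service\"], item: ._SYSTEMD_UNIT)"

    # Container logs: keep only the containers listed here, matched on the
    # CONTAINER_NAME journal field (presumably set by the container runtime's
    # journald logging — confirm against `journalctl -o json`).
    # The rspamd entry was listed twice in the original; one copy is enough.
    [transforms.journald_transform]
    type = "filter"
    inputs = [ "journald" ]
    condition = "includes(value: [\"mailcowdockerized-dovecot-mailcow-1\", \"mailcowdockerized-postfix-mailcow-1\", \"mailcowdockerized-rspamd-mailcow-1\", \"mailcowdockerized-mysql-mailcow-1\", \"mailcowdockerized-sogo-mailcow-1\", \"mailcowdockerized-dockerapi-mailcow-1\", \"mailcowdockerized-netfilter-mailcow-1\"], item: .CONTAINER_NAME)"

    # Debugging sink, disabled. If it is re-enabled, prefer a directory that is
    # not world-readable: a file under /tmp exposes the shipped log contents
    # (mail addresses, client IPs, ...) to every local user.
    #    [sinks.my_sink_id]
    #    type = "file"
    #    encoding.codec = "json"
    #    inputs = [ "journald_system" ]
    #    path = "/tmp/vector-%Y-%m-%d.log"

    # Both filters feed the sink. An event that passes both filters would be
    # indexed twice; presumably container entries carry
    # _SYSTEMD_UNIT=docker.service and are therefore only admitted by
    # journald_transform — confirm.
    #
    # NOTE(review): the endpoint is plain http:// with no `tls` or `auth`
    # section, so log data crosses the network in clear text to an
    # unauthenticated server. Unless elastic-server is only reachable over a
    # trusted link, use an https:// endpoint and configure the sink's `tls`
    # and `auth` options (with the secret kept out of the Nix store, see above).
    [sinks.joesnuc_elastic]
    type = "elasticsearch"
    inputs = [ "journald_transform", "journald_system" ]
    api_version = "auto"
    endpoints = [ "http://elastic-server:9200" ]
    # Uses the event's `id` field as the document id; journald events may not
    # carry such a field, in which case Elasticsearch assigns one — verify.
    id_key = "id"
  '';
};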

}