Menu
Grafana Cloud

loki.source.journal

loki.source.journal reads from the systemd journal and forwards them to other loki.* components.

Multiple loki.source.journal components can be specified by giving them different labels.

Note

Make sure that the grafana-alloy user is a member of the following groups:

  • adm
  • systemd-journal

Usage

alloy
loki.source.journal "LABEL" {
  forward_to    = RECEIVER_LIST
}

Arguments

The component starts a new journal reader and fans out log entries to the list of receivers passed in forward_to.

loki.source.journal supports the following arguments:

NameTypeDescriptionDefaultRequired
format_as_jsonboolWhether to forward the original journal entry as JSON.falseno
max_agedurationThe oldest relative time from process start that will be read."7h"no
pathstringPath to a directory to read entries from.""no
matchesstringJournal matches to filter. The + character is not supported, only logical AND matches will be added.""no
forward_tolist(LogsReceiver)List of receivers to send log entries to.yes
relabel_rulesRelabelRulesRelabeling rules to apply on log entries.{}no
labelsmap(string)The labels to apply to every log coming out of the journal.{}no

Note

A job label is added with the full name of the component loki.source.journal.LABEL.

When the format_as_json argument is true, log messages are passed through as JSON with all of the original fields from the journal entry. Otherwise, the log message is taken from the content of the MESSAGE field from the journal entry.

When the path argument is empty, /var/log/journal and /run/log/journal will be used for discovering journal entries.

The relabel_rules argument can make use of the rules export value from a loki.relabel component to apply one or more relabeling rules to log entries before they’re forwarded to the list of receivers in forward_to.

All messages read from the journal include internal labels following the pattern of __journal_FIELDNAME and will be dropped before sending to the list of receivers specified in forward_to. To keep these labels, use the relabel_rules argument and relabel them to not be prefixed with __.

Note

Many field names from journald start with an _, such as _systemd_unit. The final internal label name would be __journal__systemd_unit, with two underscores between __journal and systemd_unit.

Component health

loki.source.journal is only reported as unhealthy if given an invalid configuration.

Debug Metrics

  • loki_source_journal_target_parsing_errors_total (counter): Total number of parsing errors while reading journal messages.
  • loki_source_journal_target_lines_total (counter): Total number of successful journal lines read.

Example

alloy
loki.relabel "journal" {
  forward_to = []

  rule {
    source_labels = ["__journal__systemd_unit"]
    target_label  = "unit"
  }
}

loki.source.journal "read"  {
  forward_to    = [loki.write.endpoint.receiver]
  relabel_rules = loki.relabel.journal.rules
  labels        = {component = "loki.source.journal"}
}

loki.write "endpoint" {
  endpoint {
    url ="loki:3100/api/v1/push"
  }
}

Compatible components

loki.source.journal can accept arguments from the following components:

Note

Connecting some components may not be sensible or components may require further configuration to make the connection work correctly. Refer to the linked documentation for more details.