Here is the output that systemd gives from promtail:
pam_unix(sudo:session): session closed for user root
And from fluentbit:
{"_AUDIT_SESSION":"39444","_GID":"0","_COMM":"sudo","_EXE":"/usr/bin/sudo","_CAP_EFFECTIVE":"1fffffffff","_PID":"1546","PRIORITY":"6","_UID":"0","MESSAGE":"pam_unix(sudo:session): session closed for user root","_AUDIT_LOGINUID":"550","_BOOT_ID":"729a106eb5ec435f9e2ef354b8bdda8a","SYSLOG_FACILITY":"10","SYSLOG_IDENTIFIER":"sudo","_TRANSPORT":"syslog","_SYSTEMD_CGROUP":"/system.slice/sshd.service",_SYSTEMD_UNIT":"sshd.service","_SOURCE_REALTIME_TIMESTAMP":"1574205809328532","_MACHINE_ID":"a3956a4f6aa34db59bc7f433d18dbb12","_HOSTNAME":"XXX,"_SYSTEMD_SLICE":"system.slice","_CMDLINE":"XXX"}
I would love to see those fields fetched with promtail.
Especially, with fluentbit, I use:
```
[FILTER]
    Name   modify
    Add    job systemd
    Rename _SYSTEMD_UNIT unit
    Match  systemd
[Output]
    Name      loki
    Match     *
    LabelKeys job,unit
```
to get a unit label, which seems impossible with promtail at the moment.
Have you tried relabeling the fields? #1261 documents it a little better but you should be able to relabel all journald fields (prefixing it with __journal_):
I also think that we could differentiate relabel_configs (e.g. run with file_sd) and logs_relabel_configs (run on each ingested line) (like prometheus has relabel_configs and metrics_relabel_configs)
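The relabeling approach suggested above, written out as a Promtail config that reproduces the `job` and `unit` labels from the Fluent Bit setup. This is an added example, not taken from the issue or from the Promtail repository; the ports, positions path, Loki URL and `max_age` value are assumptions, and the journal field names are the lowercased, `__journal_`-prefixed forms of the fields shown in the Fluent Bit output.

```yaml
server:
  http_listen_port: 9080          # assumed port
  grpc_listen_port: 0

positions:
  filename: /tmp/positions.yaml   # assumed path

clients:
  - url: http://localhost:3100/loki/api/v1/push   # assumed Loki endpoint

scrape_configs:
  - job_name: journal
    journal:
      max_age: 12h                # assumed look-back window
      labels:
        job: systemd              # same static label as "Add job systemd"
    relabel_configs:
      # _SYSTEMD_UNIT -> unit (equivalent of "Rename _SYSTEMD_UNIT unit")
      - source_labels: ['__journal__systemd_unit']
        target_label: unit
      # SYSLOG_IDENTIFIER -> syslog_identifier (e.g. "sudo" in the sample entry)
      - source_labels: ['__journal_syslog_identifier']
        target_label: syslog_identifier
      # _HOSTNAME -> hostname
      - source_labels: ['__journal__hostname']
        target_label: hostname
      # Per-event fields such as _PID, _CMDLINE or _AUDIT_SESSION are left out
      # on purpose: as labels they would create one Loki stream per value.
```

With these labels a query such as `{job="systemd", unit="sshd.service", syslog_identifier="sudo"}` selects the sudo session lines shown in the issue.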