Systemd-journald is a system service that collects and stores logging data. It creates and maintains structured, indexed journals based on logging information that is received from a variety of sources.
Journal files are, by default, owned and readable by the
systemd-journal system group. To start collecting your journal logs, you need to:
dd-agent user to the
systemd-journal group by running:
usermod -a -G systemd-journal dd-agent
journald.d/conf.yaml file in the in the Agent’s
conf.d/ folder at the root of your Agent’s directory.
Available for Agent versions >6.0
Collecting logs is disabled by default in the Datadog Agent, you need to enable it in
Then add this configuration block to your
journald.d/conf.yaml file to start collecting your Logs:
logs: - type: journald container_mode: true
service attributes, the Agent collects
_COMMand set them to the first non empty value. In order to take advantage of the integration pipelines, Datadog recommends setting the
SyslogIdentifier parameter in the
systemd service file directly, or in a
systemd service override file. Their location depends on your distribution, but you can find the location of the
systemd service file by using the command
systemctl show -p FragmentPath <unit_name>.
Note: With Agent 7.17+, if
container_mode is set to
true, the default behavior changes for logs coming from docker containers. The
source attribute of your logs is automatically set to the corresponding short image name of the container instead of simply
Finally, restart the agent.
By default the Agent looks for the journal at the following locations:
If your journal is located elsewhere, add a
path parameter with the corresponding journal path.
It is possible to filter in/out specific units thanks to the following parameters:
include_units: Includes all units specified.
exclude_units: Excludes all units specified.
logs: - type: journald path: /var/log/journal/ include_units: - docker.service - sshd.service
Tags are critical for finding information in highly dynamic containerized environments, which is why the Agent can collect container tags in journald logs.
This works automatically when the Agent is running from the host. If you are using the containerized version of the Datadog Agent, mount your journal path and the following file:
/etc/machine-id: this ensures that the Agent can query the journal that is stored on the host.
Need help? Contact Datadog Support.
Learn more about infrastructure monitoring and all Datadog integrations on our blog