{"id":19693827,"url":"https://github.com/aiven-open/journalpump","last_synced_at":"2025-07-22T10:32:55.081Z","repository":{"id":35727693,"uuid":"40006143","full_name":"Aiven-Open/journalpump","owner":"Aiven-Open","description":"systemd journald to aws_cloudwatch, elasticsearch, google cloud logging, kafka, rsyslog or logplex log sender","archived":false,"fork":false,"pushed_at":"2025-05-08T15:07:46.000Z","size":666,"stargazers_count":61,"open_issues_count":6,"forks_count":22,"subscribers_count":67,"default_branch":"master","last_synced_at":"2025-07-12T21:07:46.351Z","etag":null,"topics":["elasticsearch","journald","kafka","logplex","message-pump"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Aiven-Open.png","metadata":{"files":{"readme":"README.rst","changelog":"NEWS","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2015-07-31T13:17:39.000Z","updated_at":"2025-06-27T10:43:10.000Z","dependencies_parsed_at":"2023-12-14T13:34:24.678Z","dependency_job_id":"e3a5a105-12f3-4072-a0b6-dd32297702ab","html_url":"https://github.com/Aiven-Open/journalpump","commit_stats":null,"previous_names":["aiven-open/journalpump","aiven/journalpump"],"tags_count":23,"template":false,"template_full_name":null,"purl":"pkg:github/Aiven-Open/journalpump","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Aiven-Open%2Fjournalpump","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Aiven-Open%2Fjournalpump/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Aiven-Open%2Fjournalpump/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Aiven-Open%2Fjournalpump/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Aiven-Open","download_url":"https://codeload.github.com/Aiven-Open/journalpump/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Aiven-Open%2Fjournalpump/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":266475119,"owners_count":23934885,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-07-22T02:00:09.085Z","response_time":66,"last_error":null,"robots_txt_status":null,"robots_txt_updated_at":null,"robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["elasticsearch","journald","kafka","logplex","message-pump"],"created_at":"2024-11-11T19:18:18.456Z","updated_at":"2025-07-22T10:32:55.033Z","avatar_url":"https://github.com/Aiven-Open.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"journalpump |BuildStatus|_\n==========================\n\n.. |BuildStatus| image:: https://github.com/aiven/journalpump/actions/workflows/build.yml/badge.svg?branch=master\n.. _BuildStatus: https://github.com/aiven/journalpump/actions\n.. image:: https://codecov.io/gh/aiven/journalpump/branch/master/graph/badge.svg?token=nLr7M7hvCx\n :target: https://codecov.io/gh/aiven/journalpump\n\njournalpump is a daemon that takes log messages from journald and pumps them\nto a given output. Currently supported outputs are Elasticsearch, Apache Kafka®,\nlogplex, rsyslog, websocket and AWS CloudWatch. It reads messages from\njournald and optionally checks if they match a config rule and forwards them\nas JSON messages to the desired output.\n\n\nBuilding\n========\n\nTo build an installation package for your distribution, go to the root\ndirectory of a journalpump Git checkout and then run:\n\nDebian::\n\n make deb\n\nThis will produce a .deb package into the parent directory of the Git\ncheckout.\n\nFedora::\n\n make rpm\n\nThis will produce an RPM in rpm/RPMS/noarch/.\n\nOther::\n\n python3 setup.py bdist_egg\n\nThis will produce an egg file into a dist directory within the same folder.\n\nFor a source install the dependency `python-systemd \u003chttps://github.com/systemd/python-systemd\u003e`_ has\nto be installed through your distribution's package manager (The PyPI `systemd` package is not the\nsame!).\n\njournalpump requires Python 3.4 or newer.\n\n\nInstallation\n============\n\nTo install it run as root:\n\nDebian::\n\n dpkg -i ../journalpump*.deb\n\nFedora::\n\n su -c 'dnf install rpm/RPMS/noarch/*'\n\nOn Fedora it is recommended to simply run journalpump under systemd::\n\n systemctl enable journalpump.service\n\nand eventually after the setup section, you can just run::\n\n systemctl start journalpump.service\n\nOther::\n\n python3 setup.py install\n\nOn systems without systemd it is recommended that you run journalpump within\nsupervisord_ or similar process control system.\n\n.. _supervisord : http://supervisord.org\n\n\nSetup\n=====\n\nAfter installation you need to create a suitable JSON configuration file for\nyour installation.\n\n\nGeneral notes\n=============\n\nIf correctly installed, journalpump comes with a single executable,\n``journalpump`` that takes as an argument the path to journalpump's JSON\nconfiguration file.\n\n``journalpump`` is the main process that should be run under systemd or\nsupervisord.\n\nWhile journalpump is running it may be useful to read the JSON state file\nthat will be created as ``journalpump_state.json`` to the current working\ndirectory. The JSON state file is human readable and should give an\nunderstandable description of the current state of the journalpump.\n\n\nTop level configuration\n=======================\nExample::\n\n {\n \"log_level\": \"INFO\",\n \"field_filters\": {\n ...\n },\n \"unit_log_levels\": {\n ...\n },\n \"json_state_file_path\": \"/var/lib/journalpump/journalpump_state.json\",\n \"readers\": {\n ...\n },\n \"statsd\": {\n \"host\": \"127.0.0.1\",\n \"port\": 12345,\n \"prefix\": \"user-\",\n \"tags\": {\n \"sometag\": \"somevalue\"\n }\n }\n }\n\n\n``json_state_file_path`` (default ``\"journalpump_state.json\"``)\n\nLocation of a JSON state file which describes the state of the\njournalpump process.\n\n``statsd`` (default ``null``)\n\nEnables metrics sending to a statsd daemon that supports the influxdb-statsd\n/ telegraf syntax with tags.\n\nThe ``tags`` setting can be used to enter optional tag values for the metrics.\n\nThe ``prefix`` setting can be used to enter an optional prefix for all metric names.\n\nMetrics sending follows the `Telegraf spec`_.\n\n.. _`Telegraf spec`: https://github.com/influxdata/telegraf/tree/master/plugins/inputs/statsd\n\n``log_level`` (default ``\"INFO\"``)\n\nDetermines log level of journalpump. `Available log levels \u003chttps://docs.python.org/3/library/logging.html#logging-levels\u003e`_.\n\nField filter configuration\n==========================\n\nField filters can be used to restrict the journald fields that journalpump sends forward.\nField filter configuration structure::\n\n {\n \"field_filters\": {\n \"filter_name\": {\n \"type\": \"whitelist|blacklist\",\n \"fields\": [\"field1\", \"field2\"]\n }\n }\n }\n\n``filter_name``\n\nName of the filter. The filters can be configured per sender and depending\non the use case the filters for different senders may vary.\n\n``type`` (default ``whitelist``)\n\nSpecifies whether the listed fields will be included (``whitelist``) or\nexcluded (``blacklist``).\n\n``fields``\n\nThe actual fields to include or exclude. Field name matching is case\ninsensitive and underscores in the beginning of the fields are trimmed.\n\nUnit log levels configuration\n=============================\n\nUnit log levels can be used to specify which log levels you want to set on a per unit basis. Matching supports glob\npatterns. For example, to only process messsages for a systemd-unit called ``test-unit`` with severity ``WARNING`` or higher,\nyour config could look like this::\n\n {\n \"unit_log_levels\": {\n \"log_level_name\": [\n {\n \"service_glob\": \"test-unit*\",\n \"log_level\": \"WARNING\"\n },\n {\n \"service_glob\": \"*-unit\",\n \"log_level\": \"INFO\"\n }\n ]\n }\n }\n\nNote that if your unit would match multiple patterns (like \"test-unit\" would in the example above), the first match will\nget used, i.e \"WARNING\" in this case.\n\n``log_level_name``\n\nName of the log level configuration. This can be configured per sender and depending\non the use case the settings for different senders may vary.\n\nReader configuration\n====================\nReader configuration structure::\n\n {\n \"readers\": {\n \"some_reader\": {\n \"senders\": {\n \"some_log\": {\n ...\n },\n \"another_log\": {\n ...\n }\n }\n },\n \"another_reader\": {\n \"senders\": {\n \"some_kafka\": {\n ...\n }\n }\n }\n }\n }\n\nExample configuration for a single reader::\n\n {\n \"field_filters\": {\n \"drop_process_id\": {\n \"fields\": [\"process_id\"],\n \"type\": \"blacklist\"\n }\n },\n \"unit_log_levels\": {\n \"drop_everything_below_warning\": [\n {\n \"service_glob\": \"*\",\n \"log_level\": \"WARNING\"\n }\n ]\n },\n \"journal_path\": \"/var/lib/machines/container1/var/log/journal/b09ffd62229f4bd0829e883c6bb12c4e\",\n \"senders\": {\n \"k1\": {\n \"output_type\": \"kafka\",\n \"field_filter\": \"drop_process_id\",\n \"unit_log_level\": \"drop_everything_below_warning\",\n \"ca\": \"/etc/journalpump/ca-bundle.crt\",\n \"certfile\": \"/etc/journalpump/node.crt\",\n \"kafka_address\": \"kafka.somewhere.com:12345\",\n \"kafka_topic\": \"journals\",\n \"keyfile\": \"/etc/journalpump/node.key\",\n \"ssl\": true\n },\n },\n \"searches\": [\n {\n \"fields\": {\n \"MESSAGE\": \"kernel: Out of memory: Kill process .+ \\\\((?P\u003cprocess\u003e[^ ]+)\\\\)\"\n },\n \"name\": \"journal.oom_killer\"\n }\n ],\n \"secret_filter_metrics\": true,\n \"secret_filters\": [\n {\n \"pattern\": \"SENSITIVE\",\n \"replacement\": \"[REDACTED]\"\n }],\n \"threshold_for_metric_emit\": 10\n \"tags\": {\n \"type\": \"container\"\n }\n }\n\n\n``initial_position`` (default ``head``)\n\nControls where the readers starts when the journalpump is launched for the first time:\n\n* ``head``: First entry in the journal\n* ``tail``: Last entry in the journal\n* ``\u003cinteger\u003e``: Seconds from current boot session\n\n``match_key`` (default ``null``)\n\nIf you want to match against a single journald field, this configuration key\ndefines the key to match against.\n\n``match_value`` (default ``null``)\n\nIf you want to match against a single journald field, this configuration key\ndefines the value to match against. Currently only equality is allowed.\nNote this means if you specify ``match_key`` and not ``match_value``, then the reader\nwill match all entries that do not contain the ``match_key``.\n\n``msg_buffer_max_length`` (default ``50000``)\n\nHow many journal entries to read at most into a memory buffer from\nwhich the journalpump feeds the configured logsender.\n\n``journal_path`` (default ``null``)\n\nPath to the directory containing journal files if you want to override the\ndefault one.\n\n``journal_namespace`` (default ``null`` - read from default systemd namespace)\n\nJournal namespace to read logs from.\nThis feature requires latest version of ``python-systemd`` `with namespace support \u003chttps://github.com/systemd/python-systemd/pull/87\u003e`_\n\n``units_to_match`` (default ``[]``)\n\nRequire that the logs message matches only against certain _SYSTEMD_UNITs.\nIf not set, we allow log events from all units.\n\n``flags`` (default ``LOCAL_ONLY``)\n\n``\"LOCAL_ONLY\"`` opens journal on local machine only; ``\"RUNTIME_ONLY\"`` opens only volatile journal files;\nand ``\"SYSTEM\"`` opens journal files of system services and the kernel, ``\"CURRENT_USER\"`` opens files of the\ncurrent user; and ``\"OS_ROOT\"`` is used to open the journal from directories relative to the specified\ndirectory path or file descriptor. Multiple flags can be OR'ed together using a list:\n``[\"LOCAL_ONLY\", \"CURRENT_USER\"]``.\n\n``secret_filters`` (default ``[]``)\n\nSecret filters can be used to redact sensitive data which matches known patterns in logs before forwarding the message along\nto it's final destination. To use: add a number of filters following the pattern below to the reader config. The ``pattern`` is a standard\npython regex, and the matching substring will be subbed with ``replacement``. Patterns are compiled at runtime.\n\nSimple pattern example:\n\nThis simple pattern should be used for most cases. It will replace SECRET with [REDACTED] but will leave the rest of the message intact.\n\n\"secret_filters\": [\n {\n \"pattern\": \"SECRET\",\n \"replacement\": \"[REDACTED]\"\n }\n]\n\nComplex pattern example:\n\nFor more complex requirements, a python regex with capture groups can be provided, and the contents of the message restructured using backrefs.\nThis example will only replace SENSITIVE with [REDACTED] as long as foo and bar are also part of the pattern.\n\n\"secret_filters\": [\n {\n \"pattern\": \"(bar)(SENSITIVE)(foo)\",\n \"replacement\": \"\\\\1[REDACTED]\\\\3\",\n }\n]\n\nUsing backrefs, the message can also be restructured into a new format.\n\"secret_filters\": [\n {\n \"pattern\": \"(bar)(SENSITIVE)(foo)\",\n \"replacement\": \"\\\\1\\\\3 pattern was [REDACTED]\",\n }\n]\n\nSecret filters and searches can be made to use re2 as a regex engine by running journalpump with the environment \"USE_RE2=yes\". Make sure that the PyPI package \"google_re2\" is installed with at least version 1.1\n\n``secret_filter_metrics`` ( default: ``false``)\nChange this setting to true to emit metrics to the metrics host whenever a secret pattern is matched.\nThis matching happens before other filtering to help catch secrets being leaked to disk.\n\n``threshold_for_metric_emit`` ( default: ``10``)\nFor the regex searches in journalpump, if search takes longer than this value, default 10 seconds, a metric will be emitted.\ntype: int unit: second\n\nSender Configuration\n--------------------\n``output_type`` (default ``null``)\n\nOutput to write journal events to. Options are `elasticsearch`, `kafka`,\n`file`, `websocket` and `logplex`.\n\n``field_filter`` (default ``null``)\n\nName of the field filter to apply for this sender, if any.\n\n\nFile Sender Configuration\n-------------------------\nWrites journal entries as JSON to a text file, one entry per line.\n\n``file_output`` sets the path to the output file.\n\n\nElasticsearch Sender Configuration\n----------------------------------\n``ca`` (default ``null``)\n\nElasticsearch Certificate Authority path, needed when you're using Elasticsearch\nwith self-signed certificates.\n\n``elasticsearch_index_days_max`` (default ``3``)\n\nMaximum number of days of logs to keep in Elasticsearch. Relevant when\nusing output_type ``elasticsearch``.\n\n``elasticsearch_index_prefix`` (default ``journalpump``)\n\nElasticsearch index name to use when Maximum number of days of logs to keep\nin Elasticsearch. Relevant when using output_type ``elasticsearch``.\n\n``elasticsearch_timeout`` (default ``10.0``)\n\nElasticsearch request timeout limit. The default should work for most\npeople but you might need to increase it in case you have a large latency to\nserver or the server is very congested. Required when using output_type\n``elasticsearch``.\n\n``elasticsearch_url`` (default ``null``)\n\nFully qualified elasticsearch url of the form\n``https://username:password@hostname.com:port``.\nRequired when using output_type ``elasticsearch``.\n\n\nApache Kafka Sender Configuration\n---------------------------------\n``ca`` (default ``null``)\n\nApache Kafka Certificate Authority path, needed when you're using Kafka with SSL\nauthentication.\n\n``certfile`` (default ``null``)\n\nApache Kafka client certificate path, needed when you're using Kafka with SSL\nauthentication.\n\n``kafka_api_version`` (default ``0.9``)\n\nWhich Apache Kafka server API version to use.\n\n``kafka_topic`` (default ``null``)\n\nWhich Kafka topic do you want the journalpump to write to.\nRequired when using output_type ``kafka``.\n\n``kafka_topic_config`` (default ``null``)\n\nIf this key is present, its value must be another mapping with the default\nconfiguration used to create the topic, if it does not exist yet.\n\nThe mapping must have these values::\n\n {\n \"num_partitions\": 3,\n \"replication_factor\": 3\n }\n\n\n``kafka_address`` (default ``null``)\n\nThe address of the Kafka server which to write to.\nRequired when using output_type ``kafka``.\n\n``kafka_msg_key`` (default ``null``)\n\nThe key to use when writing messages into Kafka. Can be used\nfor partition selection.\n\n``keyfile`` (default ``null``)\n\nKafka client key path, needed when you're using Kafka with SSL\nauthentication.\n\n``socks5_proxy`` (default ``null``)\n\nDefined socks5 proxy to use for Kafka connections. This feature\nis currently only supported in Aiven fork of kafka-python library.\n\nAWS CloudWatch Logs Sender Configuration\n----------------------------------------\n``aws_cloudwatch_log_group``\n\nThe log group used in AWS CloudWatch.\n\n``aws_cloudwatch_log_stream``\n\nThe log stream used in AWS CloudWatch.\n\n``aws_region`` (default ``null``)\n\nAWS region used.\n\n``aws_access_key_id`` (default ``null``)\n\nAWS access key id used.\n\n``aws_secret_access_key`` (default ``null``)\n\nAWS secret access key used.\n\nThe AWS credentials and region are optional. In case they are not included\ncredentials are configured automatically by the ``botocore`` module.\n\nThe AWS credentials that are used need the following permissions:\n``logs:CreateLogGroup``, ``logs:CreateLogStream``, ``logs:PutLogEvents``\nand ``logs:DescribeLogStreams``.\n\nGoogle Cloud Logging Sender Configuration\n-----------------------------------------\n``google_cloud_logging_project_id``\n\nThe GCP project id to which logs will be sent.\n\n``google_cloud_logging_log_id``\n\nThe log id to be used for this particular sender.\n\n``google_cloud_logging_resource_labels``\n\nA dictionary containing the labels added to the monitored resource.\nFind the allowed labels from https://cloud.google.com/monitoring/api/resources#tag_generic_node.\n\n``google_service_account_credentials``\n\nThe service account credentials to be used for this sender. If not\ndefined, the sender will try to find credentials from the system.\n\nRsyslog Sender Configuration\n----------------------------\n\n``rsyslog_server`` (default ``null``)\n\nAddress of the remote syslog server.\n\n``rsyslog_port`` (default ``514``)\n\nPort used by the remote syslog server.\n\n``default_facility`` (default ``1``)\n\nFacility for the syslog message if not provided by the entry being relayed.\n(see RFC5424 for list of facilities.)\n\n``default_severity`` (default ``6``)\n\nSeverity for the syslog message if not provided by the entry being relayed.\n(see RFC5424 for list of priorities.)\n\n``format`` (default ``rfc5424``)\n\nLog format to use. Can be rfc3164, rfc5424 or custom.\n\n``logline`` (default ``null``)\n\nCustom logline format (ignored unless format is set to custom). The format is a limited version\nof the formatting used by rsyslog. Supported tags are pri, procotol-version, timestamp,\ntimestamp:::date-rfc3339, HOSTNAME, app-name, procid, msgid, msg and structured-data.\n\nFor example the rfc3164 log format would be defined as `\u003c%pri%\u003e%timestamp% %HOSTNAME% %app-name%[%procid%]: %msg%`\n\n``structured_data`` (default ``null``)\n\nContent of structured data section (optional, required by some services to identify the sender).\n\n``ssl`` (default ``false``)\n\nRequire encrypted connection.\n\n``ca_certs`` (default ``null``)\n\nCA path. Note! setting ca will automatically also set ssl to True\n\n``client_cert`` (default ``null``)\n\nClient certificate path, required if remote syslog requires SSL authentication.\n\n``client_key`` (default ``null``)\n\nClient key path, required if remote syslog requires SSL authentication.\n\n``format`` (default ``rfc5424``)\n\nFormat message according to rfc5424 or rfc3164\n\nWebsocket Sender Configuration\n------------------------------\n``websocket_uri`` (default ``null``)\n\nWhich Websocket URI do you want the journalpump to write to.\nRequired when using output_type ``websocket``.\n\n``ca`` (default ``null``)\n\nWebsocket Certificate Authority path, needed when you're using SSL\nauthentication.\n\n``certfile`` (default ``null``)\n\nWebsocket client certificate path, needed when you're using SSL\nauthentication.\n\n``keyfile`` (default ``null``)\n\nWebsocket client key path, needed when you're using SSL\nauthentication.\n\n``socks5_proxy`` (default ``null``)\n\nDefined socks5 proxy to use for Websocket connections.\n\n``max_batch_size`` (default ``1048576``)\n\nAdjust message batch size, set to 0 to disable batching. When batching is\nenabled, multiple journal messages are sent in a single websocket message,\nseparated by a single NUL byte.\n\n``compression`` (default ``\"snappy\"``)\n\nCompress messages on application level using the specified algorithm.\nDecompression is done by an application behind the websocket server,\nallowing end-to-end compression. When batching is enabled, compression is\ndone on complete batches. Supported values: ``\"snappy\"``, ``\"none\"``.\n\n``websocket_compression`` (default ``\"none\"``)\n\nEnable compression of websocket messages using the ``permessage-deflate``\nextension. The messages will be decompressed by the websocket server. When\nbatching is enabled, compression is done on complete batches. Supported\nvalues: ``\"deflate\"``, ``\"none\"``.\n\n\n\nLicense\n=======\n\njournalpump is licensed under the Apache License, Version 2.0.\nFull license text is available in the ``LICENSE`` file and at\nhttp://www.apache.org/licenses/LICENSE-2.0.txt\n\n\nCredits\n=======\n\njournalpump was created by Hannu Valtonen \u003channu.valtonen@aiven.io\u003e\nand is now maintained by Aiven hackers \u003copensource@aiven.io\u003e.\n\nRecent contributors are listed on the project's GitHub `contributors page`_.\n\n.. _`contributors page`: https://github.com/aiven/journalpump/graphs/contributors\n\nTrademark\n=========\n\nApache Kafka is either registered trademark or trademark of the Apache Software\nFoundation in the United States and/or other countries. Elasticsearch,\nAWS CloudWatch, logplex and rsyslog are trademarks and property of their respective\nowners. All product and service names used in this website are for identification\npurposes only and do not imply endorsement.\n\n\nContact\n=======\n\nBug reports and patches are very welcome, please post them as GitHub issues\nand pull requests at https://github.com/aiven/journalpump . Any\npossible vulnerabilities or other serious issues should be reported directly\nto the maintainers \u003copensource@aiven.io\u003e.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faiven-open%2Fjournalpump","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Faiven-open%2Fjournalpump","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faiven-open%2Fjournalpump/lists"}