Reveald

Reveald is RunReveal's log collection agent. It runs as a lightweight daemon on your hosts, collecting logs from files, journald, syslog, Windows Event Log, and other sources, then forwarding them to RunReveal or S3 in batches.

Why reveald

Simple configuration --- A single JSON file defines your sources and destinations. Supports comments and trailing commas (HUJSON).
Low overhead --- Reveald is a single static binary with no runtime dependencies. It uses minimal CPU and memory, making it suitable for running on every host.
Reliable delivery --- Events are batched and flushed on a configurable interval. Reveald tracks file offsets and journald cursors across restarts so no logs are lost.
Flexible routing --- Collect from multiple sources simultaneously and send to multiple destinations. Every source feeds every destination.
Processors built in --- Parse key-value pairs, apply regex extraction, or refine fields with rule-based matching before events leave the host.

Architecture

Reveald follows a simple pipeline architecture:

┌──────────┐     ┌───────────────┐     ┌──────────────┐
│  Sources  │────▶│  Event Queue  │────▶│ Destinations  │
└──────────┘     └───────────────┘     └──────────────┘
  file                                    runreveal
  journald                                s3
  syslog                                  mqtt
  command                                 printer
  windows
  cri
  mqtt
  nginx-syslog

Sources emit events into an internal queue. The queue buffers events and delivers them to all configured destinations. Each destination batches and flushes independently.

Supported sources

Source	Type identifier	Description
File	`file`	Tail log files in a directory
Journald	`journald`	Read systemd journal
Syslog	`syslog`	Listen for syslog over UDP
Command	`command`	Run a command on an interval and capture output
Windows Event Log	`eventlog`	Subscribe to Windows Event Log channels
CRI	`cri`	Parse Kubernetes CRI container logs
MQTT	`mqtt`	Subscribe to an MQTT topic
Nginx Syslog	`nginx_syslog`	Parse nginx access logs via syslog

Supported destinations

Destination	Type identifier	Description
RunReveal	`runreveal`	Send to RunReveal via webhook
S3	`s3`	Write to Amazon S3 or S3-compatible storage
MQTT	`mqtt`	Publish to an MQTT broker
Printer	`printer`	Write to stdout for debugging

Processors

Processors wrap a source and transform events before they reach destinations.

Processor	Type identifier	Description
Refine	`refine`	Rule-based field matching and extraction
KV	`kv`	Key-value pair parsing
Regex	`regex`	Named capture group extraction

Next steps

Quickstart --- Get logs flowing to RunReveal in five minutes
Installation --- Download and install reveald
Configuration --- Learn the config file format