Sources
Sources define where reveald collects logs. Each source runs as a goroutine, continuously reading events and feeding them into the internal event queue for delivery to all configured destinations.
Available sources
| Source | Type | Platform | Description |
|---|---|---|---|
| File | file | All | Tail log files in a directory |
| Journald | journald | Linux | Read systemd journal |
| Syslog | syslog | All | Listen for syslog over UDP |
| Command | command | All | Run a command on an interval |
| Windows Event Log | eventlog | Windows | Subscribe to event log channels |
| CRI | cri | Linux | Parse Kubernetes container runtime logs |
| MQTT | mqtt | All | Subscribe to an MQTT topic |
| Nginx Syslog | nginx_syslog | All | Parse nginx access logs via syslog |
Configuring sources
Sources are defined under the "sources" key in your config file. Each source entry is keyed by a unique name and carries a "type" field that selects one of the types listed above; the remaining options are type-specific and are described on each source's page.
You can configure as many sources as needed. All sources run concurrently and all events are sent to every destination.
Event structure
Every source emits events with a common structure:
| Field | Type | Description |
|---|---|---|
| sourceType | string | Identifies the source type (e.g. "file", "journald") |
| rawLog | JSON | The original log content |
| eventTime | timestamp | When the event occurred (source-specific parsing) |
| eventName | string | Optional event name |
| src | object | Source IP and port (if applicable) |
| dst | object | Destination IP and port (if applicable) |
| actor | object | User who performed the action (if applicable) |
| service | object | Service or process name |
| tags | map | Arbitrary key-value metadata |
Different sources populate different fields. See each source's documentation for details on which fields are set and how timestamps are parsed.