Journald source

The journald source reads from the systemd journal using journalctl. It follows the journal in real time and tracks its position using the journal cursor, so no entries are missed across restarts.

This source requires journalctl to be available on the system. It is Linux-only.

Configuration

{
  "sources": {
    "system": {
      "type": "journald"
    }
  }
}

Options

Option	Type	Default	Description
`maxLineLenKB`	int	`64`	Maximum line length in kilobytes. Lines exceeding this are truncated.
`unescapeMessageJSON`	bool	`false`	If `true`, unescape JSON content in the `MESSAGE` field

Unescaping JSON messages

Some services write JSON to journald, but the journal escapes it. Enable unescapeMessageJSON to automatically detect and unescape JSON in the MESSAGE field:

{
  "sources": {
    "system": {
      "type": "journald",
      "unescapeMessageJSON": true
    }
  }
}

Event fields

Field	Value
`sourceType`	`"journald"`
`rawLog`	Full JSON output from journalctl
`eventTime`	Parsed from `__REALTIME_TIMESTAMP` (microseconds since epoch)
`service.name`	Value of `SYSLOG_IDENTIFIER`
`tags.hostname`	Value of `_HOSTNAME` (if present)

High-watermark

The journald source saves its cursor to ~/.config/reveald/kawad-journald-hwm. On restart, reveald resumes from the last saved cursor position.