How can I see if logs coming into journald for a service were written to STDOUT or STDERR?

Grafana Loki
1

hi there.

I understand that I can use Loki and Grafana together to read logs from journald on a linux machine that uses systemd.

However, it isn’t obvious to me how I can see if logs for a given service were written to STDOUT, or to STDERR from a query in Loki.

I can’t seem to see any settings in the docs for promtail either:

Is this information exposed at all?

I know I can use promtail to read separate files, and use as a way to differentiate between to file streams, but if possible, I’d like to avoid doing this, because the journal in systemd has a number of other benefits too.

2

How can you do that with journalctl?

Is it already implemented in journald? I was able to find pr for that, but it was not merged: journal: provide a way to distinguish between stdout and stderr streams by fabiokung · Pull Request #6599 · systemd/systemd · GitHub

3

Oh, sorry, I think you’re right, @jangaraj. I am more familiar with Loki than Systemd, and I was looking at moving from Supervisor to Systemd for some services because I think Systemd offers a better fit in terms of

I had just assumed that this had been built into Systemd already, but it seems to be unevenly supported at best after looking around online.

I can do this in a running VM:

sudo journalctl _TRANSPORT=stdout

That gives me this output:

-- Logs begin at Thu 2024-02-29 15:46:46 CET, end at Tue 2024-05-07 18:39:01 CEST. --
Feb 29 15:57:21 app1.myapp.org 50-motd-news[3450626]:  * Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s
Feb 29 15:57:21 app1.myapp.org 50-motd-news[3450626]:    just raised the bar for easy, resilient and secure K8s cluster deployment.
Feb 29 15:57:21 app1.myapp.org 50-motd-news[3450626]:    https://ubuntu.com/engage/secure-kubernetes-at-the-edge
(lots more lines)

I’m using sudo here because the user I’m logged in as in thie case isn’t part of the adm group that I think would give access to the logs.

When I set the transport to stderr however:

sudo journalctl _TRANSPORT=stderr

I get this:

-- Logs begin at Thu 2024-02-29 15:46:46 CET, end at Tue 2024-05-07 18:39:08 CEST. --
-- No entries --

So there might be some kind of support, but it doesn’t seem to be official. I think it’s best for me assume that if I want the distinction between log output that STDOUT and STDERR would give me, I should use another approach, like careful use of log levels or so on.

Thanks for the quick respons BTW :slight_smile:

1 Like