---
title: "Collecting and analyzing coreos (journald) logs w/ Sumo Logic"
page_name: "Collecting and Analyzing CoreOS (journald) Logs w/ Sumo Logic"
type: "blog"
slug: "collecting-journald-logs"
published_at: "2015-04-03"
modified_at: "2025-05-09"
url: "https://www.sumologic.com/blog/collecting-journald-logs"
canonical: "https://www.sumologic.com/blog/collecting-journald-logs"
markdown_url: "https://www.sumologic.com/blog/collecting-journald-logs.md"
lang: "en"
excerpt: "How to pull logs, not from the containers themselves, but from journald, which CoreOS uses? An easy way to do this is by setting up a new systemd service..."
taxonomy_blog_category:
  - "Containers"
---


# Collecting and Analyzing CoreOS (journald) Logs w/ Sumo Logic

David Wynn

April 3, 2015


## Towards More and Better Tools

With Docker becoming an increasingly popular platform for deploying applications, we’re continually looking into how best to use Sumo Logic to collect the logs from containerized apps. We’ve already posted about Docker a few times, covering collection strategies and our official Docker image.

One other request we have heard from customers is how to pull logs not from the containers themselves but from journald, the systemd journal that [CoreOS](https://coreos.com/) uses in place of a traditional syslog daemon.

An easy way to do this is to set up a new systemd service that forwards those logs over UDP to a Sumo Logic Collector running on the same host. UDP syslog carries no encryption, authentication or delivery guarantee, so keep the path local: the unit below sends to localhost only, and the collector should listen only there.

## How to Set Up Journald Collection with Sumo Logic

First, you’ll need a collector that listens for the UDP traffic we’re about to send. Since CoreOS is built for a containerized world, we recommend running the official Sumo Logic collector image on the host and publishing the syslog port. Note that `-p 514:514` publishes the port on every interface of the host; to accept datagrams from the forwarding unit only, bind it to loopback with `-p 127.0.0.1:514:514/udp` (and the same for the TCP mapping).

```
docker run -d -p 514:514 -p 514:514/udp --name="sumo-logic-collector" sumologic/collector:latest-syslog [Access ID] [Access key]
```

Second, you’ll want to create a new unit that describes the forwarding service. An example unit file is provided below. journalctl’s default output is the short, syslog-style line format; its `-o` option switches to another layout such as `short-iso` or `json`. The example searches later in this post parse JSON field names (`MESSAGE`, `UNIT`), so the unit uses `-o json`. Note that `journalctl -f` prints the last few journal entries before it starts following, so each restart of the service resends a handful of lines.

```
[Unit]
Description=Send journalctl output to Sumo Logic

[Service]
TimeoutStartSec=0
# -f follows the journal; -o json emits one JSON object per entry, which the
# example searches below parse. Sending to localhost keeps the plaintext UDP
# stream off the network.
ExecStart=/bin/sh -c '/usr/bin/journalctl -f -o json | /usr/bin/ncat --udp localhost 514'

Restart=always
RestartSec=5s

[Install]
WantedBy=multi-user.target
```

In-depth details on creating the service can be found [here](https://coreos.com/docs/launching-containers/launching/getting-started-with-systemd/). The gist: save this unit file as `journalctl_syslog.service` in /etc/systemd/system and run the following commands:

```
$ sudo systemctl enable /etc/systemd/system/journalctl_syslog.service
$ sudo systemctl start journalctl_syslog.service
```

Once the service is up and running, that’s all there is to it. systemd handles restarts, and the collector forwards the data to Sumo Logic. You can confirm the unit is alive with `systemctl status journalctl_syslog.service`. The searches below assume the collector’s syslog source is categorized as `journald`; adjust `_sourceCategory` to whatever your source is configured with.

## Example Queries

Once the data is present inside of Sumo Logic, you might want to try some of the following searches:

#### Message Count by Unit

```
_sourceCategory=journald
| parse "\"MESSAGE\" : \"*\"" as message nodrop
| parse "\"UNIT\" : \"*\"" as unit nodrop
| where !(isNull(unit) OR unit="")
| timeslice by 1m
| count by unit, _timeslice
| transpose row _timeslice column unit
```

#### Log Levels Over Time

```
_sourceCategory=journald
| parse "\"MESSAGE\" : \"*\"" as message nodrop
| parse "\"UNIT\" : \"*\"" as unit nodrop
| where isNull(unit) OR unit=""
| parse regex field=message "(?<level>[A-Z]{2,})"
| timeslice by 1m
| count by level, _timeslice
| where level != ""
| transpose row _timeslice column level
```

#### Outlier Detection on Total Number of Journald Messages

```
_sourceCategory=journald 
| timeslice by 1m
| count by _timeslice
| outlier _count
```
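As an added example (not code from the original post), here are the three searches above re-implemented in Python over constructed `journalctl -o json` lines, so you can see what each will return before any data reaches Sumo Logic. The log lines, timestamps and unit names are made up for the example; only the field names (`MESSAGE`, `UNIT`, `PRIORITY`, `__REALTIME_TIMESTAMP`) are journald’s. The outlier step uses a leave-one-out standard-deviation baseline, which is a simplification of Sumo’s `outlier` operator (that one works over a trailing window).

```python
import json
import re
import statistics
from collections import Counter

SLICE_S = 60                         # "timeslice by 1m"
BASE_S = 1_428_015_600               # arbitrary minute-aligned epoch second (2015-04-02)
LEVEL_RE = re.compile(r"[A-Z]{2,}")  # same pattern as the search's "parse regex"


def _line(offset_s, message, unit=None, priority="6"):
    """Build one constructed line in the shape `journalctl -o json` emits:
    one object per line, `" : "` between key and value, microsecond timestamp."""
    entry = {"__REALTIME_TIMESTAMP": str((BASE_S + offset_s) * 1_000_000),
             "PRIORITY": priority, "MESSAGE": message}
    if unit is not None:
        entry["UNIT"] = unit  # only systemd's own unit state messages carry UNIT
    return json.dumps(entry, separators=(", ", " : "))


# Constructed sample input (not captured from a real host).
SAMPLE_LINES = [
    # minute 0: two unit state changes, two unit-less daemon messages
    _line(5, "Started Docker Application Container Engine.", unit="docker.service"),
    _line(9, "Started OpenSSH server daemon.", unit="sshd.service"),
    _line(20, "Accepted publickey for core from 10.0.0.5 port 51234 ssh2"),
    _line(31, "WARNING: bridge-nf-call-iptables is disabled", priority="4"),
    # minute 1
    _line(70, "Stopping Docker Application Container Engine...", unit="docker.service"),
    _line(80, "ERROR: failed to start container 2f1a: no such image", priority="3"),
    _line(95, "INFO: subnet lease acquired"),
    # minute 2: a burst of errors, the kind of spike the outlier search should surface
    *[_line(125 + i, "ERROR: dial tcp 10.0.0.2:2379: connection refused", priority="3")
      for i in range(12)],
    # minutes 3 and 4: quiet baseline again
    _line(190, "Started Session 3 of user core.", unit="session-3.scope"),
    _line(200, "Accepted publickey for core from 10.0.0.5 port 51240 ssh2"),
    _line(250, "Stopped Docker Application Container Engine.", unit="docker.service"),
    _line(260, "DEBUG: reconciling state"),
]


def parse_entries(lines):
    """The two `parse ... nodrop` steps plus `timeslice by 1m`: a missing UNIT
    becomes None instead of dropping the entry."""
    entries = []
    for line in lines:
        obj = json.loads(line)
        ts_s = int(obj["__REALTIME_TIMESTAMP"]) // 1_000_000
        entries.append({
            "timeslice": ts_s - ts_s % SLICE_S,
            "unit": obj.get("UNIT") or None,
            "message": obj.get("MESSAGE", ""),
            # journald's PRIORITY (syslog severity 0-7) is the reliable level
            # source; the regex below mirrors the search's heuristic instead.
            "priority": int(obj.get("PRIORITY", 6)),
        })
    return entries


def count_by_unit(entries):
    """Message Count by Unit: counts per (timeslice, unit), entries with no
    UNIT skipped as `where !(isNull(unit) OR unit="")` does."""
    out = {}
    for e in entries:
        if e["unit"]:
            out.setdefault(e["timeslice"], Counter())[e["unit"]] += 1
    return out


def levels_over_time(entries):
    """Log Levels Over Time: for entries without a UNIT, the first run of two
    or more capitals in MESSAGE is the level; no such run means the entry is
    dropped, as `where level != ""` does."""
    out = {}
    for e in entries:
        if e["unit"]:
            continue
        m = LEVEL_RE.search(e["message"])
        if m:
            out.setdefault(e["timeslice"], Counter())[m.group(0)] += 1
    return out


def message_count_outliers(entries, threshold=3.0):
    """Outlier Detection: total messages per timeslice, flagging slices that
    sit more than `threshold` standard deviations from the other slices.
    Returns (totals, flagged)."""
    totals = Counter(e["timeslice"] for e in entries)
    flagged = {}
    for ts in sorted(totals):
        others = [c for t, c in totals.items() if t != ts]
        if len(others) < 2:
            continue  # not enough baseline to judge
        mean, sd = statistics.mean(others), statistics.stdev(others)
        if sd == 0:
            z = 0.0 if totals[ts] == mean else float("inf")
        else:
            z = (totals[ts] - mean) / sd
        if abs(z) > threshold:
            flagged[ts] = totals[ts]
    return dict(totals), flagged


if __name__ == "__main__":
    ents = parse_entries(SAMPLE_LINES)
    print("by unit:", count_by_unit(ents))
    print("levels:", levels_over_time(ents))
    print("outliers:", message_count_outliers(ents)[1])
```

The level heuristic shows why the real `PRIORITY` field is preferable: the two `Accepted publickey ...` lines are dropped entirely because they contain no run of capitals, so sshd logins vanish from the level chart even though journald stamps them with a severity.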

 

 

### Article Tags

- [Containers](https://www.sumologic.com/blog/containers)

