tp: Parse JournaldEventPacket into unified LogTable (2/3)#5797

Open
staticfloat wants to merge 2 commits into google:main from staticfloat:sf/journald-part-2

@staticfloat staticfloat commented May 10, 2026

Refactor AndroidLogTable into a unified LogTable (log_tables.py,
exposed as __intrinsic_logs) that stores log entries from all sources.
A new log_source STRING column identifies the origin: 'android' or
'journald'. LogTable is moved out of android_tables.py into its own
log_tables.py since it is no longer Android-specific.

New parser parses JournaldEventPacket and inserts into LogTable with log_source='journald'. Journald-specific
metadata (uid, comm, systemd_unit, hostname, transport) is stored via ArgsTracker.

Three SQL views are provided in the prelude:

  • logs: all entries from all sources
  • android_logs: convenience alias for log_source='android' entries
  • journald_logs: journald entries with metadata columns via extract_arg()

Diff tests updated and a new Linux diff test suite covers journald parsing.

This is part 2 of a split-up version of #5331 and will close #3288.

This PR was co-written by AI; while I iterated on it until the look and feel felt correct, there may be context or use cases that I am unaware of. I am open to all review comments, and will do my best to address them.
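A minimal model of the single-table-plus-views layout this PR describes, as an added example that is not code from the PR or from Perfetto. It uses Python's `sqlite3`; the column names (`ts`, `prio`, `tag`, `msg`, `arg_set_id`), the simplified `args` table whose subqueries stand in for `ArgsTracker` and `extract_arg()`, and all sample rows are assumptions constructed for illustration.

```python
import sqlite3

# Constructed sample rows: (ts, prio, tag, msg, log_source, arg_set_id)
ROWS = [
    (100, 4, "ActivityManager", "Start proc com.example", "android", None),
    (120, 6, "sshd", "Accepted publickey for alice", "journald", 1),
    (130, 3, "sudo", "authentication failure", "journald", 2),
]
# Constructed journald metadata: (arg_set_id, key, value)
ARGS = [
    (1, "uid", 0), (1, "comm", "sshd"), (1, "systemd_unit", "ssh.service"),
    (2, "uid", 1000), (2, "comm", "sudo"), (2, "systemd_unit", "session-3.scope"),
]

def _arg(key):
    # Correlated subquery standing in for extract_arg(arg_set_id, key).
    return ("(SELECT value FROM args a WHERE a.arg_set_id = l.arg_set_id "
            f"AND a.key = '{key}') AS {key}")

def build_model():
    db = sqlite3.connect(":memory:")
    db.executescript(f"""
        CREATE TABLE __intrinsic_logs(ts INTEGER, prio INTEGER, tag TEXT,
            msg TEXT, log_source TEXT, arg_set_id INTEGER);
        CREATE TABLE args(arg_set_id INTEGER, key TEXT, value);
        -- Every entry, whatever its origin.
        CREATE VIEW logs AS
            SELECT ts, prio, tag, msg, log_source FROM __intrinsic_logs;
        -- Source-specific views are plain filters on log_source.
        CREATE VIEW android_logs AS SELECT ts, prio, tag, msg
            FROM __intrinsic_logs WHERE log_source = 'android';
        CREATE VIEW journald_logs AS SELECT l.ts, l.prio, l.tag, l.msg,
            {_arg('uid')}, {_arg('comm')}, {_arg('systemd_unit')}
            FROM __intrinsic_logs l WHERE l.log_source = 'journald';
    """)
    db.executemany("INSERT INTO __intrinsic_logs VALUES (?,?,?,?,?,?)", ROWS)
    db.executemany("INSERT INTO args VALUES (?,?,?)", ARGS)
    return db

def counts_by_source(db):
    return dict(db.execute(
        "SELECT log_source, COUNT(*) FROM logs GROUP BY log_source"))

def journald_at_or_above(db, max_prio=3):
    # syslog priorities: lower number is more severe (3 = err).
    return db.execute(
        "SELECT ts, comm, uid, systemd_unit FROM journald_logs "
        "WHERE prio <= ? ORDER BY ts", (max_prio,)).fetchall()
```
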

@staticfloat staticfloat requested a review from a team as a code owner May 10, 2026 00:02
@staticfloat
Author

Note that because gh stack says that this repository doesn't have stacks enabled, I wasn't able to use that new feature, so this branch contains the commit before it.

@staticfloat staticfloat force-pushed the sf/journald-part-2 branch 2 times, most recently from ce13c00 to fc0360f Compare May 13, 2026 05:03
Comment thread src/trace_processor/importers/proto/android_probes_parser.cc Outdated
Comment thread src/trace_processor/importers/proto/linux_probes_module.cc Outdated
Comment thread src/trace_processor/perfetto_sql/stdlib/prelude/after_eof/views.sql Outdated
@staticfloat staticfloat force-pushed the sf/journald-part-2 branch from fc0360f to 5bc3ed8 Compare May 13, 2026 16:21
@staticfloat
Author

Note: after rebasing my branch, syntaqlite is throwing these errors for me locally:

$ ./tools/format-sources
clang-format: Formatting 21 files
gn: Formatting 9 files
yapf: Formatting 5 files
syntaqlite: Formatting 2 files
ninja: Entering directory `/home/sabae/src/perfetto/out/presubmits'
ninja: no work to do.
/home/sabae/src/perfetto/buildtools/syntaqlite/syntaqlite: symbol lookup error: /home/sabae/src/perfetto/out/presubmits/libperfetto_fmt_dialect.so: undefined symbol: synq_extent_on_shift
`/home/sabae/src/perfetto/buildtools/syntaqlite/syntaqlite fmt --dialect /home/sabae/src/perfetto/out/presubmits/libperfetto_fmt_` returned 127
Run tools/format-sql-sources to fix

Despite my best efforts to clean everything (including nuking the entire out/ directory) the error persists. I'll continue rebasing to see if a fix gets merged for this, until then the SQL might not be formatted totally correctly.

@LalitMaganti
Member

#5852 will fix.

@staticfloat staticfloat force-pushed the sf/journald-part-2 branch from 5bc3ed8 to 30f18b3 Compare May 13, 2026 23:54
Add a new `linux.journald` data source to `traced_probes` that reads log
entries from the systemd journal via `libsystemd`. The library is loaded
at runtime via dlopen("libsystemd.so.0") so there is no compile-time
dependency on libsystemd.

New protos:
- `JournaldConfig` in `protos/perfetto/config/linux/journald_config.proto`
- `JournaldEventPacket` in `protos/perfetto/trace/linux/journald_event.proto`

The data source opens the journal with sd_journal_open(), and emits one
JournaldEventPacket per entry containing: timestamp, pid, priority,
tag, message, uid, comm, systemd_unit, hostname and transport.

Refactor `AndroidLogTable` into a unified `LogTable` (`log_tables.py`,
exposed as `__intrinsic_logs`) that stores log entries from all sources.
A new log_source STRING column identifies the origin: 'android' or
'journald'. `LogTable` is moved out of `android_tables.py` into its own
`log_tables.py` since it is no longer Android-specific.

New linux_probes_parser.cc parses `JournaldEventPacket` and inserts into
`LogTable` with log_source='journald'. Journald-specific metadata
(uid, comm, systemd_unit, hostname, transport) is stored via `ArgsTracker`.

Three SQL views are provided in the prelude:
- logs: all entries from all sources
- android_logs: convenience alias for log_source='android' entries
- journald_logs: journald entries with metadata columns via extract_arg()

Diff tests updated and a new Linux diff test suite covers journald
parsing.
@staticfloat staticfloat force-pushed the sf/journald-part-2 branch from 30f18b3 to a7787d8 Compare May 15, 2026 06:13
Development

Successfully merging this pull request may close these issues.

Linux journald logs datasource