sdjournal

sdjournal is a pure Rust systemd journal reader and query engine. It reads *.journal files directly and does not depend on libsystemd or invoke journalctl (tests may use journalctl for golden comparisons).

Status

• Target OS: Linux (non-Linux builds are supported for compilation, but Journal::open_default() is Linux-only).
• Designed for production use: corruption-/truncate-resistant parsing, bounded resource usage, stable merge ordering, cursor checkpoints, follow/tail with rotate support.

Supported systemd / sample matrix

This project is validated in CI on:

• Ubuntu 22.04 (systemd 249.x) as the minimum tested version
• Ubuntu 24.04 (systemd 255.x) as the target tested version

See .github/workflows/ci.yml for the exact matrix and the logged systemd --version output.

Features

• Default: mmap, lz4, zstd
• Optional:
  • xz: enable XZ decompression
  • tracing: emit diagnostics via tracing (caller installs a subscriber)
  • tokio: provides an async follow adapter
  • verify-seal: verify Forward Secure Sealing (TAG/FSS) with a systemd verification key

Quickstart

use sdjournal::Journal;

let journal = Journal::open_default()?;
let mut q = journal.query();
q.match_exact("_SYSTEMD_UNIT", b"sshd.service");
q.since_realtime(0);

for item in q.iter()? {
    let entry = item?;
    if let Some(msg) = entry.get("MESSAGE") {
        println!("{}", String::from_utf8_lossy(msg));
    }
}
# Ok::<(), sdjournal::SdJournalError>(())

Cursor checkpoint (resume after restart)

An end-to-end example that persists the last cursor and resumes via after_cursor is in:

• crates/sdjournal/examples/checkpoint_follow.rs

Run it on Linux:

cargo run -p sdjournal --example checkpoint_follow -- sshd.service /var/tmp/sdjournal.cursor

Development

• Format: cargo fmt
• Lint: cargo clippy --workspace --all-targets --all-features -- -D warnings
• Test: cargo test --workspace --all-features
• Fuzz (nightly): cargo +nightly fuzz run journal_open