1 <?xml version='1.0'?> <!--*-nxml-*-->
2 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
3 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
6 This file is part of systemd.
8 Copyright 2010 Lennart Poettering
10 systemd is free software; you can redistribute it and/or modify it
11 under the terms of the GNU Lesser General Public License as published by
12 the Free Software Foundation; either version 2.1 of the License, or
13 (at your option) any later version.
15 systemd is distributed in the hope that it will be useful, but
16 WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
18 Lesser General Public License for more details.
20 You should have received a copy of the GNU Lesser General Public License
21 along with systemd; If not, see <http://www.gnu.org/licenses/>.
24 <refentry id="systemd.journal-fields">
27 <title>systemd.journal-fields</title>
28 <productname>systemd</productname>
32 <contrib>Developer</contrib>
33 <firstname>Lennart</firstname>
34 <surname>Poettering</surname>
35 <email>lennart@poettering.net</email>
41 <refentrytitle>systemd.journal-fields</refentrytitle>
42 <manvolnum>7</manvolnum>
46 <refname>systemd.journal-fields</refname>
47 <refpurpose>Special journal fields</refpurpose>
51 <title>Description</title>
53 <para>Entries in the journal resemble an environment
54 block in their syntax, however with fields that can
55 include binary data. Primarily, fields are formatted
56 UTF-8 text strings, and binary formatting is used only
57 where formatting as UTF-8 text strings makes little
58 sense. New fields may freely be defined by
59 applications, but a few fields have special
60 meaning. All fields with special meanings are
65 <title>User Journal Fields</title>
67 <para>User fields are fields that are directly passed
68 from clients and stored in the journal.</para>
74 <para>The human readable
75 message string for this
76 entry. This is supposed to be
77 the primary text shown to the
78 user. It is usually not
79 translated (but might be in
80 some cases), and is not
81 supposed to be parsed for meta
87 <term>MESSAGE_ID=</term>
89 <para>A 128bit message
90 identifier ID for recognizing
91 certain message types, if this
92 is desirable. This should
93 contain a 128bit id formatted
94 as lower-case hexadecimal
95 string, without any separating
96 dashes or suchlike. This is
97 recommended to be a UUID
98 compatible ID, but this is not
99 enforced, and formatted
100 differently. Developers can
101 generate a new ID for this
104 --new-id</command>.</para>
109 <term>PRIORITY=</term>
111 <para>A priority value between
112 0 (<literal>emerg</literal>)
114 (<literal>debug</literal>)
116 string. This field is
117 compatible with syslog's
118 priority concept.</para>
123 <term>CODE_FILE=</term>
124 <term>CODE_LINE=</term>
125 <term>CODE_FUNC=</term>
127 <para>The code location
128 generating this message, if
129 known. Contains the source
130 file name, the line number and
131 the function name.</para>
136 <term>SYSLOG_FACILITY=</term>
137 <term>SYSLOG_IDENTIFIER=</term>
138 <term>SYSLOG_PID=</term>
140 <para>Syslog compatibility
141 fields containing the facility
142 (formatted as decimal string),
143 the identifier string
144 (i.e. "tag"), and the client
153 <title>Trusted Journal Fields</title>
155 <para>Fields prefixed with an underscore are trusted
156 fields, i.e. fields that are implicitly added by the
157 journal and cannot be altered by client code.</para>
165 <para>The process, user and
166 group ID of the process the
167 journal entry originates from
176 <term>_CMDLINE=</term>
178 <para>The name, the executable
179 path and the command line of
180 the process the journal entry
181 originates from.</para>
186 <term>_AUDIT_SESSION=</term>
187 <term>_AUDIT_LOGINUID=</term>
189 <para>The session and login
190 UID of the process the journal
191 entry originates from, as
192 maintained by the kernel audit
198 <term>_SYSTEMD_CGROUP=</term>
199 <term>_SYSTEMD_SESSION=</term>
200 <term>_SYSTEMD_UNIT=</term>
201 <term>_SYSTEMD_OWNER_UID=</term>
204 <para>The contol group path in
205 the systemd hierarchy, the
206 systemd session ID (if any),
207 the systemd unit name (if any)
208 and the owner UID of the
209 systemd session (if any) of
210 the process the journal entry
211 originates from.</para>
216 <term>_SELINUX_CONTEXT=</term>
218 <para>The SELinux security
219 context of the process the
220 journal entry originates
226 <term>_SOURCE_REALTIME_TIMESTAMP=</term>
228 <para>The earliest trusted
229 timestamp of the message, if
230 any is known that is different
231 from the reception time of the
232 journal. This is the time in
233 usec since the epoch UTC
240 <term>_BOOT_ID=</term>
242 <para>The kernel boot ID for
243 the boot the message was
244 generated in, formatted as
251 <term>_MACHINE_ID=</term>
253 <para>The machine ID of the
254 originating host, as available
256 <citerefentry><refentrytitle>machine-id</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para>
261 <term>_HOSTNAME=</term>
263 <para>The name of the
264 originating host.</para>
269 <term>_TRANSPORT=</term>
271 <para>How the entry was
272 received by the journal
274 <literal>driver</literal>,
275 <literal>syslog</literal>,
276 <literal>journal</literal>,
277 <literal>stdout</literal>,
278 <literal>kernel</literal> for
279 internally generated messages,
280 for those received via the
281 local syslog socket with the
282 syslog protocol, for those
283 received via the native
284 journal protocol, for the
285 those read from a services'
286 standard output or error
287 output, and for those read
288 from the kernel, resp.
296 <title>Address Fields</title>
298 <para>During serialization into external formats the
299 addresses of journal entries are serialized into
300 fields prefixed with double underscores. Note that
301 these aren't proper fields when stored in the journal,
302 but addressing meta data of entries. They cannot be
303 written as part of structured log entries via calls
305 <citerefentry><refentrytitle>sd_journal_send</refentrytitle><manvolnum>3</manvolnum></citerefentry>. They
306 may also not be used as matches for
307 <citerefentry><refentrytitle>sd_journal_add_match</refentrytitle><manvolnum>3</manvolnum></citerefentry></para>
311 <term>__CURSOR=</term>
313 <para>The cursor for the
314 entry. A cursor is an opaque
315 text string that uniquely
316 describes the position of an
317 entry in the journal and is
318 portable across machines,
319 platforms and journal
325 <term>__REALTIME_TIMESTAMP=</term>
327 <para>The wallclock time
328 (CLOCK_REALTIME) at the point
329 in time the entry was received
330 by the journal, in usec since
331 the epoch UTC formatted as
332 decimal string. This has
333 different properties from
334 <literal>_SOURCE_REALTIME_TIMESTAMP=</literal>
335 as it is usually a bit later
336 but more likely to be
342 <term>__MONOTONIC_TIMESTAMP=</term>
344 <para>The monotonic time
345 (CLOCK_MONOTONIC) at the point
346 in time the entry was received
347 by the journal in usec
349 string. To be useful as an
350 address for the entry this
351 should be combined with with
353 <literal>_BOOT_ID=</literal>.</para>
360 <title>See Also</title>
362 <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
363 <citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
364 <citerefentry><refentrytitle>journald.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
365 <citerefentry><refentrytitle>sd-journal</refentrytitle><manvolnum>3</manvolnum></citerefentry>