Copyright 2010 Lennart Poettering
systemd is free software; you can redistribute it and/or modify it
- under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
+ under the terms of the GNU Lesser General Public License as published by
+ the Free Software Foundation; either version 2.1 of the License, or
(at your option) any later version.
systemd is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- General Public License for more details.
+ Lesser General Public License for more details.
- You should have received a copy of the GNU General Public License
+ You should have received a copy of the GNU Lesser General Public License
along with systemd; If not, see <http://www.gnu.org/licenses/>.
-->
<para>Entries in the journal resemble an environment
block in their syntax, however with fields that can
include binary data. Primarily, fields are formatted
- ASCII strings, and binary formatting is used only
- where formatting as ASCII makes little sense. New
- fields may be freely defined by applications, but a
- few fields have special meaning. All fields with
- special meaning are optional.</para>
+ UTF-8 text strings, and binary formatting is used only
+ where formatting as UTF-8 text strings makes little
+ sense. New fields may freely be defined by
+ applications, but a few fields have special
+ meaning. All fields with special meanings are
+ optional. In some cases fields may appear more than
+ once per entry.</para>
</refsect1>
<refsect1>
<para>User fields are fields that are directly passed
from clients and stored in the journal.</para>
- <variablelist>
+ <variablelist class='journal-directives'>
<varlistentry>
- <term>MESSAGE=</term>
+ <term><varname>MESSAGE=</varname></term>
<listitem>
<para>The human readable
message string for this
entry. This is supposed to be
the primary text shown to the
- user. It is not translated,
- and is not supposed to be
- parsed for meta data.</para>
+ user. It is usually not
+ translated (but might be in
+ some cases), and is not
+ supposed to be parsed for meta
+ data.</para>
</listitem>
</varlistentry>
<varlistentry>
- <term>MESSAGE_ID=</term>
+ <term><varname>MESSAGE_ID=</varname></term>
<listitem>
<para>A 128bit message
identifier ID for recognizing
</varlistentry>
<varlistentry>
- <term>PRIORITY=</term>
+ <term><varname>PRIORITY=</varname></term>
<listitem>
<para>A priority value between
0 (<literal>emerg</literal>)
</varlistentry>
<varlistentry>
- <term>CODE_FILE=</term>
- <term>CODE_LINE=</term>
- <term>CODE_FUNC=</term>
+ <term><varname>CODE_FILE=</varname></term>
+ <term><varname>CODE_LINE=</varname></term>
+ <term><varname>CODE_FUNC=</varname></term>
<listitem>
<para>The code location
generating this message, if
</varlistentry>
<varlistentry>
- <term>SYSLOG_FACILITY=</term>
- <term>SYSLOG_IDENTIFIER=</term>
- <term>SYSLOG_PID=</term>
+ <term><varname>ERRNO=</varname></term>
+ <listitem>
+ <para>The low-level Unix error
+ number causing this entry, if
+ any. Contains the numeric
+ value of
+ <citerefentry><refentrytitle>errno</refentrytitle><manvolnum>3</manvolnum></citerefentry>
+ formatted as decimal
+ string.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>SYSLOG_FACILITY=</varname></term>
+ <term><varname>SYSLOG_IDENTIFIER=</varname></term>
+ <term><varname>SYSLOG_PID=</varname></term>
<listitem>
<para>Syslog compatibility
fields containing the facility
fields, i.e. fields that are implicitly added by the
journal and cannot be altered by client code.</para>
- <variablelist>
+ <variablelist class='journal-directives'>
<varlistentry>
- <term>_PID=</term>
- <term>_UID=</term>
- <term>_GID=</term>
+ <term><varname>_PID=</varname></term>
+ <term><varname>_UID=</varname></term>
+ <term><varname>_GID=</varname></term>
<listitem>
<para>The process, user and
group ID of the process the
</varlistentry>
<varlistentry>
- <term>_COMM=</term>
- <term>_EXE=</term>
- <term>_CMDLINE=</term>
+ <term><varname>_COMM=</varname></term>
+ <term><varname>_EXE=</varname></term>
+ <term><varname>_CMDLINE=</varname></term>
<listitem>
<para>The name, the executable
path and the command line of
</varlistentry>
<varlistentry>
- <term>_AUDIT_SESSION=</term>
- <term>_AUDIT_LOGINUID=</term>
+ <term><varname>_AUDIT_SESSION=</varname></term>
+ <term><varname>_AUDIT_LOGINUID=</varname></term>
<listitem>
<para>The session and login
UID of the process the journal
</varlistentry>
<varlistentry>
- <term>_SYSTEMD_CGROUP=</term>
- <term>_SYSTEMD_SESSION=</term>
- <term>_SYSTEMD_UNIT=</term>
- <term>_SYSTEMD_OWNER_UID=</term>
+ <term><varname>_SYSTEMD_CGROUP=</varname></term>
+ <term><varname>_SYSTEMD_SESSION=</varname></term>
+ <term><varname>_SYSTEMD_UNIT=</varname></term>
+ <term><varname>_SYSTEMD_USER_UNIT=</varname></term>
+ <term><varname>_SYSTEMD_OWNER_UID=</varname></term>
<listitem>
- <para>The contol group path in
+ <para>The control group path in
the systemd hierarchy, the
systemd session ID (if any),
- the systemd unit name (if any)
+ the systemd unit name (if any),
+ the systemd user session unit name (if any)
and the owner UID of the
systemd session (if any) of
the process the journal entry
</varlistentry>
<varlistentry>
- <term>_SELINUX_CONTEXT=</term>
+ <term><varname>_SELINUX_CONTEXT=</varname></term>
<listitem>
<para>The SELinux security
context of the process the
</varlistentry>
<varlistentry>
- <term>_SOURCE_REALTIME_TIMESTAMP=</term>
+ <term><varname>_SOURCE_REALTIME_TIMESTAMP=</varname></term>
<listitem>
<para>The earliest trusted
timestamp of the message, if
</varlistentry>
<varlistentry>
- <term>_BOOT_ID=</term>
+ <term><varname>_BOOT_ID=</varname></term>
<listitem>
<para>The kernel boot ID for
the boot the message was
</varlistentry>
<varlistentry>
- <term>_MACHINE_ID=</term>
+ <term><varname>_MACHINE_ID=</varname></term>
<listitem>
<para>The machine ID of the
originating host, as available
</varlistentry>
<varlistentry>
- <term>_HOSTNAME=</term>
+ <term><varname>_HOSTNAME=</varname></term>
<listitem>
<para>The name of the
originating host.</para>
</varlistentry>
<varlistentry>
- <term>_TRANSPORT=</term>
+ <term><varname>_TRANSPORT=</varname></term>
<listitem>
<para>How the entry was
received by the journal
journal protocol, for the
those read from a services'
standard output or error
- output, resp. for those read
- from the kernel.
+ output, or for those read
+ from the kernel, respectively.
</para>
</listitem>
</varlistentry>
</refsect1>
<refsect1>
- <title>Address Fields</title>
+ <title>Kernel Journal Fields</title>
+
+ <para>Kernel fields are fields that are used by
+ messages originating in the kernel and stored in the
+ journal.</para>
- <para>During serialization into external formats the
- addresses of journal entries are serialized into
- fields prefixed with double underscores. Note that
- these aren't proper fields when stored in the journal,
- but addressing meta data of entries.</para>
+ <variablelist class='journal-directives'>
+ <varlistentry>
+ <term><varname>_KERNEL_DEVICE=</varname></term>
+ <listitem>
+ <para>The kernel device
+ name. If the entry is
+ associated to a block device,
+ the major and minor of the
+ device node, separated by ':'
+ and prefixed by 'b'. Similar
+ for character devices, but
+ prefixed by 'c'. For network
+ devices the interface index,
+ prefixed by 'n'. For all other
+ devices '+' followed by the
+ subsystem name, followed by
+ ':', followed by the kernel
+ device name.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><varname>_KERNEL_SUBSYSTEM=</varname></term>
+ <listitem>
+ <para>The kernel subsystem name.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><varname>_UDEV_SYSNAME=</varname></term>
+ <listitem>
+ <para>The kernel device name
+ as it shows up in the device
+ tree below
+ <filename>/sys</filename>.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><varname>_UDEV_DEVNODE=</varname></term>
+ <listitem>
+ <para>The device node path of
+ this device in
+ <filename>/dev</filename>.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><varname>_UDEV_DEVLINK=</varname></term>
+ <listitem>
+ <para>Additional symlink names
+ pointing to the device node in
+ <filename>/dev</filename>. This
+ field is frequently set more
+ than once per entry.</para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+
+ <refsect1>
+ <title>Special Journal Fields</title>
+
+ <para>Fields used by the <command>systemd-coredump</command>
+ coredump kernel helper.
+ </para>
+
+ <variablelist class='journal-directives'>
+ <varlistentry>
+ <term><varname>COREDUMP_UNIT=</varname></term>
+ <term><varname>COREDUMP_USER_UNIT=</varname></term>
+ <listitem>
+ <para>Used to annotate
+ messages containing coredumps from
+ system and session units.
+ See
+ <citerefentry><refentrytitle>systemd-coredumpctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+
+ <refsect1>
+ <title>Address Fields</title>
- <variablelist>
+ <para>During serialization into external formats, such
+ as the <ulink
+ url="http://www.freedesktop.org/wiki/Software/systemd/export">Journal
+ Export Format</ulink> or the <ulink
+ url="http://www.freedesktop.org/wiki/Software/systemd/json">Journal
+ JSON Format</ulink>, the addresses of journal entries
+ are serialized into fields prefixed with double
+ underscores. Note that these aren't proper fields when
+ stored in the journal, but addressing meta data of
+ entries. They cannot be written as part of structured
+ log entries via calls such as
+ <citerefentry><refentrytitle>sd_journal_send</refentrytitle><manvolnum>3</manvolnum></citerefentry>. They
+ may also not be used as matches for
+ <citerefentry><refentrytitle>sd_journal_add_match</refentrytitle><manvolnum>3</manvolnum></citerefentry></para>
+
+ <variablelist class='journal-directives'>
<varlistentry>
- <term>__CURSOR=</term>
+ <term><varname>__CURSOR=</varname></term>
<listitem>
<para>The cursor for the
entry. A cursor is an opaque
</varlistentry>
<varlistentry>
- <term>__REALTIME_TIMESTAMP=</term>
+ <term><varname>__REALTIME_TIMESTAMP=</varname></term>
<listitem>
<para>The wallclock time
(CLOCK_REALTIME) at the point
</varlistentry>
<varlistentry>
- <term>__MONOTONIC_TIMESTAMP=</term>
+ <term><varname>__MONOTONIC_TIMESTAMP=</varname></term>
<listitem>
<para>The monotonic time
(CLOCK_MONOTONIC) at the point
<para>
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
<citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>journald.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+ <citerefentry><refentrytitle>journald.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>sd-journal</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>systemd-coredumpctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>systemd.directives</refentrytitle><manvolnum>7</manvolnum></citerefentry>
</para>
</refsect1>