DescriptionEntries in the journal resemble an environment
- block in their syntax, however with fields that can
+ block in their syntax but with fields that can
include binary data. Primarily, fields are formatted
UTF-8 text strings, and binary formatting is used only
where formatting as UTF-8 text strings makes little
sense. New fields may freely be defined by
applications, but a few fields have special
meaning. All fields with special meanings are
- optional. In some cases fields may appear more than
+ optional. In some cases, fields may appear more than
once per entry.
@@ -72,7 +72,7 @@
MESSAGE=
- The human readable
+ The human-readable
message string for this
entry. This is supposed to be
the primary text shown to the
@@ -87,22 +87,22 @@
MESSAGE_ID=
- A 128bit message
+ A 128-bit message
identifier ID for recognizing
certain message types, if this
is desirable. This should
- contain a 128bit id formatted
- as lower-case hexadecimal
+ contain a 128-bit ID formatted
+ as a lower-case hexadecimal
string, without any separating
dashes or suchlike. This is
- recommended to be a UUID
- compatible ID, but this is not
+ recommended to be a
+ UUID-compatible ID, but this is not
enforced, and formatted
differently. Developers can
generate a new ID for this
- purpose with
- journalctl
- --new-id.
+ purpose with journalctl
+ .
+
@@ -113,7 +113,7 @@
0 (emerg)
and 7
(debug)
- formatted as decimal
+ formatted as a decimal
string. This field is
compatible with syslog's
priority concept.
@@ -128,7 +128,7 @@
The code location
generating this message, if
known. Contains the source
- file name, the line number and
+ filename, the line number and
the function name.
@@ -140,8 +140,8 @@
number causing this entry, if
any. Contains the numeric
value of
- errno3
- formatted as decimal
+ errno3
+ formatted as a decimal
string.
@@ -156,7 +156,10 @@
(formatted as decimal string),
the identifier string
(i.e. "tag"), and the client
- PID.
+ PID. (Note that the tag is
+ usually derived from glibc's
+ program_invocation_short_name
+ variable, see program_invocation_short_name3.)
@@ -176,10 +179,10 @@
_UID=_GID=
- The process, user and
+ The process, user, and
group ID of the process the
journal entry originates from
- formatted as decimal
+ formatted as a decimal
string.
@@ -190,7 +193,16 @@
_CMDLINE=The name, the executable
- path and the command line of
+ path, and the command line of
+ the process the journal entry
+ originates from.
+
+
+
+
+ _CAP_EFFECTIVE=
+
+ The effective capabilities7 of
the process the journal entry
originates from.
@@ -214,17 +226,20 @@
_SYSTEMD_UNIT=_SYSTEMD_USER_UNIT=_SYSTEMD_OWNER_UID=
+ _SYSTEMD_SLICE=
- The control group path in
- the systemd hierarchy, the
+ The control group path
+ in the systemd hierarchy, the
systemd session ID (if any),
- the systemd unit name (if any),
- the systemd user session unit name (if any)
- and the owner UID of the
- systemd session (if any) of
- the process the journal entry
- originates from.
+ the systemd unit name (if
+ any), the systemd user session
+ unit name (if any), the owner
+ UID of the systemd session (if
+ any) and the systemd slice
+ unit of the process the
+ journal entry originates
+ from.
@@ -232,8 +247,8 @@
_SELINUX_CONTEXT=The SELinux security
- context of the process the
- journal entry originates
+ context (label) of the process
+ the journal entry originates
from.
@@ -246,8 +261,8 @@
any is known that is different
from the reception time of the
journal. This is the time in
- usec since the epoch UTC
- formatted as decimal
+ microseconds since the epoch UTC,
+ formatted as a decimal
string.
@@ -258,7 +273,7 @@
The kernel boot ID for
the boot the message was
generated in, formatted as
- 128bit hexadecimal
+ a 128-bit hexadecimal
string.
@@ -286,23 +301,75 @@
How the entry was
received by the journal
- service. One of
- driver,
- syslog,
- journal,
- stdout,
- kernel for
- internally generated messages,
- for those received via the
- local syslog socket with the
- syslog protocol, for those
- received via the native
- journal protocol, for the
- those read from a services'
- standard output or error
- output, or for those read
- from the kernel, respectively.
+ service. Valid transports are:
+
+
+
+
+
+
+ for
+ internally
+ generated
+ messages
+
+
+
+
+
+
+
+
+
+ for those
+ received via the
+ local syslog
+ socket with the
+ syslog protocol
+
+
+
+
+
+
+
+
+
+ for those
+ received via the
+ native journal
+ protocol
+
+
+
+
+
+
+
+
+
+ for those
+ read from a
+ service's
+ standard output
+ or error output
+
+
+
+
+
+
+
+
+
+ for those
+ read from the
+ kernel
+
+
+
+
@@ -315,34 +382,34 @@
messages originating in the kernel and stored in the
journal.
-
+
- _KERNEL_DEVICE=
+ _KERNEL_DEVICE=The kernel device
name. If the entry is
associated to a block device,
the major and minor of the
- device node, separated by ':'
- and prefixed by 'b'. Similar
- for character devices, but
- prefixed by 'c'. For network
- devices the interface index,
- prefixed by 'n'. For all other
- devices '+' followed by the
- subsystem name, followed by
- ':', followed by the kernel
+ device node, separated by :
+ and prefixed by b. Similar
+ for character devices but
+ prefixed by c. For network
+ devices, this is the interface index
+ prefixed by n. For all other
+ devices, this is the subsystem name
+ prefixed by +, followed by
+ :, followed by the kernel
device name.
- _KERNEL_SUBSYSTEM=
+ _KERNEL_SUBSYSTEM=The kernel subsystem name.
- _UDEV_SYSNAME=
+ _UDEV_SYSNAME=The kernel device name
as it shows up in the device
@@ -351,7 +418,7 @@
- _UDEV_DEVNODE=
+ _UDEV_DEVNODE=The device node path of
this device in
@@ -359,7 +426,7 @@
- _UDEV_DEVLINK=
+ _UDEV_DEVLINK=Additional symlink names
pointing to the device node in
@@ -371,6 +438,89 @@
+
+ Fields to log on behalf of a different program
+
+ Fields in this section are used by programs
+ to specify that they are logging on behalf of another
+ program or unit.
+
+
+ Fields used by the systemd-coredump
+ coredump kernel helper:
+
+
+
+
+ COREDUMP_UNIT=
+ COREDUMP_USER_UNIT=
+
+ Used to annotate
+ messages containing coredumps from
+ system and session units.
+ See
+ coredumpctl1.
+
+
+
+
+
+ Priviledged programs (currently UID 0) may
+ attach OBJECT_PID= to a
+ message. This will instruct
+ systemd-journald to attach
+ additional fields on behalf of the caller:
+
+
+
+ OBJECT_PID=PID
+
+ PID of the program that this
+ message pertains to.
+
+
+
+
+
+ OBJECT_UID=
+ OBJECT_GID=
+ OBJECT_COMM=
+ OBJECT_EXE=
+ OBJECT_CMDLINE=
+ OBJECT_AUDIT_SESSION=
+ OBJECT_AUDIT_LOGINUID=
+ OBJECT_SYSTEMD_CGROUP=
+ OBJECT_SYSTEMD_SESSION=
+ OBJECT_SYSTEMD_OWNER_UID=
+ OBJECT_SYSTEMD_UNIT=
+ OBJECT_SYSTEMD_USER_UNIT=
+
+ These are additional fields added automatically
+ by systemd-journald.
+ Their meaning is the same as
+ _UID=,
+ _GID=,
+ _COMM=,
+ _EXE=,
+ _CMDLINE=,
+ _AUDIT_SESSION=,
+ _AUDIT_LOGINUID=,
+ _SYSTEMD_CGROUP=,
+ _SYSTEMD_SESSION=,
+ _SYSTEMD_UNIT=,
+ _SYSTEMD_USER_UNIT=, and
+ _SYSTEMD_OWNER_UID=
+ as described above, except that the
+ process identified by PID
+ is described, instead of the process
+ which logged the message.
+
+
+
+
+
+
+
Address Fields
@@ -381,8 +531,8 @@
url="http://www.freedesktop.org/wiki/Software/systemd/json">Journal
JSON Format, the addresses of journal entries
are serialized into fields prefixed with double
- underscores. Note that these aren't proper fields when
- stored in the journal, but addressing meta data of
+ underscores. Note that these are not proper fields when
+ stored in the journal but for addressing metadata of
entries. They cannot be written as part of structured
log entries via calls such as
sd_journal_send3. They
@@ -399,8 +549,8 @@
describes the position of an
entry in the journal and is
portable across machines,
- platforms and journal
- files.
+ platforms and journal files.
+
@@ -408,16 +558,17 @@
__REALTIME_TIMESTAMP=The wallclock time
- (CLOCK_REALTIME) at the point
- in time the entry was received
- by the journal, in usec since
- the epoch UTC formatted as
- decimal string. This has
- different properties from
- _SOURCE_REALTIME_TIMESTAMP=
+ (CLOCK_REALTIME)
+ at the point in time the entry
+ was received by the journal,
+ in microseconds since the epoch
+ UTC, formatted as a decimal
+ string. This has different
+ properties from
+ _SOURCE_REALTIME_TIMESTAMP=,
as it is usually a bit later
- but more likely to be
- monotonic.
+ but more likely to be monotonic.
+
@@ -425,15 +576,15 @@
__MONOTONIC_TIMESTAMP=The monotonic time
- (CLOCK_MONOTONIC) at the point
- in time the entry was received
- by the journal in usec
- formatted as decimal
+ (CLOCK_MONOTONIC)
+ at the point in time the entry
+ was received by the journal in
+ microseconds, formatted as a decimal
string. To be useful as an
- address for the entry this
- should be combined with with
- boot ID in
- _BOOT_ID=.
+ address for the entry, this
+ should be combined with the
+ boot ID in _BOOT_ID=.
+
@@ -446,6 +597,7 @@
journalctl1,
journald.conf5,
sd-journal3,
+ coredumpctl1,
systemd.directives7