| <?xml version='1.0'?> <!--*-nxml-*--> |
| <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" |
| "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"> |
| <!-- SPDX-License-Identifier: LGPL-2.1+ --> |
| |
| <refentry id="systemd.journal-fields"> |
| |
| <refentryinfo> |
| <title>systemd.journal-fields</title> |
| <productname>systemd</productname> |
| </refentryinfo> |
| |
| <refmeta> |
| <refentrytitle>systemd.journal-fields</refentrytitle> |
| <manvolnum>7</manvolnum> |
| </refmeta> |
| |
| <refnamediv> |
| <refname>systemd.journal-fields</refname> |
| <refpurpose>Special journal fields</refpurpose> |
| </refnamediv> |
| |
| <refsect1> |
| <title>Description</title> |
| |
| <para>Entries in the journal resemble an environment block in |
| their syntax but with fields that can include binary data. |
| Primarily, fields are formatted UTF-8 text strings, and binary |
| formatting is used only where formatting as UTF-8 text strings |
| makes little sense. New fields may freely be defined by |
| applications, but a few fields have special meaning. All fields |
| with special meanings are optional. In some cases, fields may |
| appear more than once per entry.</para> |
| </refsect1> |
| |
| <refsect1> |
| <title>User Journal Fields</title> |
| |
| <para>User fields are fields that are directly passed from clients |
| and stored in the journal.</para> |
| |
| <variablelist class='journal-directives'> |
| <varlistentry> |
| <term><varname>MESSAGE=</varname></term> |
| <listitem> |
| <para>The human-readable message string for this entry. This |
| is supposed to be the primary text shown to the user. It is |
| usually not translated (but might be in some cases), and is |
| not supposed to be parsed for metadata.</para> |
| </listitem> |
| </varlistentry> |
| |
| <varlistentry> |
| <term><varname>MESSAGE_ID=</varname></term> |
| <listitem> |
| <para>A 128-bit message identifier ID for recognizing certain message types, if this is desirable. This |
| should contain a 128-bit ID formatted as a lower-case hexadecimal string, without any separating dashes or |
| suchlike. This is recommended to be a UUID-compatible ID, but this is not enforced, and formatted |
| differently. Developers can generate a new ID for this purpose with <command>systemd-id128 new</command>. |
| </para> |
| </listitem> |
| </varlistentry> |
| |
| <varlistentry> |
| <term><varname>PRIORITY=</varname></term> |
| <listitem> |
| <para>A priority value between 0 (<literal>emerg</literal>) |
| and 7 (<literal>debug</literal>) formatted as a decimal |
| string. This field is compatible with syslog's priority |
| concept.</para> |
| </listitem> |
| </varlistentry> |
| |
| <varlistentry> |
| <term><varname>CODE_FILE=</varname></term> |
| <term><varname>CODE_LINE=</varname></term> |
| <term><varname>CODE_FUNC=</varname></term> |
| <listitem> |
| <para>The code location generating this message, if known. |
| Contains the source filename, the line number and the |
| function name.</para> |
| </listitem> |
| </varlistentry> |
| |
| <varlistentry> |
| <term><varname>ERRNO=</varname></term> |
| <listitem> |
| <para>The low-level Unix error number causing this entry, if |
| any. Contains the numeric value of |
| <citerefentry project='man-pages'><refentrytitle>errno</refentrytitle><manvolnum>3</manvolnum></citerefentry> |
| formatted as a decimal string.</para> |
| </listitem> |
| </varlistentry> |
| |
| <varlistentry> |
| <term><varname>SYSLOG_FACILITY=</varname></term> |
| <term><varname>SYSLOG_IDENTIFIER=</varname></term> |
| <term><varname>SYSLOG_PID=</varname></term> |
| <term><varname>SYSLOG_TIMESTAMP=</varname></term> |
| <listitem> |
| <para>Syslog compatibility fields containing the facility (formatted as |
| decimal string), the identifier string (i.e. "tag"), the client PID, and |
| the timestamp as specified in the original datagram. (Note that the tag is |
| usually derived from glibc's |
| <varname>program_invocation_short_name</varname> variable, see |
| <citerefentry project='die-net'><refentrytitle>program_invocation_short_name</refentrytitle><manvolnum>3</manvolnum></citerefentry>.)</para> |
| <para>Note that the journal service does not validate the values of any structured |
| journal fields whose name is not prefixed with an underscore, and this includes any |
| syslog related fields such as these. Hence, applications that supply a facility, PID, |
| or log level are expected to do so properly formatted, i.e. as numeric integers formatted |
| as decimal strings.</para> |
| </listitem> |
| </varlistentry> |
| |
| <varlistentry> |
| <term><varname>SYSLOG_RAW=</varname></term> |
| <listitem> |
| <para>The original contents of the syslog line as received in the syslog |
| datagram. This field is only included if the <varname>MESSAGE=</varname> |
| field was modified compared to the original payload or the timestamp could |
| not be located properly and is not included in |
| <varname>SYSLOG_TIMESTAMP=</varname>. Message truncation occurs when when |
| the message contains leading or trailing whitespace (trailing and leading |
| whitespace is stripped), or it contains an embedded |
| <constant>NUL</constant> byte (the <constant>NUL</constant> byte and |
| anything after it is not included). Thus, the original syslog line is |
| either stored as <varname>SYSLOG_RAW=</varname> or it can be recreated |
| based on the stored priority and facility, timestamp, identifier, and the |
| message payload in <varname>MESSAGE=</varname>. |
| </para> |
| </listitem> |
| </varlistentry> |
| </variablelist> |
| </refsect1> |
| |
| <refsect1> |
| <title>Trusted Journal Fields</title> |
| |
| <para>Fields prefixed with an underscore are trusted fields, i.e. |
| fields that are implicitly added by the journal and cannot be |
| altered by client code.</para> |
| |
| <variablelist class='journal-directives'> |
| <varlistentry> |
| <term><varname>_PID=</varname></term> |
| <term><varname>_UID=</varname></term> |
| <term><varname>_GID=</varname></term> |
| <listitem> |
| <para>The process, user, and group ID of the process the |
| journal entry originates from formatted as a decimal |
| string. Note that entries obtained via <literal>stdout</literal> or |
| <literal>stderr</literal> of forked processes will contain credentials valid for a parent |
| process (that initiated the connection to <command>systemd-journald</command>).</para> |
| </listitem> |
| </varlistentry> |
| |
| <varlistentry> |
| <term><varname>_COMM=</varname></term> |
| <term><varname>_EXE=</varname></term> |
| <term><varname>_CMDLINE=</varname></term> |
| <listitem> |
| <para>The name, the executable path, and the command line of |
| the process the journal entry originates from.</para> |
| </listitem> |
| </varlistentry> |
| |
| <varlistentry> |
| <term><varname>_CAP_EFFECTIVE=</varname></term> |
| <listitem> |
| <para>The effective |
| <citerefentry project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry> |
| of the process the journal entry originates from.</para> |
| </listitem> |
| </varlistentry> |
| |
| <varlistentry> |
| <term><varname>_AUDIT_SESSION=</varname></term> |
| <term><varname>_AUDIT_LOGINUID=</varname></term> |
| <listitem> |
| <para>The session and login UID of the process the journal |
| entry originates from, as maintained by the kernel audit |
| subsystem.</para> |
| </listitem> |
| </varlistentry> |
| |
| <varlistentry> |
| <term><varname>_SYSTEMD_CGROUP=</varname></term> |
| <term><varname>_SYSTEMD_SLICE=</varname></term> |
| <term><varname>_SYSTEMD_UNIT=</varname></term> |
| <term><varname>_SYSTEMD_USER_UNIT=</varname></term> |
| <term><varname>_SYSTEMD_SESSION=</varname></term> |
| <term><varname>_SYSTEMD_OWNER_UID=</varname></term> |
| |
| <listitem> |
| <para>The control group path in the systemd hierarchy, the |
| the systemd slice unit name, the systemd unit name, the |
| unit name in the systemd user manager (if any), the systemd |
| session ID (if any), and the owner UID of the systemd user |
| unit or systemd session (if any) of the process the journal |
| entry originates from.</para> |
| </listitem> |
| </varlistentry> |
| |
| <varlistentry> |
| <term><varname>_SELINUX_CONTEXT=</varname></term> |
| <listitem> |
| <para>The SELinux security context (label) of the process |
| the journal entry originates from.</para> |
| </listitem> |
| </varlistentry> |
| |
| <varlistentry> |
| <term><varname>_SOURCE_REALTIME_TIMESTAMP=</varname></term> |
| <listitem> |
| <para>The earliest trusted timestamp of the message, if any |
| is known that is different from the reception time of the |
| journal. This is the time in microseconds since the epoch |
| UTC, formatted as a decimal string.</para> |
| </listitem> |
| </varlistentry> |
| |
| <varlistentry> |
| <term><varname>_BOOT_ID=</varname></term> |
| <listitem> |
| <para>The kernel boot ID for the boot the message was |
| generated in, formatted as a 128-bit hexadecimal |
| string.</para> |
| </listitem> |
| </varlistentry> |
| |
| <varlistentry> |
| <term><varname>_MACHINE_ID=</varname></term> |
| <listitem> |
| <para>The machine ID of the originating host, as available |
| in |
| <citerefentry><refentrytitle>machine-id</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para> |
| </listitem> |
| </varlistentry> |
| |
| <varlistentry> |
| <term><varname>_SYSTEMD_INVOCATION_ID=</varname></term> |
| <listitem> |
| <para>The invocation ID for the runtime cycle of the unit |
| the message was generated in, as available to processes |
| of the unit in <varname>$INVOCATION_ID</varname> (see |
| <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>).</para> |
| </listitem> |
| </varlistentry> |
| |
| <varlistentry> |
| <term><varname>_HOSTNAME=</varname></term> |
| <listitem> |
| <para>The name of the originating host.</para> |
| </listitem> |
| </varlistentry> |
| |
| <varlistentry> |
| <term><varname>_TRANSPORT=</varname></term> |
| <listitem> |
| <para>How the entry was received by the journal service. |
| Valid transports are: |
| </para> |
| <variablelist> |
| <varlistentry> |
| <term> |
| <option>audit</option> |
| </term> |
| <listitem> |
| <para>for those read from the kernel audit subsystem |
| </para> |
| </listitem> |
| </varlistentry> |
| |
| <varlistentry> |
| <term> |
| <option>driver</option> |
| </term> |
| <listitem> |
| <para>for internally generated messages |
| </para> |
| </listitem> |
| </varlistentry> |
| |
| <varlistentry> |
| <term> |
| <option>syslog</option> |
| </term> |
| <listitem> |
| <para>for those received via the local syslog socket |
| with the syslog protocol |
| </para> |
| </listitem> |
| </varlistentry> |
| |
| <varlistentry> |
| <term> |
| <option>journal</option> |
| </term> |
| <listitem> |
| <para>for those received via the native journal |
| protocol |
| </para> |
| </listitem> |
| </varlistentry> |
| |
| <varlistentry> |
| <term> |
| <option>stdout</option> |
| </term> |
| <listitem> |
| <para>for those read from a service's standard output |
| or error output |
| </para> |
| </listitem> |
| </varlistentry> |
| |
| <varlistentry> |
| <term> |
| <option>kernel</option> |
| </term> |
| <listitem> |
| <para>for those read from the kernel |
| </para> |
| </listitem> |
| </varlistentry> |
| </variablelist> |
| </listitem> |
| </varlistentry> |
| <varlistentry> |
| <term><varname>_STREAM_ID=</varname></term> |
| <listitem> |
| <para>Only applies to <literal>_TRANSPORT=stdout</literal> records: specifies a randomized 128bit ID assigned |
| to the stream connection when it was first created. This ID is useful to reconstruct individual log streams |
| from the log records: all log records carrying the same stream ID originate from the same stream.</para> |
| </listitem> |
| </varlistentry> |
| <varlistentry> |
| <term><varname>_LINE_BREAK=</varname></term> |
| <listitem> |
| <para>Only applies to <literal>_TRANSPORT=stdout</literal> records: indicates that the log message in the |
| standard output/error stream was not terminated with a normal newline character (<literal>\n</literal>, |
| i.e. ASCII 10). Specifically, when set this field is one of <option>nul</option> (in case the line was |
| terminated by a NUL byte), <option>line-max</option> (in case the maximum log line length was reached, as |
| configured with <varname>LineMax=</varname> in |
| <citerefentry><refentrytitle>journald.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>) or |
| <option>eof</option> (if this was the last log record of a stream and the stream ended without a final |
| newline character). Note that this record is not generated when a normal newline character was used for |
| marking the log line end.</para> |
| </listitem> |
| </varlistentry> |
| </variablelist> |
| </refsect1> |
| |
| <refsect1> |
| <title>Kernel Journal Fields</title> |
| |
| <para>Kernel fields are fields that are used by messages |
| originating in the kernel and stored in the journal.</para> |
| |
| <variablelist class='journal-directives'> |
| <varlistentry> |
| <term><varname>_KERNEL_DEVICE=</varname></term> |
| <listitem> |
| <para>The kernel device name. If the entry is associated to |
| a block device, the major and minor of the device node, |
| separated by <literal>:</literal> and prefixed by |
| <literal>b</literal>. Similar for character devices but |
| prefixed by <literal>c</literal>. For network devices, this |
| is the interface index prefixed by <literal>n</literal>. For |
| all other devices, this is the subsystem name prefixed by |
| <literal>+</literal>, followed by <literal>:</literal>, |
| followed by the kernel device name.</para> |
| </listitem> |
| </varlistentry> |
| <varlistentry> |
| <term><varname>_KERNEL_SUBSYSTEM=</varname></term> |
| <listitem> |
| <para>The kernel subsystem name.</para> |
| </listitem> |
| </varlistentry> |
| <varlistentry> |
| <term><varname>_UDEV_SYSNAME=</varname></term> |
| <listitem> |
| <para>The kernel device name as it shows up in the device |
| tree below <filename>/sys</filename>.</para> |
| </listitem> |
| </varlistentry> |
| <varlistentry> |
| <term><varname>_UDEV_DEVNODE=</varname></term> |
| <listitem> |
| <para>The device node path of this device in |
| <filename>/dev</filename>.</para> |
| </listitem> |
| </varlistentry> |
| <varlistentry> |
| <term><varname>_UDEV_DEVLINK=</varname></term> |
| <listitem> |
| <para>Additional symlink names pointing to the device node |
| in <filename>/dev</filename>. This field is frequently set |
| more than once per entry.</para> |
| </listitem> |
| </varlistentry> |
| </variablelist> |
| </refsect1> |
| |
| <refsect1> |
| <title>Fields to log on behalf of a different program</title> |
| |
| <para>Fields in this section are used by programs to specify that |
| they are logging on behalf of another program or unit. |
| </para> |
| |
| <para>Fields used by the <command>systemd-coredump</command> |
| coredump kernel helper: |
| </para> |
| |
| <variablelist class='journal-directives'> |
| <varlistentry> |
| <term><varname>COREDUMP_UNIT=</varname></term> |
| <term><varname>COREDUMP_USER_UNIT=</varname></term> |
| <listitem> |
| <para>Used to annotate messages containing coredumps from |
| system and session units. See |
| <citerefentry><refentrytitle>coredumpctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>. |
| </para> |
| </listitem> |
| </varlistentry> |
| </variablelist> |
| |
| <para>Privileged programs (currently UID 0) may attach |
| <varname>OBJECT_PID=</varname> to a message. This will instruct |
| <command>systemd-journald</command> to attach additional fields on |
| behalf of the caller:</para> |
| |
| <variablelist class='journal-directives'> |
| <varlistentry> |
| <term><varname>OBJECT_PID=<replaceable>PID</replaceable></varname></term> |
| <listitem> |
| <para>PID of the program that this message pertains to. |
| </para> |
| </listitem> |
| </varlistentry> |
| |
| <varlistentry> |
| <term><varname>OBJECT_UID=</varname></term> |
| <term><varname>OBJECT_GID=</varname></term> |
| <term><varname>OBJECT_COMM=</varname></term> |
| <term><varname>OBJECT_EXE=</varname></term> |
| <term><varname>OBJECT_CMDLINE=</varname></term> |
| <term><varname>OBJECT_AUDIT_SESSION=</varname></term> |
| <term><varname>OBJECT_AUDIT_LOGINUID=</varname></term> |
| <term><varname>OBJECT_SYSTEMD_CGROUP=</varname></term> |
| <term><varname>OBJECT_SYSTEMD_SESSION=</varname></term> |
| <term><varname>OBJECT_SYSTEMD_OWNER_UID=</varname></term> |
| <term><varname>OBJECT_SYSTEMD_UNIT=</varname></term> |
| <term><varname>OBJECT_SYSTEMD_USER_UNIT=</varname></term> |
| <listitem> |
| <para>These are additional fields added automatically by |
| <command>systemd-journald</command>. Their meaning is the |
| same as |
| <varname>_UID=</varname>, |
| <varname>_GID=</varname>, |
| <varname>_COMM=</varname>, |
| <varname>_EXE=</varname>, |
| <varname>_CMDLINE=</varname>, |
| <varname>_AUDIT_SESSION=</varname>, |
| <varname>_AUDIT_LOGINUID=</varname>, |
| <varname>_SYSTEMD_CGROUP=</varname>, |
| <varname>_SYSTEMD_SESSION=</varname>, |
| <varname>_SYSTEMD_UNIT=</varname>, |
| <varname>_SYSTEMD_USER_UNIT=</varname>, and |
| <varname>_SYSTEMD_OWNER_UID=</varname> |
| as described above, except that the process identified by |
| <replaceable>PID</replaceable> is described, instead of the |
| process which logged the message.</para> |
| </listitem> |
| </varlistentry> |
| </variablelist> |
| |
| </refsect1> |
| |
| <refsect1> |
| <title>Address Fields</title> |
| |
| <para>During serialization into external formats, such as the |
| <ulink |
| url="https://www.freedesktop.org/wiki/Software/systemd/export">Journal |
| Export Format</ulink> or the <ulink |
| url="https://www.freedesktop.org/wiki/Software/systemd/json">Journal |
| JSON Format</ulink>, the addresses of journal entries are |
| serialized into fields prefixed with double underscores. Note that |
| these are not proper fields when stored in the journal but for |
| addressing metadata of entries. They cannot be written as part of |
| structured log entries via calls such as |
| <citerefentry><refentrytitle>sd_journal_send</refentrytitle><manvolnum>3</manvolnum></citerefentry>. |
| They may also not be used as matches for |
| <citerefentry><refentrytitle>sd_journal_add_match</refentrytitle><manvolnum>3</manvolnum></citerefentry></para> |
| |
| <variablelist class='journal-directives'> |
| <varlistentry> |
| <term><varname>__CURSOR=</varname></term> |
| <listitem> |
| <para>The cursor for the entry. A cursor is an opaque text |
| string that uniquely describes the position of an entry in |
| the journal and is portable across machines, platforms and |
| journal files. |
| </para> |
| </listitem> |
| </varlistentry> |
| |
| <varlistentry> |
| <term><varname>__REALTIME_TIMESTAMP=</varname></term> |
| <listitem> |
| <para>The wallclock time |
| (<constant>CLOCK_REALTIME</constant>) at the point in time |
| the entry was received by the journal, in microseconds since |
| the epoch UTC, formatted as a decimal string. This has |
| different properties from |
| <literal>_SOURCE_REALTIME_TIMESTAMP=</literal>, as it is |
| usually a bit later but more likely to be monotonic. |
| </para> |
| </listitem> |
| </varlistentry> |
| |
| <varlistentry> |
| <term><varname>__MONOTONIC_TIMESTAMP=</varname></term> |
| <listitem> |
| <para>The monotonic time |
| (<constant>CLOCK_MONOTONIC</constant>) at the point in time |
| the entry was received by the journal in microseconds, |
| formatted as a decimal string. To be useful as an address |
| for the entry, this should be combined with the boot ID in |
| <literal>_BOOT_ID=</literal>. |
| </para> |
| </listitem> |
| </varlistentry> |
| </variablelist> |
| </refsect1> |
| |
| <refsect1> |
| <title>See Also</title> |
| <para> |
| <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>, |
| <citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>, |
| <citerefentry><refentrytitle>journald.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>, |
| <citerefentry><refentrytitle>sd-journal</refentrytitle><manvolnum>3</manvolnum></citerefentry>, |
| <citerefentry><refentrytitle>coredumpctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>, |
| <citerefentry><refentrytitle>systemd.directives</refentrytitle><manvolnum>7</manvolnum></citerefentry> |
| </para> |
| </refsect1> |
| |
| </refentry> |