1 <?xml version='
1.0'
?> <!--*-nxml-*-->
2 <!DOCTYPE refentry PUBLIC
"-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
4 <!-- SPDX-License-Identifier: LGPL-2.1-or-later -->
6 <refentry id=
"systemd.journal-fields" xmlns:
xi=
"http://www.w3.org/2001/XInclude">
9 <title>systemd.journal-fields
</title>
10 <productname>systemd
</productname>
14 <refentrytitle>systemd.journal-fields
</refentrytitle>
15 <manvolnum>7</manvolnum>
19 <refname>systemd.journal-fields
</refname>
20 <refpurpose>Special journal fields
</refpurpose>
24 <title>Description
</title>
26 <para>Entries in the journal (as written by
27 <citerefentry><refentrytitle>systemd-journald.service
</refentrytitle><manvolnum>8</manvolnum></citerefentry>)
28 resemble a UNIX process environment block in syntax but with field values that may include binary data,
29 and with non-unique field names permitted. Primarily, field values are formatted UTF-
8 text strings —
30 binary encoding is used only where formatting as UTF-
8 text strings makes little sense. New fields may
31 freely be defined by applications, but a few fields have special meanings, which are listed
32 below. Typically, fields may only appear once per log entry, however there are special exceptions: some
33 fields may appear more than once per entry, in which case this is explicitly mentioned below. Even though
34 the logging subsystem makes no restrictions on which fields to accept non-unique values for, it is
35 strongly recommended to avoid relying on this for the fields listed below (except where listed otherwise,
36 as mentioned) in order to avoid unnecessary incompatibilities with other applications.
</para>
40 <title>User Journal Fields
</title>
42 <para>User fields are fields that are directly passed from clients
43 and stored in the journal.
</para>
45 <variablelist class='journal-directives'
>
47 <term><varname>MESSAGE=
</varname></term>
49 <para>The human-readable message string for this entry. This is supposed to be the primary text
50 shown to the user. It is usually not translated (but might be in some cases), and is not supposed
51 to be parsed for metadata. In order to encode multiple lines in a single log entry, separate them
52 by newline characters (ASCII code
10), but encode them as a single
<varname>MESSAGE=
</varname>
53 field. Do not add multiple values of this field type to the same entry (also see above), as
54 consuming applications generally do not expect this and are unlikely to show all values in that
60 <term><varname>MESSAGE_ID=
</varname></term>
62 <para>A
128-bit message identifier ID for recognizing certain message types, if this is desirable. This
63 should contain a
128-bit ID formatted as a lower-case hexadecimal string, without any separating dashes or
64 suchlike. This is recommended to be a UUID-compatible ID, but this is not enforced, and formatted
65 differently. Developers can generate a new ID for this purpose with
<command>systemd-id128 new
</command>.
71 <term><varname>PRIORITY=
</varname></term>
73 <para>A priority value between
0 (
<literal>emerg
</literal>)
74 and
7 (
<literal>debug
</literal>) formatted as a decimal
75 string. This field is compatible with syslog's priority
81 <term><varname>CODE_FILE=
</varname></term>
82 <term><varname>CODE_LINE=
</varname></term>
83 <term><varname>CODE_FUNC=
</varname></term>
85 <para>The code location generating this message, if known.
86 Contains the source filename, the line number and the
92 <term><varname>ERRNO=
</varname></term>
94 <para>The low-level Unix error number causing this entry, if
95 any. Contains the numeric value of
96 <citerefentry project='man-pages'
><refentrytitle>errno
</refentrytitle><manvolnum>3</manvolnum></citerefentry>
97 formatted as a decimal string.
</para>
99 <xi:include href=
"version-info.xml" xpointer=
"v188"/>
104 <term><varname>INVOCATION_ID=
</varname></term>
105 <term><varname>USER_INVOCATION_ID=
</varname></term>
107 <para>A randomized, unique
128-bit ID identifying each runtime cycle of the unit. This is different from
108 <varname>_SYSTEMD_INVOCATION_ID
</varname> in that it is only used for messages coming from systemd code
109 (e.g. logs from the system/user manager or from forked processes performing systemd-related setup).
</para>
111 <xi:include href=
"version-info.xml" xpointer=
"v245"/>
116 <term><varname>SYSLOG_FACILITY=
</varname></term>
117 <term><varname>SYSLOG_IDENTIFIER=
</varname></term>
118 <term><varname>SYSLOG_PID=
</varname></term>
119 <term><varname>SYSLOG_TIMESTAMP=
</varname></term>
121 <para>Syslog compatibility fields containing the facility (formatted as
122 decimal string), the identifier string (i.e.
"tag"), the client PID, and
123 the timestamp as specified in the original datagram. (Note that the tag is
124 usually derived from glibc's
125 <varname>program_invocation_short_name
</varname> variable, see
126 <citerefentry project='die-net'
><refentrytitle>program_invocation_short_name
</refentrytitle><manvolnum>3</manvolnum></citerefentry>.)
</para>
127 <para>Note that the journal service does not validate the values of any structured
128 journal fields whose name is not prefixed with an underscore, and this includes any
129 syslog related fields such as these. Hence, applications that supply a facility, PID,
130 or log level are expected to do so properly formatted, i.e. as numeric integers formatted
131 as decimal strings.
</para>
136 <term><varname>SYSLOG_RAW=
</varname></term>
138 <para>The original contents of the syslog line as received in the syslog
139 datagram. This field is only included if the
<varname>MESSAGE=
</varname>
140 field was modified compared to the original payload or the timestamp could
141 not be located properly and is not included in
142 <varname>SYSLOG_TIMESTAMP=
</varname>. Message truncation occurs when
143 the message contains leading or trailing whitespace (trailing and leading
144 whitespace is stripped), or it contains an embedded
145 <constant>NUL
</constant> byte (the
<constant>NUL
</constant> byte and
146 anything after it is not included). Thus, the original syslog line is
147 either stored as
<varname>SYSLOG_RAW=
</varname> or it can be recreated
148 based on the stored priority and facility, timestamp, identifier, and the
149 message payload in
<varname>MESSAGE=
</varname>.
152 <xi:include href=
"version-info.xml" xpointer=
"v240"/>
157 <term><varname>DOCUMENTATION=
</varname></term>
159 <para>A documentation URL with further information about the topic of the log message. Tools such
160 as
<command>journalctl
</command> will include a hyperlink to a URL specified this way in their
161 output. Should be an
<literal>http://
</literal>,
<literal>https://
</literal>,
162 <literal>file:/
</literal>,
<literal>man:
</literal> or
<literal>info:
</literal> URL.
</para>
164 <xi:include href=
"version-info.xml" xpointer=
"v246"/>
169 <term><varname>TID=
</varname></term>
171 <para>The numeric thread ID (TID) the log message originates from.
</para>
173 <xi:include href=
"version-info.xml" xpointer=
"v247"/>
178 <term><varname>UNIT=
</varname></term>
179 <term><varname>USER_UNIT=
</varname></term>
181 <para>The name of a unit. Used by the system and user managers when logging about specific
184 <para>When
<option>--unit=
<replaceable>name
</replaceable></option> or
185 <option>--user-unit=
<replaceable>name
</replaceable></option> are used with
186 <citerefentry><refentrytitle>journalctl
</refentrytitle><manvolnum>1</manvolnum></citerefentry>, a
187 match pattern that includes
<literal>UNIT=
<replaceable>name
</replaceable>.service
</literal> or
188 <literal>USER_UNIT=
<replaceable>name
</replaceable>.service
</literal> will be generated.
</para>
190 <xi:include href=
"version-info.xml" xpointer=
"v251"/>
197 <title>Trusted Journal Fields
</title>
199 <para>Fields prefixed with an underscore are trusted fields, i.e.
200 fields that are implicitly added by the journal and cannot be
201 altered by client code.
</para>
203 <variablelist class='journal-directives'
>
205 <term><varname>_PID=
</varname></term>
206 <term><varname>_UID=
</varname></term>
207 <term><varname>_GID=
</varname></term>
209 <para>The process, user, and group ID of the process the
210 journal entry originates from formatted as a decimal
211 string. Note that entries obtained via
<literal>stdout
</literal> or
212 <literal>stderr
</literal> of forked processes will contain credentials valid for a parent
213 process (that initiated the connection to
<command>systemd-journald
</command>).
</para>
218 <term><varname>_COMM=
</varname></term>
219 <term><varname>_EXE=
</varname></term>
220 <term><varname>_CMDLINE=
</varname></term>
222 <para>The name, the executable path, and the command line of
223 the process the journal entry originates from.
</para>
228 <term><varname>_CAP_EFFECTIVE=
</varname></term>
231 <citerefentry project='man-pages'
><refentrytitle>capabilities
</refentrytitle><manvolnum>7</manvolnum></citerefentry>
232 of the process the journal entry originates from.
</para>
234 <xi:include href=
"version-info.xml" xpointer=
"v206"/>
239 <term><varname>_AUDIT_SESSION=
</varname></term>
240 <term><varname>_AUDIT_LOGINUID=
</varname></term>
242 <para>The session and login UID of the process the journal
243 entry originates from, as maintained by the kernel audit
249 <term><varname>_SYSTEMD_CGROUP=
</varname></term>
250 <term><varname>_SYSTEMD_SLICE=
</varname></term>
251 <term><varname>_SYSTEMD_UNIT=
</varname></term>
252 <term><varname>_SYSTEMD_USER_UNIT=
</varname></term>
253 <term><varname>_SYSTEMD_USER_SLICE=
</varname></term>
254 <term><varname>_SYSTEMD_SESSION=
</varname></term>
255 <term><varname>_SYSTEMD_OWNER_UID=
</varname></term>
258 <para>The control group path in the systemd hierarchy, the systemd slice unit name, the systemd
259 unit name, the unit name in the systemd user manager (if any), the systemd session ID (if any), and
260 the owner UID of the systemd user unit or systemd session (if any) of the process the journal entry
261 originates from.
</para>
266 <term><varname>_SELINUX_CONTEXT=
</varname></term>
268 <para>The SELinux security context (label) of the process
269 the journal entry originates from.
</para>
274 <term><varname>_SOURCE_REALTIME_TIMESTAMP=
</varname></term>
276 <para>The earliest trusted timestamp of the message, if any
277 is known that is different from the reception time of the
278 journal. This is the time in microseconds since the epoch
279 UTC, formatted as a decimal string.
</para>
284 <term><varname>_BOOT_ID=
</varname></term>
286 <para>The kernel boot ID for the boot the message was
287 generated in, formatted as a
128-bit hexadecimal
293 <term><varname>_MACHINE_ID=
</varname></term>
295 <para>The machine ID of the originating host, as available
297 <citerefentry><refentrytitle>machine-id
</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
</para>
302 <term><varname>_SYSTEMD_INVOCATION_ID=
</varname></term>
304 <para>The invocation ID for the runtime cycle of the unit
305 the message was generated in, as available to processes
306 of the unit in
<varname>$INVOCATION_ID
</varname> (see
307 <citerefentry><refentrytitle>systemd.exec
</refentrytitle><manvolnum>5</manvolnum></citerefentry>).
</para>
309 <xi:include href=
"version-info.xml" xpointer=
"v233"/>
314 <term><varname>_HOSTNAME=
</varname></term>
316 <para>The name of the originating host.
</para>
321 <term><varname>_TRANSPORT=
</varname></term>
323 <para>How the entry was received by the journal service.
324 Valid transports are:
329 <option>audit
</option>
332 <para>for those read from the kernel audit subsystem
335 <xi:include href=
"version-info.xml" xpointer=
"v227"/>
341 <option>driver
</option>
344 <para>for internally generated messages
347 <xi:include href=
"version-info.xml" xpointer=
"v205"/>
353 <option>syslog
</option>
356 <para>for those received via the local syslog socket
357 with the syslog protocol
360 <xi:include href=
"version-info.xml" xpointer=
"v205"/>
366 <option>journal
</option>
369 <para>for those received via the native journal
373 <xi:include href=
"version-info.xml" xpointer=
"v205"/>
379 <option>stdout
</option>
382 <para>for those read from a service's standard output
386 <xi:include href=
"version-info.xml" xpointer=
"v205"/>
392 <option>kernel
</option>
395 <para>for those read from the kernel
398 <xi:include href=
"version-info.xml" xpointer=
"v205"/>
405 <term><varname>_STREAM_ID=
</varname></term>
407 <para>Only applies to
<literal>_TRANSPORT=stdout
</literal> records: specifies a randomized
128-bit ID assigned
408 to the stream connection when it was first created. This ID is useful to reconstruct individual log streams
409 from the log records: all log records carrying the same stream ID originate from the same stream.
</para>
411 <xi:include href=
"version-info.xml" xpointer=
"v235"/>
415 <term><varname>_LINE_BREAK=
</varname></term>
417 <para>Only applies to
<literal>_TRANSPORT=stdout
</literal> records: indicates that the log message
418 in the standard output/error stream was not terminated with a normal newline character
419 (
<literal>\n
</literal>, i.e. ASCII
10). Specifically, when set this field is one of
420 <option>nul
</option> (in case the line was terminated by a
<constant>NUL
</constant> byte),
<option>line-max
</option> (in
421 case the maximum log line length was reached, as configured with
<varname>LineMax=
</varname> in
422 <citerefentry><refentrytitle>journald.conf
</refentrytitle><manvolnum>5</manvolnum></citerefentry>),
423 <option>eof
</option> (if this was the last log record of a stream and the stream ended without a
424 final newline character), or
<option>pid-change
</option> (if the process which generated the log
425 output changed in the middle of a line). Note that this record is not generated when a normal
426 newline character was used for marking the log line end.
</para>
428 <xi:include href=
"version-info.xml" xpointer=
"v235"/>
432 <term><varname>_NAMESPACE=
</varname></term>
434 <listitem><para>If this file was written by a
<command>systemd-journald
</command> instance managing a
435 journal namespace that is not the default, this field contains the namespace identifier. See
436 <citerefentry><refentrytitle>systemd-journald.service
</refentrytitle><manvolnum>8</manvolnum></citerefentry>
437 for details about journal namespaces.
</para>
439 <xi:include href=
"version-info.xml" xpointer=
"v245"/>
443 <term><varname>_RUNTIME_SCOPE=
</varname></term>
445 <listitem><para>A string field that specifies the runtime scope in which the message was logged. If
446 <literal>initrd
</literal>, the log message was processed while the system was running inside the
447 initrd. If
<literal>system
</literal>, the log message was generated after the system switched
448 execution to the host root filesystem.
</para>
450 <xi:include href=
"version-info.xml" xpointer=
"v252"/></listitem>
456 <title>Kernel Journal Fields
</title>
458 <para>Kernel fields are fields that are used by messages
459 originating in the kernel and stored in the journal.
</para>
461 <variablelist class='journal-directives'
>
463 <term><varname>_KERNEL_DEVICE=
</varname></term>
465 <para>The kernel device name. If the entry is associated to a block device, contains the major and
466 minor numbers of the device node, separated by
<literal>:
</literal> and prefixed by
467 <literal>b
</literal>. Similarly for character devices, but prefixed by
<literal>c
</literal>. For
468 network devices, this is the interface index prefixed by
<literal>n
</literal>. For all other
469 devices, this is the subsystem name prefixed by
<literal>+
</literal>, followed by
470 <literal>:
</literal>, followed by the kernel device name.
</para>
472 <xi:include href=
"version-info.xml" xpointer=
"v189"/>
476 <term><varname>_KERNEL_SUBSYSTEM=
</varname></term>
478 <para>The kernel subsystem name.
</para>
480 <xi:include href=
"version-info.xml" xpointer=
"v189"/>
484 <term><varname>_UDEV_SYSNAME=
</varname></term>
486 <para>The kernel device name as it shows up in the device
487 tree below
<filename>/sys/
</filename>.
</para>
489 <xi:include href=
"version-info.xml" xpointer=
"v189"/>
493 <term><varname>_UDEV_DEVNODE=
</varname></term>
495 <para>The device node path of this device in
496 <filename>/dev/
</filename>.
</para>
498 <xi:include href=
"version-info.xml" xpointer=
"v189"/>
502 <term><varname>_UDEV_DEVLINK=
</varname></term>
504 <para>Additional symlink names pointing to the device node
505 in
<filename>/dev/
</filename>. This field is frequently set
506 more than once per entry.
</para>
508 <xi:include href=
"version-info.xml" xpointer=
"v189"/>
515 <title>Fields to log on behalf of a different program
</title>
517 <para>Fields in this section are used by programs to specify that
518 they are logging on behalf of another program or unit.
521 <para>Fields used by the
<command>systemd-coredump
</command>
522 coredump kernel helper:
525 <variablelist class='journal-directives'
>
527 <term><varname>COREDUMP_UNIT=
</varname></term>
528 <term><varname>COREDUMP_USER_UNIT=
</varname></term>
530 <para>Used to annotate messages containing coredumps from
531 system and session units. See
532 <citerefentry><refentrytitle>coredumpctl
</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
538 <para>Privileged programs (currently UID
0) may attach
539 <varname>OBJECT_PID=
</varname> to a message. This will instruct
540 <command>systemd-journald
</command> to attach additional fields on
541 behalf of the caller:
</para>
543 <variablelist class='journal-directives'
>
545 <term><varname>OBJECT_PID=
<replaceable>PID
</replaceable></varname></term>
547 <para>PID of the program that this message pertains to.
550 <xi:include href=
"version-info.xml" xpointer=
"v205"/>
555 <term><varname>OBJECT_UID=
</varname></term>
556 <term><varname>OBJECT_GID=
</varname></term>
557 <term><varname>OBJECT_COMM=
</varname></term>
558 <term><varname>OBJECT_EXE=
</varname></term>
559 <term><varname>OBJECT_CMDLINE=
</varname></term>
560 <term><varname>OBJECT_AUDIT_SESSION=
</varname></term>
561 <term><varname>OBJECT_AUDIT_LOGINUID=
</varname></term>
562 <term><varname>OBJECT_SYSTEMD_CGROUP=
</varname></term>
563 <term><varname>OBJECT_SYSTEMD_SESSION=
</varname></term>
564 <term><varname>OBJECT_SYSTEMD_OWNER_UID=
</varname></term>
565 <term><varname>OBJECT_SYSTEMD_UNIT=
</varname></term>
566 <term><varname>OBJECT_SYSTEMD_USER_UNIT=
</varname></term>
568 <para>These are additional fields added automatically by
569 <command>systemd-journald
</command>. Their meaning is the
571 <varname>_UID=
</varname>,
572 <varname>_GID=
</varname>,
573 <varname>_COMM=
</varname>,
574 <varname>_EXE=
</varname>,
575 <varname>_CMDLINE=
</varname>,
576 <varname>_AUDIT_SESSION=
</varname>,
577 <varname>_AUDIT_LOGINUID=
</varname>,
578 <varname>_SYSTEMD_CGROUP=
</varname>,
579 <varname>_SYSTEMD_SESSION=
</varname>,
580 <varname>_SYSTEMD_UNIT=
</varname>,
581 <varname>_SYSTEMD_USER_UNIT=
</varname>, and
582 <varname>_SYSTEMD_OWNER_UID=
</varname>
583 as described above, except that the process identified by
584 <replaceable>PID
</replaceable> is described, instead of the
585 process which logged the message.
</para>
587 <xi:include href=
"version-info.xml" xpointer=
"v205"/>
595 <title>Address Fields
</title>
597 <para>During serialization into external formats, such as the
598 <ulink url=
"https://systemd.io/JOURNAL_EXPORT_FORMATS#journal-export-format">Journal Export Format
</ulink>
600 <ulink url=
"https://systemd.io/JOURNAL_EXPORT_FORMATS#journal-json-format">Journal JSON Format
</ulink>,
601 the addresses of journal entries are
602 serialized into fields prefixed with double underscores. Note that
603 these are not proper fields when stored in the journal but for
604 addressing metadata of entries. They cannot be written as part of
605 structured log entries via calls such as
606 <citerefentry><refentrytitle>sd_journal_send
</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
607 They may also not be used as matches for
608 <citerefentry><refentrytitle>sd_journal_add_match
</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
611 <variablelist class='journal-directives'
>
613 <term><varname>__CURSOR=
</varname></term>
615 <para>The cursor for the entry. A cursor is an opaque text
616 string that uniquely describes the position of an entry in
617 the journal and is portable across machines, platforms and
624 <term><varname>__REALTIME_TIMESTAMP=
</varname></term>
626 <para>The wallclock time
627 (
<constant>CLOCK_REALTIME
</constant>) at the point in time
628 the entry was received by the journal, in microseconds since
629 the epoch UTC, formatted as a decimal string. This has
630 different properties from
631 <literal>_SOURCE_REALTIME_TIMESTAMP=
</literal>, as it is
632 usually a bit later but more likely to be monotonic.
638 <term><varname>__MONOTONIC_TIMESTAMP=
</varname></term>
640 <para>The monotonic time
641 (
<constant>CLOCK_MONOTONIC
</constant>) at the point in time
642 the entry was received by the journal in microseconds,
643 formatted as a decimal string. To be useful as an address
644 for the entry, this should be combined with the boot ID in
645 <literal>_BOOT_ID=
</literal>.
651 <term><varname>__SEQNUM=
</varname></term>
652 <term><varname>__SEQNUM_ID=
</varname></term>
654 <listitem><para>The sequence number (and associated sequence number ID) of this journal entry in the
655 journal file it originates from. See
656 <citerefentry><refentrytitle>sd_journal_get_seqnum
</refentrytitle><manvolnum>3</manvolnum></citerefentry>
659 <xi:include href=
"version-info.xml" xpointer=
"v254"/></listitem>
665 <title>See Also
</title>
667 <citerefentry><refentrytitle>systemd
</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
668 <citerefentry><refentrytitle>systemd-journald.service
</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
669 <citerefentry><refentrytitle>journalctl
</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
670 <citerefentry><refentrytitle>journald.conf
</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
671 <citerefentry><refentrytitle>sd-journal
</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
672 <citerefentry><refentrytitle>coredumpctl
</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
673 <citerefentry><refentrytitle>systemd.directives
</refentrytitle><manvolnum>7</manvolnum></citerefentry>