]>
Commit | Line | Data |
---|---|---|
ffa16db0 LP |
1 | <?xml version='1.0'?> <!--*-nxml-*--> |
2 | <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" | |
798d3a52 | 3 | "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"> |
ffa16db0 LP |
4 | |
5 | <!-- | |
6 | This file is part of systemd. | |
7 | ||
8 | Copyright 2010 Lennart Poettering | |
9 | ||
10 | systemd is free software; you can redistribute it and/or modify it | |
5430f7f2 LP |
11 | under the terms of the GNU Lesser General Public License as published by |
12 | the Free Software Foundation; either version 2.1 of the License, or | |
ffa16db0 LP |
13 | (at your option) any later version. |
14 | ||
15 | systemd is distributed in the hope that it will be useful, but | |
16 | WITHOUT ANY WARRANTY; without even the implied warranty of | |
17 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | |
5430f7f2 | 18 | Lesser General Public License for more details. |
ffa16db0 | 19 | |
5430f7f2 | 20 | You should have received a copy of the GNU Lesser General Public License |
ffa16db0 LP |
21 | along with systemd; If not, see <http://www.gnu.org/licenses/>. |
22 | --> | |
23 | ||
24 | <refentry id="systemd.journal-fields"> | |
25 | ||
798d3a52 ZJS |
26 | <refentryinfo> |
27 | <title>systemd.journal-fields</title> | |
28 | <productname>systemd</productname> | |
29 | ||
30 | <authorgroup> | |
31 | <author> | |
32 | <contrib>Developer</contrib> | |
33 | <firstname>Lennart</firstname> | |
34 | <surname>Poettering</surname> | |
35 | <email>lennart@poettering.net</email> | |
36 | </author> | |
37 | </authorgroup> | |
38 | </refentryinfo> | |
39 | ||
40 | <refmeta> | |
41 | <refentrytitle>systemd.journal-fields</refentrytitle> | |
42 | <manvolnum>7</manvolnum> | |
43 | </refmeta> | |
44 | ||
45 | <refnamediv> | |
46 | <refname>systemd.journal-fields</refname> | |
47 | <refpurpose>Special journal fields</refpurpose> | |
48 | </refnamediv> | |
49 | ||
50 | <refsect1> | |
51 | <title>Description</title> | |
52 | ||
53 | <para>Entries in the journal resemble an environment block in | |
54 | their syntax but with fields that can include binary data. | |
55 | Primarily, fields are formatted UTF-8 text strings, and binary | |
56 | formatting is used only where formatting as UTF-8 text strings | |
57 | makes little sense. New fields may freely be defined by | |
58 | applications, but a few fields have special meaning. All fields | |
59 | with special meanings are optional. In some cases, fields may | |
60 | appear more than once per entry.</para> | |
61 | </refsect1> | |
62 | ||
63 | <refsect1> | |
64 | <title>User Journal Fields</title> | |
65 | ||
66 | <para>User fields are fields that are directly passed from clients | |
67 | and stored in the journal.</para> | |
68 | ||
69 | <variablelist class='journal-directives'> | |
70 | <varlistentry> | |
71 | <term><varname>MESSAGE=</varname></term> | |
72 | <listitem> | |
73 | <para>The human-readable message string for this entry. This | |
74 | is supposed to be the primary text shown to the user. It is | |
75 | usually not translated (but might be in some cases), and is | |
76 | not supposed to be parsed for meta data.</para> | |
77 | </listitem> | |
78 | </varlistentry> | |
79 | ||
80 | <varlistentry> | |
81 | <term><varname>MESSAGE_ID=</varname></term> | |
82 | <listitem> | |
83 | <para>A 128-bit message identifier ID for recognizing | |
84 | certain message types, if this is desirable. This should | |
85 | contain a 128-bit ID formatted as a lower-case hexadecimal | |
86 | string, without any separating dashes or suchlike. This is | |
87 | recommended to be a UUID-compatible ID, but this is not | |
88 | enforced, and formatted differently. Developers can generate | |
89 | a new ID for this purpose with <command>journalctl | |
90 | <option>--new-id</option></command>. | |
91 | </para> | |
92 | </listitem> | |
93 | </varlistentry> | |
94 | ||
95 | <varlistentry> | |
96 | <term><varname>PRIORITY=</varname></term> | |
97 | <listitem> | |
98 | <para>A priority value between 0 (<literal>emerg</literal>) | |
99 | and 7 (<literal>debug</literal>) formatted as a decimal | |
100 | string. This field is compatible with syslog's priority | |
101 | concept.</para> | |
102 | </listitem> | |
103 | </varlistentry> | |
104 | ||
105 | <varlistentry> | |
106 | <term><varname>CODE_FILE=</varname></term> | |
107 | <term><varname>CODE_LINE=</varname></term> | |
108 | <term><varname>CODE_FUNC=</varname></term> | |
109 | <listitem> | |
110 | <para>The code location generating this message, if known. | |
111 | Contains the source filename, the line number and the | |
112 | function name.</para> | |
113 | </listitem> | |
114 | </varlistentry> | |
115 | ||
116 | <varlistentry> | |
117 | <term><varname>ERRNO=</varname></term> | |
118 | <listitem> | |
119 | <para>The low-level Unix error number causing this entry, if | |
120 | any. Contains the numeric value of | |
121 | <citerefentry project='man-pages'><refentrytitle>errno</refentrytitle><manvolnum>3</manvolnum></citerefentry> | |
122 | formatted as a decimal string.</para> | |
123 | </listitem> | |
124 | </varlistentry> | |
125 | ||
126 | <varlistentry> | |
127 | <term><varname>SYSLOG_FACILITY=</varname></term> | |
128 | <term><varname>SYSLOG_IDENTIFIER=</varname></term> | |
129 | <term><varname>SYSLOG_PID=</varname></term> | |
130 | <listitem> | |
131 | <para>Syslog compatibility fields containing the facility | |
132 | (formatted as decimal string), the identifier string (i.e. | |
133 | "tag"), and the client PID. (Note that the tag is usually | |
134 | derived from glibc's | |
135 | <varname>program_invocation_short_name</varname> variable, | |
136 | see | |
3ba3a79d | 137 | <citerefentry project='die-net'><refentrytitle>program_invocation_short_name</refentrytitle><manvolnum>3</manvolnum></citerefentry>.)</para> |
798d3a52 ZJS |
138 | </listitem> |
139 | ||
140 | </varlistentry> | |
141 | </variablelist> | |
142 | </refsect1> | |
143 | ||
144 | <refsect1> | |
145 | <title>Trusted Journal Fields</title> | |
146 | ||
147 | <para>Fields prefixed with an underscore are trusted fields, i.e. | |
148 | fields that are implicitly added by the journal and cannot be | |
149 | altered by client code.</para> | |
150 | ||
151 | <variablelist class='journal-directives'> | |
152 | <varlistentry> | |
153 | <term><varname>_PID=</varname></term> | |
154 | <term><varname>_UID=</varname></term> | |
155 | <term><varname>_GID=</varname></term> | |
156 | <listitem> | |
157 | <para>The process, user, and group ID of the process the | |
158 | journal entry originates from formatted as a decimal | |
159 | string.</para> | |
160 | </listitem> | |
161 | </varlistentry> | |
162 | ||
163 | <varlistentry> | |
164 | <term><varname>_COMM=</varname></term> | |
165 | <term><varname>_EXE=</varname></term> | |
166 | <term><varname>_CMDLINE=</varname></term> | |
167 | <listitem> | |
168 | <para>The name, the executable path, and the command line of | |
169 | the process the journal entry originates from.</para> | |
170 | </listitem> | |
171 | </varlistentry> | |
172 | ||
173 | <varlistentry> | |
174 | <term><varname>_CAP_EFFECTIVE=</varname></term> | |
175 | <listitem> | |
176 | <para>The effective | |
177 | <citerefentry project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry> | |
178 | of the process the journal entry originates from.</para> | |
179 | </listitem> | |
180 | </varlistentry> | |
181 | ||
182 | <varlistentry> | |
183 | <term><varname>_AUDIT_SESSION=</varname></term> | |
184 | <term><varname>_AUDIT_LOGINUID=</varname></term> | |
185 | <listitem> | |
186 | <para>The session and login UID of the process the journal | |
187 | entry originates from, as maintained by the kernel audit | |
188 | subsystem.</para> | |
189 | </listitem> | |
190 | </varlistentry> | |
191 | ||
192 | <varlistentry> | |
193 | <term><varname>_SYSTEMD_CGROUP=</varname></term> | |
194 | <term><varname>_SYSTEMD_SESSION=</varname></term> | |
195 | <term><varname>_SYSTEMD_UNIT=</varname></term> | |
196 | <term><varname>_SYSTEMD_USER_UNIT=</varname></term> | |
197 | <term><varname>_SYSTEMD_OWNER_UID=</varname></term> | |
198 | <term><varname>_SYSTEMD_SLICE=</varname></term> | |
199 | ||
200 | <listitem> | |
201 | <para>The control group path in the systemd hierarchy, the | |
202 | systemd session ID (if any), the systemd unit name (if any), | |
203 | the systemd user session unit name (if any), the owner UID | |
204 | of the systemd session (if any) and the systemd slice unit | |
205 | of the process the journal entry originates from.</para> | |
206 | </listitem> | |
207 | </varlistentry> | |
208 | ||
209 | <varlistentry> | |
210 | <term><varname>_SELINUX_CONTEXT=</varname></term> | |
211 | <listitem> | |
212 | <para>The SELinux security context (label) of the process | |
213 | the journal entry originates from.</para> | |
214 | </listitem> | |
215 | </varlistentry> | |
216 | ||
217 | <varlistentry> | |
218 | <term><varname>_SOURCE_REALTIME_TIMESTAMP=</varname></term> | |
219 | <listitem> | |
220 | <para>The earliest trusted timestamp of the message, if any | |
221 | is known that is different from the reception time of the | |
222 | journal. This is the time in microseconds since the epoch | |
223 | UTC, formatted as a decimal string.</para> | |
224 | </listitem> | |
225 | </varlistentry> | |
226 | ||
227 | <varlistentry> | |
228 | <term><varname>_BOOT_ID=</varname></term> | |
229 | <listitem> | |
230 | <para>The kernel boot ID for the boot the message was | |
231 | generated in, formatted as a 128-bit hexadecimal | |
232 | string.</para> | |
233 | </listitem> | |
234 | </varlistentry> | |
235 | ||
236 | <varlistentry> | |
237 | <term><varname>_MACHINE_ID=</varname></term> | |
238 | <listitem> | |
239 | <para>The machine ID of the originating host, as available | |
240 | in | |
241 | <citerefentry><refentrytitle>machine-id</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para> | |
242 | </listitem> | |
243 | </varlistentry> | |
244 | ||
245 | <varlistentry> | |
246 | <term><varname>_HOSTNAME=</varname></term> | |
247 | <listitem> | |
248 | <para>The name of the originating host.</para> | |
249 | </listitem> | |
250 | </varlistentry> | |
251 | ||
252 | <varlistentry> | |
253 | <term><varname>_TRANSPORT=</varname></term> | |
254 | <listitem> | |
255 | <para>How the entry was received by the journal service. | |
256 | Valid transports are: | |
257 | </para> | |
258 | <variablelist> | |
259 | <varlistentry> | |
260 | <term> | |
261 | <option>driver</option> | |
262 | </term> | |
263 | <listitem> | |
264 | <para>for internally generated messages | |
5199cbe4 | 265 | </para> |
798d3a52 ZJS |
266 | </listitem> |
267 | </varlistentry> | |
268 | ||
269 | <varlistentry> | |
270 | <term> | |
271 | <option>syslog</option> | |
272 | </term> | |
273 | <listitem> | |
274 | <para>for those received via the local syslog socket | |
275 | with the syslog protocol | |
53057ef9 | 276 | </para> |
798d3a52 ZJS |
277 | </listitem> |
278 | </varlistentry> | |
279 | ||
280 | <varlistentry> | |
281 | <term> | |
282 | <option>journal</option> | |
283 | </term> | |
284 | <listitem> | |
285 | <para>for those received via the native journal | |
286 | protocol | |
287 | </para> | |
288 | </listitem> | |
289 | </varlistentry> | |
290 | ||
291 | <varlistentry> | |
292 | <term> | |
293 | <option>stdout</option> | |
294 | </term> | |
295 | <listitem> | |
296 | <para>for those read from a service's standard output | |
297 | or error output | |
298 | </para> | |
299 | </listitem> | |
300 | </varlistentry> | |
301 | ||
302 | <varlistentry> | |
303 | <term> | |
304 | <option>kernel</option> | |
305 | </term> | |
306 | <listitem> | |
307 | <para>for those read from the kernel | |
308 | </para> | |
309 | </listitem> | |
310 | </varlistentry> | |
311 | </variablelist> | |
312 | </listitem> | |
313 | </varlistentry> | |
314 | </variablelist> | |
315 | </refsect1> | |
316 | ||
317 | <refsect1> | |
318 | <title>Kernel Journal Fields</title> | |
319 | ||
320 | <para>Kernel fields are fields that are used by messages | |
321 | originating in the kernel and stored in the journal.</para> | |
322 | ||
323 | <variablelist class='journal-directives'> | |
324 | <varlistentry> | |
325 | <term><varname>_KERNEL_DEVICE=</varname></term> | |
326 | <listitem> | |
327 | <para>The kernel device name. If the entry is associated to | |
328 | a block device, the major and minor of the device node, | |
329 | separated by <literal>:</literal> and prefixed by | |
330 | <literal>b</literal>. Similar for character devices but | |
331 | prefixed by <literal>c</literal>. For network devices, this | |
332 | is the interface index prefixed by <literal>n</literal>. For | |
333 | all other devices, this is the subsystem name prefixed by | |
334 | <literal>+</literal>, followed by <literal>:</literal>, | |
335 | followed by the kernel device name.</para> | |
336 | </listitem> | |
337 | </varlistentry> | |
338 | <varlistentry> | |
339 | <term><varname>_KERNEL_SUBSYSTEM=</varname></term> | |
340 | <listitem> | |
341 | <para>The kernel subsystem name.</para> | |
342 | </listitem> | |
343 | </varlistentry> | |
344 | <varlistentry> | |
345 | <term><varname>_UDEV_SYSNAME=</varname></term> | |
346 | <listitem> | |
347 | <para>The kernel device name as it shows up in the device | |
348 | tree below <filename>/sys</filename>.</para> | |
349 | </listitem> | |
350 | </varlistentry> | |
351 | <varlistentry> | |
352 | <term><varname>_UDEV_DEVNODE=</varname></term> | |
353 | <listitem> | |
354 | <para>The device node path of this device in | |
355 | <filename>/dev</filename>.</para> | |
356 | </listitem> | |
357 | </varlistentry> | |
358 | <varlistentry> | |
359 | <term><varname>_UDEV_DEVLINK=</varname></term> | |
360 | <listitem> | |
361 | <para>Additional symlink names pointing to the device node | |
362 | in <filename>/dev</filename>. This field is frequently set | |
363 | more than once per entry.</para> | |
364 | </listitem> | |
365 | </varlistentry> | |
366 | </variablelist> | |
367 | </refsect1> | |
368 | ||
369 | <refsect1> | |
370 | <title>Fields to log on behalf of a different program</title> | |
371 | ||
372 | <para>Fields in this section are used by programs to specify that | |
373 | they are logging on behalf of another program or unit. | |
374 | </para> | |
375 | ||
376 | <para>Fields used by the <command>systemd-coredump</command> | |
377 | coredump kernel helper: | |
378 | </para> | |
379 | ||
380 | <variablelist class='journal-directives'> | |
381 | <varlistentry> | |
382 | <term><varname>COREDUMP_UNIT=</varname></term> | |
383 | <term><varname>COREDUMP_USER_UNIT=</varname></term> | |
384 | <listitem> | |
385 | <para>Used to annotate messages containing coredumps from | |
386 | system and session units. See | |
387 | <citerefentry><refentrytitle>coredumpctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>. | |
388 | </para> | |
389 | </listitem> | |
390 | </varlistentry> | |
391 | </variablelist> | |
392 | ||
ff9b60f3 | 393 | <para>Privileged programs (currently UID 0) may attach |
798d3a52 ZJS |
394 | <varname>OBJECT_PID=</varname> to a message. This will instruct |
395 | <command>systemd-journald</command> to attach additional fields on | |
396 | behalf of the caller:</para> | |
397 | ||
398 | <variablelist class='journal-directives'> | |
399 | <varlistentry> | |
400 | <term><varname>OBJECT_PID=<replaceable>PID</replaceable></varname></term> | |
401 | <listitem> | |
402 | <para>PID of the program that this message pertains to. | |
403 | </para> | |
404 | </listitem> | |
405 | </varlistentry> | |
406 | ||
407 | <varlistentry> | |
408 | <term><varname>OBJECT_UID=</varname></term> | |
409 | <term><varname>OBJECT_GID=</varname></term> | |
410 | <term><varname>OBJECT_COMM=</varname></term> | |
411 | <term><varname>OBJECT_EXE=</varname></term> | |
412 | <term><varname>OBJECT_CMDLINE=</varname></term> | |
413 | <term><varname>OBJECT_AUDIT_SESSION=</varname></term> | |
414 | <term><varname>OBJECT_AUDIT_LOGINUID=</varname></term> | |
415 | <term><varname>OBJECT_SYSTEMD_CGROUP=</varname></term> | |
416 | <term><varname>OBJECT_SYSTEMD_SESSION=</varname></term> | |
417 | <term><varname>OBJECT_SYSTEMD_OWNER_UID=</varname></term> | |
418 | <term><varname>OBJECT_SYSTEMD_UNIT=</varname></term> | |
419 | <term><varname>OBJECT_SYSTEMD_USER_UNIT=</varname></term> | |
420 | <listitem> | |
421 | <para>These are additional fields added automatically by | |
422 | <command>systemd-journald</command>. Their meaning is the | |
423 | same as | |
424 | <varname>_UID=</varname>, | |
425 | <varname>_GID=</varname>, | |
426 | <varname>_COMM=</varname>, | |
427 | <varname>_EXE=</varname>, | |
428 | <varname>_CMDLINE=</varname>, | |
429 | <varname>_AUDIT_SESSION=</varname>, | |
430 | <varname>_AUDIT_LOGINUID=</varname>, | |
431 | <varname>_SYSTEMD_CGROUP=</varname>, | |
432 | <varname>_SYSTEMD_SESSION=</varname>, | |
433 | <varname>_SYSTEMD_UNIT=</varname>, | |
434 | <varname>_SYSTEMD_USER_UNIT=</varname>, and | |
435 | <varname>_SYSTEMD_OWNER_UID=</varname> | |
436 | as described above, except that the process identified by | |
437 | <replaceable>PID</replaceable> is described, instead of the | |
438 | process which logged the message.</para> | |
439 | </listitem> | |
440 | </varlistentry> | |
441 | </variablelist> | |
442 | ||
443 | ||
444 | </refsect1> | |
445 | ||
446 | <refsect1> | |
447 | <title>Address Fields</title> | |
448 | ||
449 | <para>During serialization into external formats, such as the | |
450 | <ulink | |
451 | url="http://www.freedesktop.org/wiki/Software/systemd/export">Journal | |
452 | Export Format</ulink> or the <ulink | |
453 | url="http://www.freedesktop.org/wiki/Software/systemd/json">Journal | |
454 | JSON Format</ulink>, the addresses of journal entries are | |
455 | serialized into fields prefixed with double underscores. Note that | |
456 | these are not proper fields when stored in the journal but for | |
457 | addressing metadata of entries. They cannot be written as part of | |
458 | structured log entries via calls such as | |
459 | <citerefentry><refentrytitle>sd_journal_send</refentrytitle><manvolnum>3</manvolnum></citerefentry>. | |
460 | They may also not be used as matches for | |
461 | <citerefentry><refentrytitle>sd_journal_add_match</refentrytitle><manvolnum>3</manvolnum></citerefentry></para> | |
462 | ||
463 | <variablelist class='journal-directives'> | |
464 | <varlistentry> | |
465 | <term><varname>__CURSOR=</varname></term> | |
466 | <listitem> | |
467 | <para>The cursor for the entry. A cursor is an opaque text | |
468 | string that uniquely describes the position of an entry in | |
469 | the journal and is portable across machines, platforms and | |
470 | journal files. | |
471 | </para> | |
472 | </listitem> | |
473 | </varlistentry> | |
474 | ||
475 | <varlistentry> | |
476 | <term><varname>__REALTIME_TIMESTAMP=</varname></term> | |
477 | <listitem> | |
478 | <para>The wallclock time | |
479 | (<constant>CLOCK_REALTIME</constant>) at the point in time | |
480 | the entry was received by the journal, in microseconds since | |
481 | the epoch UTC, formatted as a decimal string. This has | |
482 | different properties from | |
483 | <literal>_SOURCE_REALTIME_TIMESTAMP=</literal>, as it is | |
484 | usually a bit later but more likely to be monotonic. | |
485 | </para> | |
486 | </listitem> | |
487 | </varlistentry> | |
488 | ||
489 | <varlistentry> | |
490 | <term><varname>__MONOTONIC_TIMESTAMP=</varname></term> | |
491 | <listitem> | |
492 | <para>The monotonic time | |
493 | (<constant>CLOCK_MONOTONIC</constant>) at the point in time | |
494 | the entry was received by the journal in microseconds, | |
495 | formatted as a decimal string. To be useful as an address | |
496 | for the entry, this should be combined with the boot ID in | |
497 | <literal>_BOOT_ID=</literal>. | |
498 | </para> | |
499 | </listitem> | |
500 | </varlistentry> | |
501 | </variablelist> | |
502 | </refsect1> | |
503 | ||
504 | <refsect1> | |
505 | <title>See Also</title> | |
506 | <para> | |
507 | <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>, | |
508 | <citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>, | |
509 | <citerefentry><refentrytitle>journald.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
510 | <citerefentry><refentrytitle>sd-journal</refentrytitle><manvolnum>3</manvolnum></citerefentry>, | |
511 | <citerefentry><refentrytitle>coredumpctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>, | |
512 | <citerefentry><refentrytitle>systemd.directives</refentrytitle><manvolnum>7</manvolnum></citerefentry> | |
513 | </para> | |
514 | </refsect1> | |
ffa16db0 LP |
515 | |
516 | </refentry> |