NAME
systemd.journal-fields - Special journal fields
DESCRIPTION
Entries in the journal (as written by systemd-journald.service(8)) resemble a UNIX process environment block in syntax but with field values that may include binary data, and with non-unique field names permitted. Primarily, field values are formatted UTF-8 text strings — binary encoding is used only where formatting as UTF-8 text strings makes little sense. New fields may freely be defined by applications, but a few fields have special meanings, which are listed below. Typically, fields may only appear once per log entry, however there are special exceptions: some fields may appear more than once per entry, in which case this is explicitly mentioned below. Even though the logging subsystem makes no restrictions on which fields to accept non-unique values for, it is strongly recommended to avoid relying on this for the fields listed below (except where listed otherwise, as mentioned) in order to avoid unnecessary incompatibilities with other applications.
USER JOURNAL FIELDS
User fields are fields that are directly passed from clients and stored in the journal.
MESSAGE=
MESSAGE_ID=
PRIORITY=
CODE_FILE=, CODE_LINE=, CODE_FUNC=
ERRNO=
Added in version 188.
INVOCATION_ID=, USER_INVOCATION_ID=
Added in version 245.
SYSLOG_FACILITY=, SYSLOG_IDENTIFIER=, SYSLOG_PID=, SYSLOG_TIMESTAMP=
Note that the journal service does not validate the values of any structured journal fields whose name is not prefixed with an underscore, and this includes any syslog related fields such as these. Hence, applications that supply a facility, PID, or log level are expected to do so properly formatted, i.e. as integers formatted as decimals.
SYSLOG_RAW=
Added in version 240.
DOCUMENTATION=
Added in version 246.
TID=
Added in version 247.
UNIT=, USER_UNIT=
When --unit=name or --user-unit=name are used with journalctl(1), a match pattern that includes "UNIT=name.service" or "USER_UNIT=name.service" will be generated.
Added in version 251.
TRUSTED JOURNAL FIELDS
Fields prefixed with an underscore are trusted fields, i.e. fields that are implicitly added by the journal and cannot be altered by client code.
_PID=, _UID=, _GID=
_COMM=, _EXE=, _CMDLINE=
_CAP_EFFECTIVE=
Added in version 206.
_AUDIT_SESSION=, _AUDIT_LOGINUID=
_SYSTEMD_CGROUP=, _SYSTEMD_SLICE=, _SYSTEMD_UNIT=, _SYSTEMD_USER_UNIT=, _SYSTEMD_USER_SLICE=, _SYSTEMD_SESSION=, _SYSTEMD_OWNER_UID=
_SELINUX_CONTEXT=
_SOURCE_REALTIME_TIMESTAMP=
_SOURCE_BOOTTIME_TIMESTAMP=
Added in version 257.
_BOOT_ID=
_MACHINE_ID=
_SYSTEMD_INVOCATION_ID=
Added in version 233.
_HOSTNAME=
_TRANSPORT=
audit
Added in version 227.
driver
Added in version 205.
syslog
Added in version 205.
journal
Added in version 205.
stdout
Added in version 205.
kernel
Added in version 205.
_STREAM_ID=
Added in version 235.
_LINE_BREAK=
Added in version 235.
_NAMESPACE=
Added in version 245.
_RUNTIME_SCOPE=
Added in version 252.
KERNEL JOURNAL FIELDS
Kernel fields are fields that are used by messages originating in the kernel and stored in the journal.
_KERNEL_DEVICE=
Added in version 189.
_KERNEL_SUBSYSTEM=
Added in version 189.
_UDEV_SYSNAME=
Added in version 189.
_UDEV_DEVNODE=
Added in version 189.
_UDEV_DEVLINK=
Added in version 189.
FIELDS TO LOG ON BEHALF OF A DIFFERENT PROGRAM
Fields in this section are used by programs to specify that they are logging on behalf of another program or unit.
Fields used by the systemd-coredump coredump kernel helper:
COREDUMP_UNIT=, COREDUMP_USER_UNIT=
Added in version 198.
Privileged programs (currently UID 0) may attach OBJECT_PID= to a message. This will instruct systemd-journald to attach additional fields on behalf of the caller:
OBJECT_PID=PID
Added in version 205.
OBJECT_UID=, OBJECT_GID=, OBJECT_COMM=, OBJECT_EXE=, OBJECT_CMDLINE=, OBJECT_AUDIT_SESSION=, OBJECT_AUDIT_LOGINUID=, OBJECT_SYSTEMD_CGROUP=, OBJECT_SYSTEMD_SESSION=, OBJECT_SYSTEMD_OWNER_UID=, OBJECT_SYSTEMD_UNIT=, OBJECT_SYSTEMD_USER_UNIT=
Added in version 205.
OBJECT_SYSTEMD_INVOCATION_ID=
Added in version 235.
ADDRESS FIELDS
During serialization into external formats, such as the Journal Export Format[1] or the Journal JSON Format[2], the addresses of journal entries are serialized into fields prefixed with double underscores. Note that these are not proper fields when stored in the journal but for addressing metadata of entries. They cannot be written as part of structured log entries via calls such as sd_journal_send(3). They may also not be used as matches for sd_journal_add_match(3).
__CURSOR=
__REALTIME_TIMESTAMP=
__MONOTONIC_TIMESTAMP=
__SEQNUM=, __SEQNUM_ID=
Added in version 254.
SEE ALSO
systemd(1), systemd-journald.service(8), journalctl(1), journald.conf(5), sd-journal(3), coredumpctl(1), systemd.directives(7)
NOTES
- 1.
Journal Export Format
- 2.
Journal JSON Format