Discussion:
Spec for journalctl log entry data structure
Thomas Güttler
2017-11-29 12:18:42 UTC
_______________________________________________
systemd-devel mailing list
systemd-***@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
Tomasz Torcz
2017-11-29 13:53:56 UTC
November 29, 2017 1:27 PM, "Thomas Güttler" <***@thomas-guettler.de> wrote:
> is there a spec or docs about the data structure of a log entry in journalctl?
>
> Which fields does a log record have?

There's a handy man page:
https://www.freedesktop.org/software/systemd/man/systemd.journal-fields.html

If you are looking for the low-level journal file format, go to
https://www.freedesktop.org/wiki/Software/systemd/journal-files
Mantas Mikulėnas
2017-11-29 14:03:13 UTC
On Wed, Nov 29, 2017 at 2:18 PM, Thomas Güttler <
***@thomas-guettler.de> wrote:

> Hi,
>
>
> is there a spec or docs about the data structure of a log entry in
> journalctl?
>

The binary on-disk format is documented here:

https://www.freedesktop.org/wiki/Software/systemd/journal-files/

journalctl can also export to text format:

https://www.freedesktop.org/wiki/Software/systemd/export/
https://www.freedesktop.org/wiki/Software/systemd/json/


>
> Which fields does a log record have?
>
There's no fixed schema, although a base list can be found in
`man systemd.journal-fields`
<https://www.freedesktop.org/software/systemd/man/systemd.journal-fields.html>
[1], and you can generally expect journald to always add the same
"_trusted" fields.

Out of the "application" fields, you can only assume that MESSAGE= will be
present, but everything else is up to the application. IMHO, it is useful
to supply fields which are useful

a) for filtering, e.g. systemd uses MESSAGE_ID, NetworkManager sets
NM_DEVICE, recent GLib sets GLIB_DOMAIN;

or b) for substitution in "catalog" explanations/translations (see e.g.
`journalctl -x -u systemd-journald`).

Take a look at `journalctl --fields | sort` or `journalctl -o verbose`, and
you'll see what is being used on your system.

--
Mantas Mikulėnas <***@gmail.com>
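
Added example, not part of the original thread: a sketch of consuming the `journalctl -o json` export mentioned above, separating the `_`-prefixed trusted fields that journald adds from the fields the logging process supplies, and handling values that arrive as byte arrays, arrays of repeated values, or null. The function names and the sample lines are constructed for this illustration.

```python
import json

def decode_value(v):
    """Normalise one journal JSON value to str, list of str, or None."""
    if v is None:                    # value was too large for the JSON export
        return None
    if isinstance(v, str):
        return v
    if isinstance(v, list):
        if v and all(isinstance(b, int) for b in v):
            # Non-UTF-8 or non-printable data is exported as an array of bytes.
            return bytes(v).decode("utf-8", errors="replace")
        # The same field name assigned several times in one entry.
        return [decode_value(item) for item in v]
    return str(v)

def split_entry(line):
    """Split one exported line into address, trusted and application fields."""
    out = {"address": {}, "trusted": {}, "application": {}}
    for name, value in json.loads(line).items():
        if name.startswith("__"):
            kind = "address"         # __CURSOR, __REALTIME_TIMESTAMP, ...
        elif name.startswith("_"):
            kind = "trusted"         # added by journald, not settable by the client
        else:
            kind = "application"     # MESSAGE and anything else the sender chose
        out[kind][name] = decode_value(value)
    return out

# Constructed sample lines in the shape of `journalctl -o json` output.
SAMPLE = [
    '{"__CURSOR":"s=constructed","__REALTIME_TIMESTAMP":"1511964000000000",'
    '"_PID":"812","_UID":"0","_COMM":"NetworkManager",'
    '"MESSAGE":"device (eth0): link connected","NM_DEVICE":"eth0"}',
    # SYSLOG_IDENTIFIER is chosen by the sender; _COMM and _UID are not.
    '{"_PID":"4242","_UID":"1000","_COMM":"python3",'
    '"SYSLOG_IDENTIFIER":"sshd","MESSAGE":[104,105,27,91,48,109]}',
]

if __name__ == "__main__":
    for line in SAMPLE:
        e = split_entry(line)
        print("trusted:", e["trusted"])
        print("application:", {k: repr(v) for k, v in e["application"].items()})
```

When filtering or alerting on who wrote an entry, match on the trusted fields (`_COMM`, `_UID`, `_SYSTEMD_UNIT`) rather than on application fields such as `SYSLOG_IDENTIFIER`.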