systemd.journal-fields — Special journal fields
Entries in the journal resemble an environment block in their syntax but with fields that can include binary data. Primarily, fields are formatted UTF-8 text strings, and binary formatting is used only where formatting as UTF-8 text strings makes little sense. New fields may freely be defined by applications, but a few fields have special meaning. All fields with special meanings are optional. In some cases, fields may appear more than once per entry.
User fields are fields that are directly passed from clients and stored in the journal.
The human-readable message string for this entry. This is supposed to be the primary text shown to the user. It is usually not translated (but might be in some cases), and is not supposed to be parsed for metadata.
A 128-bit message identifier ID for recognizing
certain message types, if this is desirable. This should
contain a 128-bit ID formatted as a lower-case hexadecimal
string, without any separating dashes or suchlike. This is
recommended to be a UUID-compatible ID, but this is not
enforced, and formatted differently. Developers can generate
a new ID for this purpose with journalctl
A priority value between 0 ("
and 7 ("
debug") formatted as a decimal
string. This field is compatible with syslog's priority
The code location generating this message, if known. Contains the source filename, the line number and the function name.
The low-level Unix error number causing this entry, if any. Contains the numeric value of errno(3) formatted as a decimal string.
Syslog compatibility fields containing the facility
(formatted as decimal string), the identifier string (i.e.
"tag"), and the client PID. (Note that the tag is usually
derived from glibc's
Fields prefixed with an underscore are trusted fields, i.e. fields that are implicitly added by the journal and cannot be altered by client code.
The process, user, and group ID of the process the journal entry originates from formatted as a decimal string.
The name, the executable path, and the command line of the process the journal entry originates from.
The effective capabilities(7) of the process the journal entry originates from.
The session and login UID of the process the journal entry originates from, as maintained by the kernel audit subsystem.
The control group path in the systemd hierarchy, the systemd session ID (if any), the systemd unit name (if any), the systemd user session unit name (if any), the owner UID of the systemd session (if any) and the systemd slice unit of the process the journal entry originates from.
The SELinux security context (label) of the process the journal entry originates from.
The earliest trusted timestamp of the message, if any is known that is different from the reception time of the journal. This is the time in microseconds since the epoch UTC, formatted as a decimal string.
The kernel boot ID for the boot the message was generated in, formatted as a 128-bit hexadecimal string.
The machine ID of the originating host, as available in machine-id(5).
The name of the originating host.
How the entry was received by the journal service. Valid transports are:
for those read from the kernel audit subsystem
for internally generated messages
for those received via the local syslog socket with the syslog protocol
for those received via the native journal protocol
for those read from a service's standard output or error output
for those read from the kernel
Kernel fields are fields that are used by messages originating in the kernel and stored in the journal.
The kernel device name. If the entry is associated to
a block device, the major and minor of the device node,
separated by "
:" and prefixed by
b". Similar for character devices but
prefixed by "
c". For network devices, this
is the interface index prefixed by "
all other devices, this is the subsystem name prefixed by
+", followed by "
followed by the kernel device name.
The kernel subsystem name.
The kernel device name as it shows up in the device
The device node path of this device in
Additional symlink names pointing to the device node
/dev. This field is frequently set
more than once per entry.
Fields in this section are used by programs to specify that they are logging on behalf of another program or unit.
Fields used by the systemd-coredump coredump kernel helper:
Privileged programs (currently UID 0) may attach
OBJECT_PID= to a message. This will instruct
systemd-journald to attach additional fields on
behalf of the caller:
PID of the program that this message pertains to.
These are additional fields added automatically by
systemd-journald. Their meaning is the
as described above, except that the process identified by
PID is described, instead of the
process which logged the message.
During serialization into external formats, such as the Journal Export Format or the Journal JSON Format, the addresses of journal entries are serialized into fields prefixed with double underscores. Note that these are not proper fields when stored in the journal but for addressing metadata of entries. They cannot be written as part of structured log entries via calls such as sd_journal_send(3). They may also not be used as matches for sd_journal_add_match(3)
The cursor for the entry. A cursor is an opaque text string that uniquely describes the position of an entry in the journal and is portable across machines, platforms and journal files.
The wallclock time
CLOCK_REALTIME) at the point in time
the entry was received by the journal, in microseconds since
the epoch UTC, formatted as a decimal string. This has
different properties from
_SOURCE_REALTIME_TIMESTAMP=", as it is
usually a bit later but more likely to be monotonic.
The monotonic time
CLOCK_MONOTONIC) at the point in time
the entry was received by the journal in microseconds,
formatted as a decimal string. To be useful as an address
for the entry, this should be combined with the boot ID in