Well Known Journal Fields
Implicit journal fields for all entries
Monotonic Timestamp
Only useful in conjunction with a BOOT_ID, in usec
Realtime Timestamp
I.e. wallclock timestamp in usec since the epoch 1970
Sequence Number
We’ll probably not expose this in the API in the end, but we’ll list it here, for the sake of completeness
Journal fields we currently store for all entries
_BOOT_ID=
The boot id of the generating host, as readable from /proc/sys/kernel/random/boot_id
_MACHINE_ID=
The machine id of the generating host, as readable from /etc/machine-id
_HOSTNAME=
The hostname of the generating host, i.e. gethostname()
MESSAGE=
The human readable message string for the entry. This is supposed to be the primary text shown to the user. It is not translated, and is not supposed to be parsed for meta data. If meta data is to be sent along with an entry, it should be sent in a journal field of its own (see below).
PRIORITY=
The priority value, with the values between 0 and 7, as defined by syslog
Journal fields we currently store for all entries originating from userspace
_PID=
The PID of the sender process
_UID=
The UID of the sender process
_GID=
The primary GID of the sender process
_COMM=
The process name, as visible in top(1), /proc/$PID/comm
_EXE=
The path of the process binary, /proc/$PID/exe
_CMDLINE=
The full command line of the process, as visible in ps(1), /proc/$PID/cmdline
_AUDIT_SESSION=
The audit session id, /proc/$PID/sessionid
_AUDIT_LOGINUID=
The audit login uid, /proc/$PID/loginuid
_SYSTEMD_CGROUP=
The path of the cgroup of the process in the name=systemd named cgroup hierarchy
_SERVICE=
The systemd service name of the process
_CGROUPS=
All cgroup memberships for all hierarchies
Journal fields we currently store for entries generated via syslog(3)
SYSLOG_FACILITY=
The syslog facility value (pretty useless, just stored because we can’t really drop it)
SOURCE_REALTIME_TIMESTAMP=
The original timestamp of the message (we generally find reception time more interesting)
Journal fields we store for entries originating from kernelspace
_DEVICE=
dev_t, netif ifindex or device name (b8:3, c226:0, n2, +sound:card0)
_SUBSYSTEM=
kernel subsystem (bus, class)
_DRIVER=
first kernel driver name found in the chain of parent devices
_NODE=
The device node of the device, if any
_UDEV_SYMLINKS=
Symlinks to the device node of the device, if any
Journal fields applications/services are expected to pass
MESSAGE_ID=
A fixed 128-bit ID (aka UUID) identifying a specific message. Random bits generated by the developer while hacking. Useful to look up translations/meta data online. For well-defined entries that shall be recognizable in userspace.
Further notes
Fields generated by the journal itself are prefixed with “_”, so that clients can identify fields that can be trusted and distinguish them from fields generated by applications or services, which cannot necessarily be trusted. The journal automatically strips all fields beginning with “_” from the entries that clients submit, to ensure no client can fake messages.
Every driver/subsystem/service/application can add additional fields, as necessary. It is wise to assign message IDs to messages which carry driver/subsystem/service/application-specific meta data to be sure userspace can identify and parse that data correctly.
The order of the fields in journal entries is undefined and is neither stable nor mandated by the specification.
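The trust rule above, modelled as an added example (not systemd code): an ingestion step strips client-supplied “_” fields and attaches its own, and a log consumer accepts a "user login" record only when the trusted _SERVICE field names logind. The function names, the credential dictionary and user-shell.service are assumptions made for illustration; the MESSAGE_ID and the logind service name are the ones this page uses in Example 1.

```python
# Added example: models the "_" trust rule from this page; not systemd code.
from collections import defaultdict

LOGIN_ID = "c686f3b205dd48e0b43ceb6eda479721"  # "user login" ID from this page
LOGIND = "systemd-logind.service"              # sender shown in Example 1

def ingest(client_fields, creds):
    """Hypothetical ingestion step: drop client-supplied "_" fields, then
    attach trusted fields derived from the sender's credentials."""
    entry = [(k, v) for k, v in client_fields if not k.startswith("_")]
    entry += [("_" + k, v) for k, v in creds.items()]
    return entry

def index(entry):
    """Field order is undefined and names may repeat: index as name -> list."""
    fields = defaultdict(list)
    for k, v in entry:
        fields[k].append(v)
    return fields

def is_genuine_login(entry):
    """Accept a login record only if the trusted sender field says logind.
    MESSAGE and MESSAGE_ID are application-supplied and prove nothing alone."""
    f = index(entry)
    return LOGIN_ID in f["MESSAGE_ID"] and f["_SERVICE"] == [LOGIND]

# Constructed sample: a UID 1000 process imitating the login record and
# supplying its own "_SERVICE" and "_UID" fields.
forged = ingest(
    [("MESSAGE_ID", LOGIN_ID), ("MESSAGE", "User harald logged in"),
     ("LOGIN_USER", "500"), ("_SERVICE", LOGIND), ("_UID", "0")],
    {"PID": "9001", "UID": "1000", "SERVICE": "user-shell.service"},
)
# Constructed sample: the same record sent by logind itself.
genuine = ingest(
    [("MESSAGE_ID", LOGIN_ID), ("MESSAGE", "User harald logged in"),
     ("LOGIN_USER", "500"), ("SEAT", "seat0")],
    {"PID": "4711", "UID": "0", "SERVICE": LOGIND},
)

if __name__ == "__main__":
    for name, e in (("forged", forged), ("genuine", genuine)):
        print(name, is_genuine_login(e), index(e)["_UID"])
```

Detection rules and audit queries should match on “_” fields for who sent an entry and treat MESSAGE, MESSAGE_ID and other unprefixed fields as claims made by the sender.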
Example 1: Userspace generated entry
MESSAGE_ID=c686f3b205dd48e0b43ceb6eda479721
MESSAGE=User harald logged in
LOGIN_USER=500
SEAT=seat0
_SERVICE=systemd-logind.service
_EXE=/lib/systemd/systemd-logind
_COMM=systemd-logind
_CMDLINE=/lib/systemd/systemd-logind
_PID=4711
_UID=0
_GID=0
_SYSTEMD_CGROUP=/system/systemd-logind.service
_CGROUPS=cpu:/system/systemd-logind.service
PRIORITY=6
_BOOT_ID=422bc3d271414bc8bc95870f222f24a9
_MACHINE_ID=a91663387a90b89f185d4e860067801a
_HOSTNAME=waldi
LOGIN_USER=500
Example 2: Kernel generated entry
MESSAGE_ID=c2c90533e0614ac2964085462f5fe730
MESSAGE=Sector 4365345 bad: IO error during read operation
_DRIVER=ahci
_DEVICE=b8:0
_SUBSYSTEM=block
_NODE=/dev/sda
_UDEV_SYMLINKS=/dev/by-uuid/47111-2i4325-435345 /dev/by-path/pci-32i74625
SECTOR=4365345
SMART_BLOB
[64bit LE int buffer length][buffer]
_BOOT_ID=422bc3d271414bc8bc95870f222f24a9
_MACHINE_ID=a91663387a90b89f185d4e860067801a
_HOSTNAME=waldi
PRIORITY=2
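A bounds-checked reader for the field framing shown in Example 2, as an added example that is not part of the original page or of systemd. It assumes text fields are NAME=VALUE terminated by a newline and that a binary field's buffer is also followed by a newline; the size cap and the function name are assumptions too.

```python
# Added example: reader for the field framing in Example 2; not systemd code.
import struct

MAX_FIELD = 64 * 1024 * 1024  # assumed sanity cap; not a value from the page

def parse_fields(buf: bytes):
    """Return [(name, value_bytes)] for one entry. Text: NAME=VALUE\\n.
    Binary: NAME\\n + 64-bit little-endian length + buffer + \\n (assumed)."""
    out, pos = [], 0
    while pos < len(buf):
        nl = buf.find(b"\n", pos)
        if nl < 0:
            raise ValueError("unterminated field")
        line = buf[pos:nl]
        if not line or line.startswith(b"="):
            raise ValueError("empty field name")
        if b"=" in line:                       # text field
            name, _, value = line.partition(b"=")
            pos = nl + 1
        else:                                  # binary field, length-prefixed
            name = line
            if nl + 9 > len(buf):
                raise ValueError("truncated length")
            (size,) = struct.unpack_from("<Q", buf, nl + 1)
            start = nl + 9
            # Check the declared length against what is really there
            # before slicing, so a bad length cannot be trusted.
            if size > MAX_FIELD or size > len(buf) - start:
                raise ValueError("length exceeds buffer")
            value = buf[start:start + size]
            pos = start + size
            if buf[pos:pos + 1] != b"\n":
                raise ValueError("missing terminator")
            pos += 1
        out.append((name.decode("ascii"), value))
    return out

# Constructed sample: the blob itself contains "\n" and "_UID=0", which a
# naive line-by-line reader would surface as a separate trusted-looking field.
blob = b"\x00\n_UID=0\n\xff"
sample = (b"SECTOR=4365345\nSMART_BLOB\n"
          + struct.pack("<Q", len(blob)) + blob + b"\nPRIORITY=2\n")

if __name__ == "__main__":
    for name, value in parse_fields(sample):
        print(name, value)
```

The length prefix is what keeps binary payloads from being reinterpreted as fields, so any tool that reads serialized entries should follow it instead of splitting on newlines.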
Well-Known Systemd Journal Message IDs
service started
MESSAGE=Service systemd-logind.service started
MESSAGE_ID=3c64321294e642a596f20cae163adc76
_SERVICE=systemd-logind.service
...
service stopped
MESSAGE=Service systemd-logind.service stopped
MESSAGE_ID=3f52380c4c4b4b4d8b2a84834ade8cb6
_SERVICE=systemd-logind.service
...
service failed
MESSAGE=Service systemd-logind.service failed
MESSAGE_ID=97a707e467974fb0a119fc452de1fa0c
_SERVICE=systemd-logind.service
...
service auto restart
MESSAGE=Service systemd-logind.service respawned
MESSAGE_ID=3cfe73edaf1f4135b0b12053c11bcbda
_SERVICE=systemd-logind.service
...
process core dump
MESSAGE=Process 4711 dumped core
MESSAGE_ID=2c5098b26cf7499d8464cb7d3ffda5e9
_SERVICE=systemd-coredump.service
_EXE=/lib/systemd/systemd-coredump
_COMM=systemd-coredump
_CMDLINE=/lib/systemd/systemd-coredump
_PID=815
_UID=0
_GID=0
_SYSTEMD_CGROUP=/system/systemd-coredump.service
_CGROUPS=cpu:/system/systemd-coredump.service
PRIORITY=3
_BOOT_ID=422bc3d271414bc8bc95870f222f24a9
_MACHINE_ID=60ee2ee217fe4358b2502aa0a9bd2a93
_HOSTNAME=waldi
COREDUMP_PID=75345
COREDUMP_UID=1000
COREDUMP_GID=1000
COREDUMP_EXE=/usr/bin/firefox
COREDUMP_COMM=firefox
COREDUMP_CMDLINE=/usr/bin/firefox http://0pointer.de/
COREDUMP_BLOB=[binary data]
user login
MESSAGE_ID=c686f3b205dd48e0b43ceb6eda479721
LOGIN_USER=500
SEAT=seat0
...
user logout
MESSAGE_ID=068108fa9c12416fa76a163b9c987d72
USER_UID=2702
SEAT=seat0
...
system time set
MESSAGE_ID=57709947780140408acb42ba2ecd5329
...
hostname set
MESSAGE_ID=34ae2f8e07014427bad06fb50d947155
_HOSTNAME=waldi
...