<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Wed, Nov 29, 2017 at 2:18 PM, Thomas Güttler <span dir="ltr"><<a href="mailto:guettliml@thomas-guettler.de" target="_blank">guettliml@thomas-guettler.de</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF">
<p>Hi,</p>
<p><br>
</p>
<p>is there a spec or docs about the datastructure of a log entry in
journalctl?</p></div></blockquote><div><br></div><div>The binary on-disk format is documented here:</div><div><br></div><div><a href="https://www.freedesktop.org/wiki/Software/systemd/journal-files/">https://www.freedesktop.org/wiki/Software/systemd/journal-files/</a><br></div><div><br></div><div>journalctl can also export to text format:</div><div><br></div><div><a href="https://www.freedesktop.org/wiki/Software/systemd/export/">https://www.freedesktop.org/wiki/Software/systemd/export/</a><br></div><div><a href="https://www.freedesktop.org/wiki/Software/systemd/json/">https://www.freedesktop.org/wiki/Software/systemd/json/</a><br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div bgcolor="#FFFFFF">
<p><br>
</p>
<p>Which fields does a log record have?</p></div></blockquote><div>There's no fixed schema, although a base list can be found in `<a href="https://www.freedesktop.org/software/systemd/man/systemd.journal-fields.html">man systemd.journal-fields</a>` [1], and you can generally expect journald to always add the same "_trusted" fields.<br></div><div><br></div><div>Out of the "application" fields, you can only assume that MESSAGE= will be present, but everything else is up to the application. IMHO, it is useful to supply fields which are useful</div><div><br></div><div>a) for filtering, e.g. systemd uses MESSAGE_ID, NetworkManager sets NM_DEVICE, recent GLib sets GLIB_DOMAIN;</div><div><br></div><div>or b) for substitution in "catalog" explanations/translations (see e.g. `journalctl -x -u systemd-journald`).</div><div><br></div><div>Take a look at `journalctl --fields | sort` or `journalctl -o verbose`, and you'll see what is being used on your system.</div></div><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr">Mantas Mikulėnas <<a href="mailto:grawity@gmail.com" target="_blank">grawity@gmail.com</a>></div></div>
</div></div>