Contents: 1. Log query 1: the usual time range + grep filter. 2. Log query 2: field filter. 2.1 The -F and -N options. 2.2 man systemd.journal-fields. 2.3 Fields and values available on this machine.
1. Log query 1: the usual time range + grep filter.
$ sudo journalctl -S 12:18:00 -U 12:36:00 -o short-iso -o with-unit
$ sudo journalctl -S "2020-07-27 23:18:00" -U 2:36:00 -o short-iso -o with-unit
(-S/-U accept either a full "YYYY-MM-DD HH:MM:SS" or a bare clock time, which journalctl resolves to today's date; -o selects a single output mode, so when it is given twice only the last one takes effect.)
+ | grep -i ignore case; -E "a|b|c" alternation (or); -w match whole words only; -v exclude matching lines;
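The same time-window-plus-keyword query applied to `journalctl -o json` output, as an added example (not code from the original post). It resolves -S/-U style time specs the way the page's commands rely on, including the bare "2:36:00" form that means "today", and emulates the grep options listed above on the MESSAGE field. The sample entries are constructed, and all times are treated as UTC for reproducibility (journalctl itself uses the local timezone).

```python
import json
import re
from datetime import date, datetime, timezone

# Constructed sample in `journalctl -o json` shape (one object per line); not real logs.
# __REALTIME_TIMESTAMP is microseconds since the epoch, the journal's own address field.
SAMPLE_JSON = """\
{"__REALTIME_TIMESTAMP":"1595891880000000","_HOSTNAME":"tompc","_SYSTEMD_UNIT":"sshd.service","_PID":"812","MESSAGE":"Accepted publickey for toma from 10.0.0.5 port 51022"}
{"__REALTIME_TIMESTAMP":"1595892000000000","_HOSTNAME":"tompc","_SYSTEMD_UNIT":"sshd.service","_PID":"812","MESSAGE":"Failed password for invalid user admin from 10.0.0.9"}
{"__REALTIME_TIMESTAMP":"1595895000000000","_HOSTNAME":"tompc","_SYSTEMD_UNIT":"cron.service","_PID":"301","MESSAGE":"pam_unix(cron:session): session opened for user root"}
{"__REALTIME_TIMESTAMP":"1595904000000000","_HOSTNAME":"tompc","_SYSTEMD_UNIT":"sshd.service","_PID":"812","MESSAGE":"Failed password for root from 10.0.0.9 port 40112"}
"""


def parse_time_spec(spec: str, today: str) -> int:
    """Resolve a -S/-U style spec to epoch microseconds.
    Same rules as systemd.time(7) for the forms the page uses: a full
    "YYYY-MM-DD HH:MM:SS" (or "YYYY-MM-DD", meaning 00:00:00) and a bare
    clock time "HH:MM[:SS]", which refers to *today*.  `today` is passed in
    as "YYYY-MM-DD" so results are reproducible; times are treated as UTC."""
    spec = spec.strip()
    for fmt in ("%Y-%m-%d %H:%M:%S", "%Y-%m-%d %H:%M", "%Y-%m-%d"):
        try:
            dt = datetime.strptime(spec, fmt)
            break
        except ValueError:
            pass
    else:
        for fmt in ("%H:%M:%S", "%H:%M"):
            try:
                dt = datetime.combine(date.fromisoformat(today),
                                      datetime.strptime(spec, fmt).time())
                break
            except ValueError:
                pass
        else:
            raise ValueError(f"unsupported time spec: {spec!r}")
    return int(dt.replace(tzinfo=timezone.utc).timestamp()) * 1_000_000


def format_entry(e: dict) -> str:
    """Approximates `-o short-iso` output with the unit name in place of the syslog tag."""
    ts = datetime.fromtimestamp(int(e["__REALTIME_TIMESTAMP"]) / 1e6, timezone.utc)
    return (f"{ts.strftime('%Y-%m-%dT%H:%M:%S%z')} {e.get('_HOSTNAME', '-')} "
            f"{e.get('_SYSTEMD_UNIT', '-')}[{e.get('_PID', '?')}]: {e.get('MESSAGE', '')}")


def query(entries_json: str, since: str, until: str, pattern: str, today: str,
          ignore_case: bool = False, whole_word: bool = False, invert: bool = False) -> list:
    """Time window (-S/-U) plus a grep-style MESSAGE filter (-i, -E alternation, -w, -v)."""
    lo, hi = parse_time_spec(since, today), parse_time_spec(until, today)
    rx = re.compile(rf"\b(?:{pattern})\b" if whole_word else pattern,
                    re.IGNORECASE if ignore_case else 0)
    out = []
    for line in entries_json.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        if not lo <= int(e["__REALTIME_TIMESTAMP"]) <= hi:
            continue
        matched = rx.search(e.get("MESSAGE", "")) is not None
        if matched != invert:          # -v keeps the lines that do NOT match
            out.append(format_entry(e))
    return out


if __name__ == "__main__":
    # The page's second window: the bare "2:36:00" resolves to 02:36 *today*, so the
    # window only spans midnight when "today" is the day after the -S date.
    for row in query(SAMPLE_JSON, "2020-07-27 23:18:00", "2:36:00",
                     "failed|accepted", today="2020-07-28", ignore_case=True):
        print(row)
```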
2. Log query 2: field filter.
2.1 The -F and -N options
Which fields and values are available can be queried with the -F and -N options. The --help text and the man page describe them as follows.
- --help
- -N, --fields List all field names currently used
- -F, --field= List all values that a specified field takes
- man page
- -N, --fields Print all field names currently used in all entries of the journal.
- -F, --field= Print all possible data values the specified field can take in all entries of the journal.
2.2 man systemd.journal-fields
https://jlk.fjfi.cvut.cz/arch/manpages/man/systemd.journal-fields.7.en
NAME: systemd.journal-fields - Special journal fields
DESCRIPTION:
Entries in the journal (as written by systemd-journald.service(8)) resemble a UNIX process environment block in syntax but with fields that may include binary data. Primarily, fields are formatted UTF-8 text strings, and binary encoding is used only where formatting as UTF-8 text strings makes little sense. New fields may freely be defined by applications, but a few fields have special meanings. All fields with special meanings are optional. In some cases, fields may appear more than once per entry.
SEE ALSO: systemd(1), systemd-journald.service(8), journalctl(1), journald.conf(5), sd-journal(3), coredumpctl(1), systemd.directives(7)
NOTES:
1. Journal Export Format https://www.freedesktop.org/wiki/Software/systemd/export
2. Journal JSON Format https://www.freedesktop.org/wiki/Software/systemd/json
List of special journal fields. The description is taken from the man page; "Count" is the number of distinct values the field takes on this machine (journalctl -F FIELD | wc -l); "Keyword" is the short label used in the tables of section 2.3.

| Field | No. | Description | Count | Keyword |
|---|---|---|---|---|
| USER JOURNAL FIELDS | | User fields are fields that are directly passed from clients and stored in the journal. | | |
| MESSAGE | 1 | The human-readable message string for this entry. This is supposed to be the primary text shown to the user. It is usually not translated (but might be in some cases), and is not supposed to be parsed for metadata. | 0 | message |
| MESSAGE_ID | 2 | A 128-bit message identifier ID for recognizing certain message types, if this is desirable. This should contain a 128-bit ID formatted as a lower-case hexadecimal string, without any separating dashes or suchlike. This is recommended to be a UUID-compatible ID, but this is not enforced, and formatted differently. Developers can generate a new ID for this purpose with systemd-id128 new. | 0 | message ID |
| PRIORITY | 3 | A priority value between 0 ("emerg") and 7 ("debug") formatted as a decimal string. This field is compatible with syslog's priority concept. | 7 | priority |
| CODE_FILE | 4 | The code location generating this message, if known. Contains the source filename, the line number and the function name. | 47 | source file name |
| CODE_LINE | | | 127 | code line number |
| CODE_FUNC | | | 42 | function name |
| ERRNO | 5 | The low-level Unix error number causing this entry, if any. Contains the numeric value of errno(3) formatted as a decimal string. | 1 | error number |
| INVOCATION_ID | 6 | A randomized, unique 128-bit ID identifying each runtime cycle of the unit. This is different from _SYSTEMD_INVOCATION_ID in that it is only used for messages coming from systemd code (e.g. logs from the system/user manager or from forked processes performing systemd-related setup). | 2707 | invocation ID |
| USER_INVOCATION_ID | | | 1425 | user invocation ID |
| SYSLOG_FACILITY | 7 | Syslog compatibility fields containing the facility (formatted as decimal string), the identifier string (i.e. "tag"), the client PID, and the timestamp as specified in the original datagram. (Note that the tag is usually derived from glibc's program_invocation_short_name variable, see program_invocation_short_name(3).) Note that the journal service does not validate the values of any structured journal fields whose name is not prefixed with an underscore, and this includes any syslog related fields such as these. Hence, applications that supply a facility, PID, or log level are expected to do so properly formatted, i.e. as numeric integers formatted as decimal strings. | 6 | syslog facility |
| SYSLOG_IDENTIFIER | | | 48 | syslog identifier |
| SYSLOG_PID | | | 140 | syslog PID |
| SYSLOG_TIMESTAMP | | | 74168 | syslog timestamp |
| SYSLOG_RAW | 8 | The original contents of the syslog line as received in the syslog datagram. This field is only included if the MESSAGE= field was modified compared to the original payload or the timestamp could not be located properly and is not included in SYSLOG_TIMESTAMP=. Message truncation occurs when the message contains leading or trailing whitespace (trailing and leading whitespace is stripped), or it contains an embedded NUL byte (the NUL byte and anything after it is not included). Thus, the original syslog line is either stored as SYSLOG_RAW= or it can be recreated based on the stored priority and facility, timestamp, identifier, and the message payload in MESSAGE=. | 1686 | raw syslog line |
| TRUSTED JOURNAL FIELDS | | Fields prefixed with an underscore are trusted fields, i.e. fields that are implicitly added by the journal and cannot be altered by client code. | | |
| _PID | 9 | The process, user, and group ID of the process the journal entry originates from formatted as a decimal string. Note that entries obtained via "stdout" or "stderr" of forked processes will contain credentials valid for a parent process (that initiated the connection to systemd-journald). | 13362 | PID |
| _UID | | | 8 | UID |
| _GID | | | 8 | GID |
| _COMM | 10 | The name, the executable path, and the command line of the process the journal entry originates from. | 52 | command name |
| _EXE | | | 46 | executable path |
| _CMDLINE | | | 579 | command line |
| _CAP_EFFECTIVE | 11 | The effective capabilities(7) of the process the journal entry originates from. | 12 | effective capabilities |
| _AUDIT_SESSION | 12 | The session and login UID of the process the journal entry originates from, as maintained by the kernel audit subsystem. | 9 | audit session |
| _AUDIT_LOGINUID | | | 3 | audit login UID |
| _SYSTEMD_CGROUP | 13 | The control group path in the systemd hierarchy, the systemd slice unit name, the systemd unit name, the unit name in the systemd user manager (if any), the systemd session ID (if any), and the owner UID of the systemd user unit or systemd session (if any) of the process the journal entry originates from. | 55 | systemd control group path |
| _SYSTEMD_SLICE | | | 6 | systemd slice unit name |
| _SYSTEMD_UNIT | | | 42 | systemd unit name |
| _SYSTEMD_USER_UNIT | | | 9 | systemd user unit |
| _SYSTEMD_USER_SLICE | | | 1 | systemd user slice |
| _SYSTEMD_SESSION | | | 6 | systemd session |
| _SYSTEMD_OWNER_UID | | | 2 | systemd owner UID |
| _SELINUX_CONTEXT | 14 | The SELinux security context (label) of the process the journal entry originates from. | | |
| _SOURCE_REALTIME_TIMESTAMP | 15 | The earliest trusted timestamp of the message, if any is known that is different from the reception time of the journal. This is the time in microseconds since the epoch UTC, formatted as a decimal string. | 0 | source realtime timestamp |
| _BOOT_ID | 16 | The kernel boot ID for the boot the message was generated in, formatted as a 128-bit hexadecimal string. | 31 | boot ID |
| _MACHINE_ID | 17 | The machine ID of the originating host, as available in machine-id(5). | 1 | machine ID |
| _SYSTEMD_INVOCATION_ID | 18 | The invocation ID for the runtime cycle of the unit the message was generated in, as available to processes of the unit in $INVOCATION_ID (see systemd.exec(5)). | 530 | systemd invocation ID |
| _HOSTNAME | 19 | The name of the originating host. | 1 | hostname |
| _TRANSPORT | 20 | How the entry was received by the journal service. Valid transports are: | 6 | transport |
| audit | | for those read from the kernel audit subsystem | | |
| driver | | for internally generated messages | | |
| syslog | | for those received via the local syslog socket with the syslog protocol | | |
| journal | | for those received via the native journal protocol | | |
| stdout | | for those read from a service's standard output or error output | | |
| kernel | | for those read from the kernel | | |
| _STREAM_ID | 21 | Only applies to "_TRANSPORT=stdout" records: specifies a randomized 128-bit ID assigned to the stream connection when it was first created. This ID is useful to reconstruct individual log streams from the log records: all log records carrying the same stream ID originate from the same stream. | 440 | stream ID |
| _LINE_BREAK | 22 | Only applies to "_TRANSPORT=stdout" records: indicates that the log message in the standard output/error stream was not terminated with a normal newline character ("\n", i.e. ASCII 10). Specifically, when set this field is one of nul (in case the line was terminated by a NUL byte), line-max (in case the maximum log line length was reached, as configured with LineMax= in journald.conf(5)) or eof (if this was the last log record of a stream and the stream ended without a final newline character). Note that this record is not generated when a normal newline character was used for marking the log line end. | 1 | non-standard line ending |
| _NAMESPACE | 23 | If this file was written by a systemd-journald instance managing a journal namespace that is not the default, this field contains the namespace identifier. See systemd-journald.service(8) for details about journal namespaces. | | |
| KERNEL JOURNAL FIELDS | | Kernel fields are fields that are used by messages originating in the kernel and stored in the journal. | | |
| _KERNEL_DEVICE | 24 | The kernel device name. If the entry is associated to a block device, the major and minor of the device node, separated by ":" and prefixed by "b". Similar for character devices but prefixed by "c". For network devices, this is the interface index prefixed by "n". For all other devices, this is the subsystem name prefixed by "+", followed by ":", followed by the kernel device name. | 126 | kernel device |
| _KERNEL_SUBSYSTEM | 25 | The kernel subsystem name. | 16 | kernel subsystem |
| _UDEV_SYSNAME | 26 | The kernel device name as it shows up in the device tree below /sys. | 95 | kernel device under /sys |
| _UDEV_DEVNODE | 27 | The device node path of this device in /dev. | 42 | device node path in /dev |
| _UDEV_DEVLINK | 28 | Additional symlink names pointing to the device node in /dev. This field is frequently set more than once per entry. | | |
| ADDRESS FIELDS | | During serialization into external formats, such as the Journal Export Format[1] or the Journal JSON Format[2], the addresses of journal entries are serialized into fields prefixed with double underscores. Note that these are not proper fields when stored in the journal but for addressing metadata of entries. They cannot be written as part of structured log entries via calls such as sd_journal_send(3). They may also not be used as matches for sd_journal_add_match(3). | | |
| __CURSOR | 29 | The cursor for the entry. A cursor is an opaque text string that uniquely describes the position of an entry in the journal and is portable across machines, platforms and journal files. | | |
| __REALTIME_TIMESTAMP | 30 | The wallclock time (CLOCK_REALTIME) at the point in time the entry was received by the journal, in microseconds since the epoch UTC, formatted as a decimal string. This has different properties from "_SOURCE_REALTIME_TIMESTAMP=", as it is usually a bit later but more likely to be monotonic. | | |
| __MONOTONIC_TIMESTAMP | 31 | The monotonic time (CLOCK_MONOTONIC) at the point in time the entry was received by the journal in microseconds, formatted as a decimal string. To be useful as an address for the entry, this should be combined with the boot ID in "_BOOT_ID=". | | |
| FIELDS TO LOG ON BEHALF OF A DIFFERENT PROGRAM | | Fields in this section are used by programs to specify that they are logging on behalf of another program or unit. | | |
| | | Fields used by the systemd-coredump coredump kernel helper: | | |
| COREDUMP_UNIT | 32 | Used to annotate messages containing coredumps from system and session units. See coredumpctl(1). | 2 | coredump unit |
| COREDUMP_USER_UNIT | | | | |
| | | Privileged programs (currently UID 0) may attach OBJECT_PID= to a message. This will instruct systemd-journald to attach additional fields on behalf of the caller: | | |
| OBJECT_PID=PID | 33 | PID of the program that this message pertains to. | | |
| OBJECT_UID | 34 | These are additional fields added automatically by systemd-journald. Their meaning is the same as _UID=, _GID=, _COMM=, _EXE=, _CMDLINE=, _AUDIT_SESSION=, _AUDIT_LOGINUID=, _SYSTEMD_CGROUP=, _SYSTEMD_SESSION=, _SYSTEMD_UNIT=, _SYSTEMD_USER_UNIT=, and _SYSTEMD_OWNER_UID= as described above, except that the process identified by PID is described, instead of the process which logged the message. | | |
| OBJECT_GID | | | | |
| OBJECT_COMM | | | | |
| OBJECT_EXE | | | | |
| OBJECT_CMDLINE | | | | |
| OBJECT_AUDIT_SESSION | | | | |
| OBJECT_AUDIT_LOGINUID | | | | |
| OBJECT_SYSTEMD_CGROUP | | | | |
| OBJECT_SYSTEMD_SESSION | | | | |
| OBJECT_SYSTEMD_OWNER_UID | | | | |
| OBJECT_SYSTEMD_UNIT | | | | |
| OBJECT_SYSTEMD_USER_UNIT | | | | |
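The distinction the table draws between trusted (underscore) fields and client-supplied ones is what makes the journal useful for verifying a log line's origin: SYSLOG_IDENTIFIER, SYSLOG_PID, PRIORITY and SYSLOG_FACILITY are stored unvalidated, while _COMM, _PID and _UID are set by journald from the sender's credentials. The following check, an added example that is not part of the original post, reads `journalctl -o json` lines and flags entries whose client-supplied fields disagree with the trusted ones; it skips the stdout transport (the trusted credentials there belong to the parent process, as the _PID row notes) and allows for the kernel's 15-character _COMM limit. The sample entries are constructed.

```python
import json

# Constructed `journalctl -o json` lines, not real logs. The first two are ordinary
# entries; the remaining ones are shaped to trip the checks below.
SAMPLE_JSON = """\
{"_TRANSPORT":"syslog","SYSLOG_IDENTIFIER":"sshd","SYSLOG_PID":"812","SYSLOG_FACILITY":"10","PRIORITY":"6","_COMM":"sshd","_PID":"812","_UID":"0","MESSAGE":"Accepted publickey for toma"}
{"_TRANSPORT":"stdout","SYSLOG_IDENTIFIER":"backup.sh","_COMM":"bash","_PID":"2210","_UID":"0","PRIORITY":"6","MESSAGE":"backup finished"}
{"_TRANSPORT":"syslog","SYSLOG_IDENTIFIER":"sshd","SYSLOG_PID":"812","SYSLOG_FACILITY":"10","PRIORITY":"6","_COMM":"logger","_PID":"4410","_UID":"1001","MESSAGE":"Accepted publickey for root"}
{"_TRANSPORT":"syslog","SYSLOG_IDENTIFIER":"myapp","SYSLOG_FACILITY":"99","PRIORITY":"9","_COMM":"myapp","_PID":"5000","_UID":"1001","MESSAGE":"hello"}
{"_TRANSPORT":"journal","OBJECT_PID":"1","_COMM":"python3","_PID":"6001","_UID":"1001","PRIORITY":"4","MESSAGE":"logging on behalf of pid 1"}
"""

TASK_COMM_LEN = 15  # the kernel truncates a process's comm (and so _COMM) to 15 characters


def check_entry(e: dict) -> list:
    """Compare client-supplied fields with the trusted (underscore) fields journald
    added itself. Returns a list of findings; an empty list means consistent."""
    findings = []
    # SYSLOG_* fields are copied from the datagram and never validated, so only
    # compare them when the entry really arrived over the syslog socket. Entries
    # from a service's stdout/stderr carry the parent's credentials, so a
    # mismatch there is expected and is not reported.
    if e.get("_TRANSPORT") == "syslog":
        ident, comm = e.get("SYSLOG_IDENTIFIER"), e.get("_COMM")
        if ident and comm and ident[:TASK_COMM_LEN] != comm:
            findings.append(f"SYSLOG_IDENTIFIER={ident!r} but trusted _COMM={comm!r}")
        if e.get("SYSLOG_PID") and e.get("SYSLOG_PID") != e.get("_PID"):
            findings.append(f"SYSLOG_PID={e['SYSLOG_PID']} but trusted _PID={e.get('_PID')}")
    # journald stores whatever string the client put here; enforce the
    # "integer formatted as a decimal string, in range" rule from the man page.
    for field, hi in (("PRIORITY", 7), ("SYSLOG_FACILITY", 23)):
        v = e.get(field)
        if v is not None and not (v.isdigit() and int(v) <= hi):
            findings.append(f"{field}={v!r} is not a decimal value in 0..{hi}")
    # journald only acts on OBJECT_PID= for UID 0 senders; from anyone else it is
    # just an unverified user field and the OBJECT_* companions are never added.
    if "OBJECT_PID" in e and e.get("_UID") != "0":
        findings.append(f"OBJECT_PID={e['OBJECT_PID']} supplied by unprivileged _UID={e.get('_UID')}")
    return findings


def scan(entries_json: str) -> list:
    """Run check_entry over JSON-export lines; returns (MESSAGE, findings) per flagged entry."""
    flagged = []
    for line in entries_json.splitlines():
        if line.strip():
            e = json.loads(line)
            findings = check_entry(e)
            if findings:
                flagged.append((e.get("MESSAGE", ""), findings))
    return flagged


if __name__ == "__main__":
    for msg, findings in scan(SAMPLE_JSON):
        print(msg, "->", "; ".join(findings))
```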
2.3 Fields and values available on this machine
The field names actually available, and the values they can take, all come from the journal files on this machine. In other words, every machine is different, and the only way to know is to query it yourself. The query below shows that 160 fields are currently available on this machine.
$ sudo journalctl -N |wc -l
160
Each field in turn has several possible values to choose from, which makes log filtering more precise.
To collect the number of values available for one field:
$ sudo journalctl -F _AUDIT_FIELD_RES |wc -l >> temp.txt
Following the pattern above, write one such command for each of the 160 fields (160 lines), then copy and paste them into the terminal; they run in sequence and append each field's value count to temp.txt.
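The 160-command census above can be done in one pass over `journalctl -o json` output. The following is an added example, not code from the original post: it collects every field and its distinct values (the equivalent of -N plus -F for each field), and handles the three JSON-export cases a naive loop gets wrong: a field set more than once per entry (serialized as an array), a binary field (an array of byte values) and a field larger than 4096 bytes (null unless --all is passed). The sample entries are constructed.

```python
import json
from collections import defaultdict

# Constructed `journalctl -o json` lines (not real logs). Entry 3 has a MESSAGE
# elided as null, entry 4 sets _UDEV_DEVLINK twice (array of strings), and
# entry 5 carries a binary MESSAGE (array of byte values).
SAMPLE_JSON = """\
{"PRIORITY":"6","_TRANSPORT":"syslog","_UID":"0","SYSLOG_IDENTIFIER":"sshd","MESSAGE":"Accepted publickey for toma"}
{"PRIORITY":"4","_TRANSPORT":"syslog","_UID":"0","SYSLOG_IDENTIFIER":"sudo","MESSAGE":"toma : TTY=pts/1 ; COMMAND=/usr/bin/systemctl"}
{"PRIORITY":"6","_TRANSPORT":"stdout","_UID":"1001","_SYSTEMD_USER_UNIT":"thunar.service","MESSAGE":null}
{"PRIORITY":"6","_TRANSPORT":"kernel","_UID":"0","_KERNEL_SUBSYSTEM":"block","_UDEV_DEVLINK":["/dev/disk/by-id/x","/dev/disk/by-uuid/y"],"MESSAGE":"link up"}
{"PRIORITY":"3","_TRANSPORT":"audit","_UID":"0","_AUDIT_FIELD_RES":"1","_AUDIT_TYPE_NAME":"USER_AUTH","MESSAGE":[85,83,69,82,0,255]}
"""

ELIDED = "<elided: larger than 4096 bytes, rerun with --all>"


def field_census(entries_json: str) -> dict:
    """One pass over the export: for every field, the sorted list of distinct
    values it takes. Equivalent to `journalctl -N` (the keys) plus
    `journalctl -F FIELD` for every field (the values)."""
    values = defaultdict(set)
    for line in entries_json.splitlines():
        if not line.strip():
            continue
        for field, v in json.loads(line).items():
            if v is None:                                  # oversized field, elided
                values[field].add(ELIDED)
            elif isinstance(v, list) and v and isinstance(v[0], int):
                values[field].add(bytes(v).hex())           # binary field, keep as hex
            elif isinstance(v, list):
                values[field].update(v)                     # field set more than once
            else:
                values[field].add(v)
    return {field: sorted(vals) for field, vals in values.items()}


def field_names(census: dict) -> list:
    """`journalctl -N`: all field names currently in use."""
    return sorted(census)


def value_count(census: dict, field: str) -> int:
    """`journalctl -F FIELD | wc -l`: number of distinct values the field takes."""
    return len(census.get(field, ()))


def report(census: dict, examples: int = 3) -> list:
    """Rows of (field, distinct-value count, a few example values), i.e. the
    columns of the tables below, built from the census instead of by hand."""
    return [(f, value_count(census, f), census[f][:examples]) for f in field_names(census)]


if __name__ == "__main__":
    for field, count, sample in report(field_census(SAMPLE_JSON)):
        print(f"{field:28} {count:5}  {'; '.join(sample)}")
```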
List of fields currently available on this machine. "No." refers to the numbering in the man-page table above; "Count" is journalctl -F FIELD | wc -l.

| Type | No. | Field (journalctl -N) | Count | Example values (-F …) | Keyword |
|---|---|---|---|---|---|
| USER JOURNAL FIELDS | 1 | MESSAGE | 0 | | message |
| | 2 | MESSAGE_ID | 0 | | message ID |
| | 3 | PRIORITY | 7 | | priority |
| | 4 | CODE_FILE | 47 | | source file name |
| | | CODE_FUNC | 42 | | function name |
| | | CODE_LINE | 127 | | code line number |
| | 5 | ERRNO | 1 | 105 | error number |
| | 6 | INVOCATION_ID | 2707 | | invocation ID |
| | | USER_INVOCATION_ID | 1425 | | user invocation ID |
| | 7 | SYSLOG_FACILITY | 6 | | syslog facility |
| | | SYSLOG_IDENTIFIER | 48 | | syslog identifier |
| | | SYSLOG_PID | 140 | | syslog PID |
| | | SYSLOG_TIMESTAMP | 74168 | | syslog timestamp |
| | 8 | SYSLOG_RAW | 1686 | | raw syslog line |
| TRUSTED JOURNAL FIELDS | 9 | _GID | 8 | | GID |
| | | _PID | 13362 | | PID |
| | | _UID | 8 | | UID |
| | 10 | _CMDLINE | 579 | | command line |
| | | _COMM | 52 | | command name |
| | | _EXE | 46 | | executable path |
| | 11 | _CAP_EFFECTIVE | 12 | | effective capabilities |
| | 12 | _AUDIT_LOGINUID | 3 | 1001; 620; .. | audit login UID |
| | | _AUDIT_SESSION | 9 | | audit session |
| | 13 | _SYSTEMD_CGROUP | 55 | | systemd control group path |
| | | _SYSTEMD_OWNER_UID | 2 | 1001; 620 | systemd owner UID |
| | | _SYSTEMD_SESSION | 6 | 5; c2; 2; c1; 7; c3 | systemd session |
| | | _SYSTEMD_SLICE | 6 | user-1001.slice; user-620.slice… | systemd slice unit name |
| | | _SYSTEMD_UNIT | 42 | | systemd unit name |
| | | _SYSTEMD_USER_SLICE | 1 | -.slice | systemd user slice |
| | | _SYSTEMD_USER_UNIT | 9 | gvfs-daemon.service; thunar.service | systemd user unit |
| | 15 | _SOURCE_REALTIME_TIMESTAMP | 0 | | source realtime timestamp |
| | 16 | _BOOT_ID | 31 | | boot ID |
| | 17 | _MACHINE_ID | 1 | 213df5b115df44afa70277ddc24726ef | machine ID |
| | 18 | _SYSTEMD_INVOCATION_ID | 530 | | systemd invocation ID |
| | 19 | _HOSTNAME | 1 | tompc | hostname |
| | 20 | _TRANSPORT | 6 | syslog; stdout; audit; journal; driver; kernel | transport |
| | 21 | _STREAM_ID | 440 | | stream ID |
| | 22 | _LINE_BREAK | 1 | eof | non-standard line ending |
| KERNEL JOURNAL FIELDS | 24 | _KERNEL_DEVICE | 126 | | kernel device |
| | 25 | _KERNEL_SUBSYSTEM | 16 | | kernel subsystem |
| | 26 | _UDEV_SYSNAME | 95 | | kernel device under /sys |
| | 27 | _UDEV_DEVNODE | 42 | | device node path in /dev |
| FIELDS TO LOG ON BEHALF OF A DIFFERENT PROGRAM | 32 | COREDUMP_UNIT | 2 | session-2.scope; session-5.scope | coredump unit |
Further fields found on this machine (not numbered in the man-page table above):

| Field (journalctl -N) | Count | Example values (-F …) | Keyword |
|---|---|---|---|
| _AUDIT_FIELD_A0 | 5 | | audit field a0 |
| _AUDIT_FIELD_A1 | 165 | | audit field a1 |
| _AUDIT_FIELD_A2 | 5 | | audit field a2 |
| _AUDIT_FIELD_A3 | 187 | | audit field a3 |
| _AUDIT_FIELD_ARCH | 1 | c000003e | audit field arch |
| _AUDIT_FIELD_AUDIT_ENABLED | 1 | 1 | audit field audit_enabled |
| _AUDIT_FIELD_AUDIT_PID | 11 | … | audit field audit_pid |
| _AUDIT_FIELD_DEV | 2 | wlp16s0, wlan0 | audit field dev (wireless interface) |
| _AUDIT_FIELD_EXIT | 5 | | audit field exit |
| _AUDIT_FIELD_ITEMS | 1 | 0 | audit field items |
| _AUDIT_FIELD_KEY | 1 | (null) | audit field key |
| _AUDIT_FIELD_OLD | 8 | | audit field old |
| _AUDIT_FIELD_OLD_PROM | 2 | 0; 256 | audit field old_prom |
| _AUDIT_FIELD_PROM | 2 | 0; 256 | audit field prom |
| _AUDIT_FIELD_OP | 3 | UNLOAD; LOAD; set | audit field op |
| _AUDIT_FIELD_PROG_ID | 78 | | audit field prog-id |
| _AUDIT_FIELD_RES | 1 | 1 | audit field res |
| _AUDIT_FIELD_SGID | 3 | 985; 620; 0 | audit field sgid |
| _AUDIT_FIELD_SIG | 1 | 11 | audit field sig |
| _AUDIT_FIELD_SUCCESS | 1 | yes | audit field success |
| _AUDIT_FIELD_SUID | 3 | 1001; 620; 0 | audit field suid |
| _AUDIT_FIELD_SYSCALL | 4 | 54; 321; 1; 44 | audit field syscall |
| _AUDIT_ID | 31545 | | audit ID |
| _AUDIT_TYPE | 22 | | audit type |
| _AUDIT_TYPE_NAME | 22 | | audit type name |
| _EGID | 3 | 985; 620; 0 | egid |
| _EUID | 3 | 1001; 620; 0 | euid |
| _FSGID | 3 | 985; 620; 0 | fsgid |
| _FSUID | 3 | 1001; 620; 0 | fsuid |
| _PPID | 45 | | ppid |
| _SOURCE_MONOTONIC_TIMESTAMP | 10103 | | source monotonic timestamp |
| _TTY | 5 | pts2; pts0; (none); pts1; Pts3 | tty |
| AUDIT_FIELD_ACCT | 9 | root, toma, lightdm, pcp, couchdb, | audit field acct |
| AUDIT_FIELD_ADDR | 1 | ? | audit field addr |
| AUDIT_FIELD_COMM | 2 | systemd-update-utmp; systemd | audit field comm |
| AUDIT_FIELD_EXE | 7 | /usr/bin/unix_chkpwd /usr/bin/sudo… | audit field exe |
| AUDIT_FIELD_GRANTORS | 11 | pam… | audit field grantors |
| AUDIT_FIELD_HOSTNAME | 2 | tompc; ? | audit field hostname |
| AUDIT_FIELD_ID | 7 | | audit field id |
| AUDIT_FIELD_NAME | 2 | "China-cHen"; "China-cHen_5G" | audit field name (wireless network) |
| AUDIT_FIELD_OP | 10 | PAM:unix_chkpwd; logout; login… | audit field op |
| AUDIT_FIELD_PID | 7 | | audit field pid |
| AUDIT_FIELD_RES | 2 | failed; success | audit field res |
| AUDIT_FIELD_RESULT | 1 | success | audit field result |
| AUDIT_FIELD_TERMINAL | 10 | /dev/pts/3 /dev/tty7 | audit field terminal |
| AUDIT_FIELD_UID | 1 | 1001 | audit field uid |
| AUDIT_FIELD_UNIT | 67 | | audit field unit |
| AUDIT_FIELD_UUID | 2 | | audit field uuid |
| AVAILABLE | 24 | | available |
| AVAILABLE_PRETTY | 5 | 2.4G; 2.5G; 389.6M; 2.2G; 2.3G | available (human-readable) |
| COMMAND | 1 | ExecStart | command |
| COREDUMP_CGROUP | 2 | /user.slice/user-1001.slice/session-2.scope /user.slice/user-1001.slice/session-5.scope | coredump cgroup |
| COREDUMP_CMDLINE | 10 | | coredump command line |
| COREDUMP_COMM | 3 | chromium; xfce4-session; pluma | coredump comm |
| COREDUMP_CWD | 1 | /home/toma | coredump cwd |
| COREDUMP_ENVIRON | 7826 | | coredump environment (contains blank lines) |
| COREDUMP_EXE | 3 | /usr/lib/chromium/chromium /usr/bin/xfce4-session /usr/bin/pluma | coredump exe |
| COREDUMP_FILENAME | 14 | | coredump file name |
| COREDUMP_GID | 1 | 985 | coredump gid |
| COREDUMP_HOSTNAME | 1 | tompc | coredump hostname |
| COREDUMP_OPEN_FDS | 11545 | | coredump open fds |
| COREDUMP_OWNER_UID | 1 | 1001 | coredump owner uid |
| COREDUMP_PID | 14 | | coredump pid |
| COREDUMP_PROC_CGROUP | 140 | | coredump proc cgroup |
| COREDUMP_PROC_LIMITS | 18 | | coredump process limits (table) |
| COREDUMP_PROC_MAPS | 19025 | | coredump proc maps |
| COREDUMP_PROC_MOUNTINFO | 370 | | coredump proc mountinfo |
| COREDUMP_PROC_STATUS | 784 | | coredump proc status |
| COREDUMP_RLIMIT | 1 | | coredump rlimit |
| COREDUMP_ROOT | 1 | / | coredump root |
| COREDUMP_SESSION | 2 | 2; 5 | coredump session |
| COREDUMP_SIGNAL | 1 | 11 | coredump signal |
| COREDUMP_SIGNAL_NAME | 1 | SIGSEGV | coredump signal name |
| COREDUMP_SLICE | 1 | user-1001.slice | coredump slice |
| COREDUMP_TIMESTAMP | 14 | | coredump timestamp |
| COREDUMP_TRUNCATED | 1 | 1 | coredump truncated |
| COREDUMP_UID | 1 | 1001 | coredump uid |
| CURRENT_USE | 24 | | current use |
| CURRENT_USE_PRETTY | 23 | | current use (human-readable) |
| DEVICE | 1 | controlC0 | device |
| DISK_AVAILABLE | 27 | | disk available |
| DISK_AVAILABLE_PRETTY | 8 | | disk available (human-readable) |
| DISK_KEEP_FREE | 2 | | disk keep free |
| DISK_KEEP_FREE_PRETTY | 2 | 1.4G; 198.8M | disk keep free (human-readable) |
| EXIT_CODE | 1 | exited | exit code |
| EXIT_STATUS | 1 | 1 | exit status |
| GLIB_DOMAIN | 5 | udisks; tumblerd; xfconfd; tumbler; Gdk | glib domain |
| GLIB_OLD_LOG_API | 1 | 1 | glib old log api |
| JOB_ID | 1542 | | job ID |
| JOB_RESULT | 2 | done; failed | job result |
| JOB_TYPE | 4 | stop; start; restart; reload | job type |
| JOURNAL_NAME | 2 | System Journal; Runtime Journal | journal name |
| JOURNAL_PATH | 2 | /var/log/journal/… /run/log/journal/… | journal path |
| KERNEL_USEC | 23 | | kernel usec |
| LEADER | 41 | | leader |
| LIMIT | 2 | 3211776000; 416927744 | limit |
| LIMIT_PRETTY | 2 | 2.9G; 397.6M | limit (human-readable) |
| MAX_USE | 2 | 3211776000; 416927744 | max use |
| MAX_USE_PRETTY | 2 | 2.9G; 397.6M | max use (human-readable) |
| N_RESTARTS | 5 | | number of restarts |
| NM_DEVICE | 4 | wlp16s0; enp0s25; lo; wlan0 | nm device (network) |
| NM_LOG_DOMAINS | 15 | DHCP4; DHCP6; DNS; WIFI SUSPEND; CORE; AUDIT… | nm log domains |
| NM_LOG_LEVEL | 2 | INFO; WARN | nm log level |
| QT_CATEGORY | 3 | default; qt.qpa.xcb; qt.svg | qt category |
| SEAT_ID | 1 | seat0 | seat id |
| SESSION_ID | 6 | 5; c2; 2; c1; 7; c3 | session ID |
| SHUTDOWN | 2 | power-off; reboot | shutdown |
| SIZE_LIMIT | 1 | 2147483648 | size limit |
| SLEEP | 1 | suspend | sleep |
| THREAD_ID | 15 | | thread ID |
| TIMESTAMP_BOOTTIME | 11245 | | timestamp boottime |
| TIMESTAMP_MONOTONIC | 11245 | | timestamp monotonic |
| UNIT | 148 | | unit |
| UNIT_RESULT | 2 | resources; exit-code | unit result |
| USER_ID | 2 | toma; lightdm | user ID |
| USER_UNIT | 38 | | user unit |
| USERSPACE_USEC | 86 | | userspace usec |
For concrete usage, see the examples in the man page:
https://szosoft.blogspot.com/2020/07/man-journalctl-cn.html#4
https://www.cnblogs.com/sztom/p/13385056.html#4