2020-07-29

journalctl-field-filter

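1. Log query 1: the usual time range + grep filtering.
2. Log query 2: field filtering.
 2.1 The -F and -N options
 2.2 man systemd.journal-fields
 2.3 Fields and data available on this machine

1. Log query 1: the usual time range + grep filtering.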

$ sudo journalctl -S 12:18:00 -U 12:36:00 -o short-iso -o with-unit
$ sudo journalctl -S "2020-07-27 23:18:00" -U 2:36:00 -o short-iso -o with-unit
 + | grep with -i (ignore case); -E "a|b|c" (alternation, "or"); -w (whole-word match); -v (exclude matching lines).

2. Log query 2: field filtering.

2.1 The -F and -N options

To see which fields and values are available, query with the -F and -N options. Here is how --help and the man page describe them.
  • --help
    • -N, --fields  List all field names currently used
    • -F, --field=  List all values that a specified field takes
  • man page
    • -N, --fields  Print all field names currently used in all entries of the journal.
    • -F, --field=  Print all possible data values the specified field can take in all entries of the journal.

2.2 man systemd.journal-fields

https://jlk.fjfi.cvut.cz/arch/manpages/man/systemd.journal-fields.7.en
NAME: systemd.journal-fields - Special journal fields
DESCRIPTION:
Entries in the journal (as written by systemd-journald.service(8)) resemble a UNIX process environment block in syntax but with fields that may include binary data.
Primarily, fields are formatted UTF-8 text strings, and binary encoding is used only where formatting as UTF-8 text strings makes little sense.
New fields may freely be defined by applications, but a few fields have special meanings.
All fields with special meanings are optional.
In some cases, fields may appear more than once per entry.
SEE ALSO: systemd(1), systemd-journald.service(8), journalctl(1), journald.conf(5), sd-journal(3), coredumpctl(1), systemd.directives(7)
NOTES:
1. Journal Export Format https://www.freedesktop.org/wiki/Software/systemd/export
2. Journal JSON Format https://www.freedesktop.org/wiki/Software/systemd/json

List of special journal fields

Each entry below gives the man page's entry number, the field name or names, and the man page description. Where it was recorded, the entry ends with the number of distinct values found on this machine (journalctl -F FIELD | wc -l) and a short keyword for each field.

USER JOURNAL FIELDS
User fields are fields that are directly passed from clients and stored in the journal.

(1) MESSAGE
The human-readable message string for this entry.
This is supposed to be the primary text shown to the user.
It is usually not translated (but might be in some cases), and is not supposed to be parsed for metadata.
Distinct values on this machine: MESSAGE 0 (message)

(2) MESSAGE_ID
A 128-bit message identifier ID for recognizing certain message types, if this is desirable.
This should contain a 128-bit ID formatted as a lower-case hexadecimal string, without any separating dashes or suchlike.
This is recommended to be a UUID-compatible ID, but this is not enforced, and formatted differently.
Developers can generate a new ID for this purpose with systemd-id128 new.
Distinct values on this machine: MESSAGE_ID 0 (message ID)

(3) PRIORITY
A priority value between 0 ("emerg") and 7 ("debug") formatted as a decimal string.
This field is compatible with syslog's priority concept.
Distinct values on this machine: PRIORITY 7 (priority)

(4) CODE_FILE, CODE_LINE, CODE_FUNC
The code location generating this message, if known.
Contains the source filename, the line number and the function name.
Distinct values on this machine: CODE_FILE 47 (source file name); CODE_LINE 127 (code line number); CODE_FUNC 42 (function name)

(5) ERRNO
The low-level Unix error number causing this entry, if any.
Contains the numeric value of errno(3) formatted as a decimal string.
Distinct values on this machine: ERRNO 1 (error number)

(6) INVOCATION_ID, USER_INVOCATION_ID
A randomized, unique 128-bit ID identifying each runtime cycle of the unit.
This is different from _SYSTEMD_INVOCATION_ID in that it is only used for messages coming from systemd code
(e.g. logs from the system/user manager or from forked processes performing systemd-related setup).
Distinct values on this machine: INVOCATION_ID 2707 (invocation ID); USER_INVOCATION_ID 1425 (user invocation ID)

(7) SYSLOG_FACILITY, SYSLOG_IDENTIFIER, SYSLOG_PID, SYSLOG_TIMESTAMP
Syslog compatibility fields containing the facility (formatted as decimal string), the identifier string (i.e. "tag"), the client PID, and the timestamp as specified in the original datagram.
(Note that the tag is usually derived from glibc's program_invocation_short_name variable, see program_invocation_short_name(3).)
Note that the journal service does not validate the values of any structured journal fields whose name is not prefixed with an underscore, and this includes any syslog related fields such as these.
Hence, applications that supply a facility, PID, or log level are expected to do so properly formatted, i.e. as numeric integers formatted as decimal strings.
Distinct values on this machine: SYSLOG_FACILITY 6 (syslog facility); SYSLOG_IDENTIFIER 48 (syslog identifier); SYSLOG_PID 140 (syslog pid); SYSLOG_TIMESTAMP 74168 (syslog timestamp)

(8) SYSLOG_RAW
The original contents of the syslog line as received in the syslog datagram.
This field is only included if the MESSAGE= field was modified compared to the original payload or the timestamp could not be located properly and is not included in SYSLOG_TIMESTAMP=.
Message truncation occurs when the message contains leading or trailing whitespace (trailing and leading whitespace is stripped), or it contains an embedded NUL byte (the NUL byte and anything after it is not included).
Thus, the original syslog line is either stored as SYSLOG_RAW= or it can be recreated based on the stored priority and facility, timestamp, identifier, and the message payload in MESSAGE=.
Distinct values on this machine: SYSLOG_RAW 1686 (raw syslog content)

TRUSTED JOURNAL FIELDS
Fields prefixed with an underscore are trusted fields, i.e. fields that are implicitly added by the journal and cannot be altered by client code.

(9) _PID, _UID, _GID
The process, user, and group ID of the process the journal entry originates from formatted as a decimal string.
Note that entries obtained via "stdout" or "stderr" of forked processes will contain credentials valid for a parent process (that initiated the connection to systemd-journald).
Distinct values on this machine: _PID 13362 (pid); _UID 8 (uid); _GID 8 (gid)

(10) _COMM, _EXE, _CMDLINE
The name, the executable path, and the command line of the process the journal entry originates from.
Distinct values on this machine: _COMM 52 (command name); _EXE 46 (executable path); _CMDLINE 579 (command line)

(11) _CAP_EFFECTIVE
The effective capabilities(7) of the process the journal entry originates from.
Distinct values on this machine: _CAP_EFFECTIVE 12 (effective capabilities)

(12) _AUDIT_SESSION, _AUDIT_LOGINUID
The session and login UID of the process the journal entry originates from, as maintained by the kernel audit subsystem.
Distinct values on this machine: _AUDIT_SESSION 9 (session (audit)); _AUDIT_LOGINUID 3 (login ID (audit))

(13) _SYSTEMD_CGROUP, _SYSTEMD_SLICE, _SYSTEMD_UNIT, _SYSTEMD_USER_UNIT, _SYSTEMD_USER_SLICE, _SYSTEMD_SESSION, _SYSTEMD_OWNER_UID
The control group path in the systemd hierarchy, the systemd slice unit name, the systemd unit name, the unit name in the systemd user manager (if any), the systemd session ID (if any), and the owner UID of the systemd user unit or systemd session (if any) of the process the journal entry originates from.
Distinct values on this machine: _SYSTEMD_CGROUP 55 (systemd control group path); _SYSTEMD_SLICE 6 (systemd slice unit name); _SYSTEMD_UNIT 42 (systemd unit name); _SYSTEMD_USER_UNIT 9 (systemd user unit); _SYSTEMD_USER_SLICE 1 (systemd user slice); _SYSTEMD_SESSION 6 (systemd session); _SYSTEMD_OWNER_UID 2 (systemd owner uid)

(14) _SELINUX_CONTEXT
The SELinux security context (label) of the process the journal entry originates from.

(15) _SOURCE_REALTIME_TIMESTAMP
The earliest trusted timestamp of the message, if any is known that is different from the reception time of the journal.
This is the time in microseconds since the epoch UTC, formatted as a decimal string.
Distinct values on this machine: _SOURCE_REALTIME_TIMESTAMP 0 (source realtime timestamp)

(16) _BOOT_ID
The kernel boot ID for the boot the message was generated in, formatted as a 128-bit hexadecimal string.
Distinct values on this machine: _BOOT_ID 31 (boot ID)

(17) _MACHINE_ID
The machine ID of the originating host, as available in machine-id(5).
Distinct values on this machine: _MACHINE_ID 1 (machine ID)

(18) _SYSTEMD_INVOCATION_ID
The invocation ID for the runtime cycle of the unit the message was generated in, as available to processes of the unit in $INVOCATION_ID (see systemd.exec(5)).
Distinct values on this machine: _SYSTEMD_INVOCATION_ID 530 (systemd invocation ID)

(19) _HOSTNAME
The name of the originating host.
Distinct values on this machine: _HOSTNAME 1 (host name)

(20) _TRANSPORT
How the entry was received by the journal service. Valid transports are:
  • audit: for those read from the kernel audit subsystem
  • driver: for internally generated messages
  • syslog: for those received via the local syslog socket with the syslog protocol
  • journal: for those received via the native journal protocol
  • stdout: for those read from a service's standard output or error output
  • kernel: for those read from the kernel
Distinct values on this machine: _TRANSPORT 6 (transport)

(21) _STREAM_ID
Only applies to "_TRANSPORT=stdout" records: specifies a randomized 128bit ID assigned to the stream connection when it was first created.
This ID is useful to reconstruct individual log streams from the log records: all log records carrying the same stream ID originate from the same stream.
Distinct values on this machine: _STREAM_ID 440 (stream ID)

(22) _LINE_BREAK
Only applies to "_TRANSPORT=stdout" records: indicates that the log message in the standard output/error stream was not terminated with a normal newline character ("\n", i.e. ASCII 10).
Specifically, when set this field is one of nul (in case the line was terminated by a NUL byte), line-max (in case the maximum log line length was reached, as configured with LineMax= in journald.conf(5)) or eof (if this was the last log record of a stream and the stream ended without a final newline character).
Note that this record is not generated when a normal newline character was used for marking the log line end.
Distinct values on this machine: _LINE_BREAK 1 (non-standard line break)

(23) _NAMESPACE
If this file was written by a systemd-journald instance managing a journal namespace that is not the default, this field contains the namespace identifier.
See systemd-journald.service(8) for details about journal namespaces.


KERNEL JOURNAL FIELDS
Kernel fields are fields that are used by messages originating in the kernel and stored in the journal.

(24) _KERNEL_DEVICE
The kernel device name.
If the entry is associated to a block device, the major and minor of the device node, separated by ":" and prefixed by "b".
Similar for character devices but prefixed by "c".
For network devices, this is the interface index prefixed by "n".
For all other devices, this is the subsystem name prefixed by "+", followed by ":", followed by the kernel device name.
Distinct values on this machine: _KERNEL_DEVICE 126 (kernel device)

(25) _KERNEL_SUBSYSTEM
The kernel subsystem name.
Distinct values on this machine: _KERNEL_SUBSYSTEM 16 (kernel subsystem)

(26) _UDEV_SYSNAME
The kernel device name as it shows up in the device tree below /sys.
Distinct values on this machine: _UDEV_SYSNAME 95 (kernel device under /sys)

(27) _UDEV_DEVNODE
The device node path of this device in /dev.
Distinct values on this machine: _UDEV_DEVNODE 42 (device node path in /dev)

(28) _UDEV_DEVLINK
Additional symlink names pointing to the device node in /dev. This field is frequently set more than once per entry.

ADDRESS FIELDS
During serialization into external formats, such as the Journal Export Format[1] or the Journal JSON Format[2], the addresses of journal entries are serialized into fields prefixed with double underscores.
Note that these are not proper fields when stored in the journal but for addressing metadata of entries.
They cannot be written as part of structured log entries via calls such as sd_journal_send(3).
They may also not be used as matches for sd_journal_add_match(3).

(29) __CURSOR
The cursor for the entry.
A cursor is an opaque text string that uniquely describes the position of an entry in the journal and is portable across machines, platforms and journal files.

(30) __REALTIME_TIMESTAMP
The wallclock time (CLOCK_REALTIME) at the point in time the entry was received by the journal, in microseconds since the epoch UTC, formatted as a decimal string.
This has different properties from "_SOURCE_REALTIME_TIMESTAMP=", as it is usually a bit later but more likely to be monotonic.

(31) __MONOTONIC_TIMESTAMP
The monotonic time (CLOCK_MONOTONIC) at the point in time the entry was received by the journal in microseconds, formatted as a decimal string.
To be useful as an address for the entry, this should be combined with the boot ID in "_BOOT_ID=".


FIELDS TO LOG ON BEHALF OF A DIFFERENT PROGRAM
Fields in this section are used by programs to specify that they are logging on behalf of another program or unit.

Fields used by the systemd-coredump coredump kernel helper:

(32) COREDUMP_UNIT, COREDUMP_USER_UNIT
Used to annotate messages containing coredumps from system and session units. See coredumpctl(1).
Distinct values on this machine: COREDUMP_UNIT 2 (core dump unit)

Privileged programs (currently UID 0) may attach OBJECT_PID= to a message.
This will instruct systemd-journald to attach additional fields on behalf of the caller:

(33) OBJECT_PID=PID
PID of the program that this message pertains to.

(34) OBJECT_UID, OBJECT_GID, OBJECT_COMM, OBJECT_EXE, OBJECT_CMDLINE, OBJECT_AUDIT_SESSION, OBJECT_AUDIT_LOGINUID, OBJECT_SYSTEMD_CGROUP, OBJECT_SYSTEMD_SESSION, OBJECT_SYSTEMD_OWNER_UID, OBJECT_SYSTEMD_UNIT, OBJECT_SYSTEMD_USER_UNIT
These are additional fields added automatically by systemd-journald.
Their meaning is the same as _UID=, _GID=, _COMM=, _EXE=, _CMDLINE=, _AUDIT_SESSION=, _AUDIT_LOGINUID=, _SYSTEMD_CGROUP=, _SYSTEMD_SESSION=, _SYSTEMD_UNIT=, _SYSTEMD_USER_UNIT=, and _SYSTEMD_OWNER_UID= as described above, except that the process identified by PID is described, instead of the process which logged the message.
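
The man page text above separates client-supplied fields (journald does not validate SYSLOG_IDENTIFIER or SYSLOG_PID) from trusted fields prefixed with an underscore. The following is an added example, not part of the original post: it reads `journalctl -o json` lines (a constructed sample here) and reports entries whose syslog claims disagree with _PID or _COMM; the function names and sample entries are assumptions of the example.

```python
import json

# Constructed sample entries in `journalctl -o json` form (not real logs).
SAMPLE_CLAIMS = """\
{"_TRANSPORT":"syslog","_PID":"811","_UID":"0","_COMM":"sshd","_EXE":"/usr/sbin/sshd","SYSLOG_IDENTIFIER":"sshd","SYSLOG_PID":"811","MESSAGE":"constructed entry A"}
{"_TRANSPORT":"syslog","_PID":"4242","_UID":"1001","_COMM":"logger","_EXE":"/usr/bin/logger","SYSLOG_IDENTIFIER":"sshd","SYSLOG_PID":"811","MESSAGE":"constructed entry B"}
{"_TRANSPORT":"journal","_PID":"950","_UID":"0","_COMM":"NetworkManager","_EXE":"/usr/sbin/NetworkManager","SYSLOG_IDENTIFIER":"NetworkManager","MESSAGE":"constructed entry C"}
{"_TRANSPORT":"stdout","_PID":"1200","_UID":"1001","_COMM":"python3","SYSLOG_IDENTIFIER":"backup-job","MESSAGE":"constructed entry D"}
"""

# The kernel keeps at most 15 bytes of the task name behind _COMM
# (the slice below assumes ASCII names).
COMM_MAX = 15


def first(entry, name):
    """First text value of a field; a repeated field arrives as a JSON array."""
    value = entry.get(name)
    if isinstance(value, list):
        value = value[0] if value else None
    return value if isinstance(value, str) else None


def claim_mismatches(entry):
    """Compare client-supplied SYSLOG_* claims with journald's trusted fields."""
    found = []
    claimed_pid, pid = first(entry, "SYSLOG_PID"), first(entry, "_PID")
    if claimed_pid and pid and claimed_pid != pid:
        found.append(("SYSLOG_PID", claimed_pid, "_PID", pid))
    ident, comm = first(entry, "SYSLOG_IDENTIFIER"), first(entry, "_COMM")
    if ident and comm and ident[:COMM_MAX] != comm:
        found.append(("SYSLOG_IDENTIFIER", ident, "_COMM", comm))
    return found


def review(lines):
    """Return (transport, exe, client_field, claimed, trusted_field, actual) rows."""
    rows = []
    for line in lines:
        if not line.strip():
            continue
        entry = json.loads(line)
        origin = (first(entry, "_TRANSPORT"), first(entry, "_EXE"))
        rows.extend(origin + hit for hit in claim_mismatches(entry))
    return rows


if __name__ == "__main__":
    for row in review(SAMPLE_CLAIMS.splitlines()):
        print(*row, sep="\t")
```

A mismatch is a lead for triage, not proof of forgery: the stdout row in the sample is the ordinary case of a service logging under a configured identifier. When filtering during an investigation, prefer matches on trusted fields such as _SYSTEMD_UNIT=, _EXE= or _UID= over SYSLOG_IDENTIFIER=.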

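2.3 Fields and data available on this machine

The field names that are actually available, and the values they can take, come from the contents of this machine's journal files. In other words, they differ on every computer, and you only find out by querying your own. The query below shows that 160 fields are currently available on this machine.
$ sudo journalctl -N |wc -l
160
Each field in turn has multiple values to choose from, which makes log filtering more fine-grained.
Collecting the number of available values:
$ sudo journalctl -F _AUDIT_FIELD_RES  |wc -l >> temp.txt
Following the pattern above, list all 160 fields as 160 command lines; copy and paste them straight into a terminal to run them, and they write the number of available values to temp.txt one after another.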
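
The per-field counts can also be collected in one pass over `journalctl -o json` output instead of 160 pasted commands. The following is an added example, not part of the original post: it counts distinct values per field from JSON lines (a constructed sample here), handling repeated fields, binary values and oversized values the way the Journal JSON Format represents them (arrays of strings, arrays of numbers, and null); the function names and sample entries are assumptions of the example.

```python
import json
from collections import defaultdict

# Constructed sample: three entries as `journalctl -o json` prints them.
SAMPLE_JSON_LINES = """\
{"__CURSOR":"s=constructed-1","__REALTIME_TIMESTAMP":"1595823480000000","_TRANSPORT":"kernel","PRIORITY":"6","_UDEV_DEVLINK":["/dev/disk/by-id/constructed-a","/dev/disk/by-label/constructed-b"],"MESSAGE":"sda: attached"}
{"__CURSOR":"s=constructed-2","__REALTIME_TIMESTAMP":"1595823481000000","_TRANSPORT":"stdout","PRIORITY":"6","_LINE_BREAK":"eof","MESSAGE":[100,111,110,101,27]}
{"__CURSOR":"s=constructed-3","__REALTIME_TIMESTAMP":"1595823482000000","_TRANSPORT":"stdout","PRIORITY":"3","COREDUMP_PROC_MAPS":null,"MESSAGE":"sda: attached"}
"""


def values_of(raw):
    """Normalise one JSON field value to a list of hashable values."""
    if raw is None:
        # Value was too large and was printed as null: nothing to count.
        return []
    if isinstance(raw, list):
        if raw and all(isinstance(b, int) for b in raw):
            # Binary data is printed as an array of byte numbers: one value.
            return [bytes(raw)]
        # A field that appears more than once per entry: one value per item.
        return [v for item in raw for v in values_of(item)]
    return [raw]


def field_inventory(lines):
    """Map each field name to its number of distinct values.

    Counterpart of `journalctl -N` (the keys) and of
    `journalctl -F FIELD | wc -l` (the counts), computed in one pass.
    """
    seen = defaultdict(set)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        for name, raw in json.loads(line).items():
            if name.startswith("__"):
                # Address fields exist only in serialized output; they are
                # not stored fields and cannot be used as matches.
                continue
            seen[name].update(values_of(raw))
    return {name: len(vals) for name, vals in sorted(seen.items())}


if __name__ == "__main__":
    for name, count in field_inventory(SAMPLE_JSON_LINES.splitlines()).items():
        print(f"{name}\t{count}")
```

Unlike `wc -l`, this counts values rather than output lines, so a value that contains newlines is counted once. Values printed as null are not counted; `journalctl --all -o json` prints them in full.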

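List of fields currently available on this machine...

Columns: man page entry number | field (journalctl -N) | number of distinct values (journalctl -F FIELD | wc -l) | example values (journalctl -F FIELD) | keyword

USER JOURNAL FIELDS
1 | MESSAGE | 0 | | message
2 | MESSAGE_ID | 0 | | message ID
3 | PRIORITY | 7 | | priority
4 | CODE_FILE | 47 | | source file name
4 | CODE_FUNC | 42 | | function name
4 | CODE_LINE | 127 | | code line number
5 | ERRNO | 1 | 105 | error number
6 | INVOCATION_ID | 2707 | | invocation ID
6 | USER_INVOCATION_ID | 1425 | | user invocation ID
7 | SYSLOG_FACILITY | 6 | | syslog facility
7 | SYSLOG_IDENTIFIER | 48 | | syslog identifier
7 | SYSLOG_PID | 140 | | syslog pid
7 | SYSLOG_TIMESTAMP | 74168 | | syslog timestamp
8 | SYSLOG_RAW | 1686 | | raw syslog content

TRUSTED JOURNAL FIELDS
9 | _GID | 8 | | gid
9 | _PID | 13362 | | pid
9 | _UID | 8 | | uid
10 | _CMDLINE | 579 | | command line
10 | _COMM | 52 | | command name
10 | _EXE | 46 | | executable path
11 | _CAP_EFFECTIVE | 12 | | effective capabilities
12 | _AUDIT_LOGINUID | 3 | 1001; 620; .. | login ID (audit)
12 | _AUDIT_SESSION | 9 | | session (audit)
13 | _SYSTEMD_CGROUP | 55 | | systemd control group path
13 | _SYSTEMD_OWNER_UID | 2 | 1001; 620 | systemd owner uid
13 | _SYSTEMD_SESSION | 6 | 5; c2; 2; c1; 7; c3 | systemd session
13 | _SYSTEMD_SLICE | 6 | user-1001.slice; user-620.slice… | systemd slice unit name
13 | _SYSTEMD_UNIT | 42 | | systemd unit name
13 | _SYSTEMD_USER_SLICE | 1 | -.slice | systemd user slice
13 | _SYSTEMD_USER_UNIT | 9 | gvfs-daemon.service; thunar.service | systemd user unit
15 | _SOURCE_REALTIME_TIMESTAMP | 0 | | source realtime timestamp
16 | _BOOT_ID | 31 | | boot ID
17 | _MACHINE_ID | 1 | 213df5b115df44afa70277ddc24726ef | machine ID
18 | _SYSTEMD_INVOCATION_ID | 530 | | systemd invocation ID
19 | _HOSTNAME | 1 | tompc | host name
20 | _TRANSPORT | 6 | syslog; stdout; audit; journal; driver; kernel | transport
21 | _STREAM_ID | 440 | | stream ID
22 | _LINE_BREAK | 1 | eof | non-standard line break

KERNEL JOURNAL FIELDS
24 | _KERNEL_DEVICE | 126 | | kernel device
25 | _KERNEL_SUBSYSTEM | 16 | | kernel subsystem
26 | _UDEV_SYSNAME | 95 | | kernel device under /sys
27 | _UDEV_DEVNODE | 42 | | device node path in /dev

32 | COREDUMP_UNIT | 2 | session-2.scope; session-5.scope | core dump unit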

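Columns: field (journalctl -N) | number of distinct values (journalctl -F FIELD | wc -l) | example values (journalctl -F FIELD) | keyword

_AUDIT_FIELD_A0 | 5 | | audit field a0
_AUDIT_FIELD_A1 | 165 | | audit field a1
_AUDIT_FIELD_A2 | 5 | | audit field a2
_AUDIT_FIELD_A3 | 187 | | audit field a3
_AUDIT_FIELD_ARCH | 1 | c000003e | audit field arch
_AUDIT_FIELD_AUDIT_ENABLED | 1 | 1 | audit field audit enabled
_AUDIT_FIELD_AUDIT_PID | 1 | 1 | audit field audit pid
_AUDIT_FIELD_DEV | 2 | wlp16s0, wlan0 | audit field device (wireless network)
_AUDIT_FIELD_EXIT | 5 | | audit field exit
_AUDIT_FIELD_ITEMS | 1 | 0 | audit field items
_AUDIT_FIELD_KEY | 1 | (null) | audit field key
_AUDIT_FIELD_OLD | 8 | | audit field old
_AUDIT_FIELD_OLD_PROM | 2 | 0; 256 | audit field old prom
_AUDIT_FIELD_PROM | 2 | 0; 256 | audit field prom
_AUDIT_FIELD_OP | 3 | UNLOAD; LOAD; set | audit field operation
_AUDIT_FIELD_PROG_ID | 78 | | audit field program ID
_AUDIT_FIELD_RES | 1 | 1 | audit field res
_AUDIT_FIELD_SGID | 3 | 985; 620; 0 | audit field sgid (group id)
_AUDIT_FIELD_SIG | 1 | 11 | audit field signal
_AUDIT_FIELD_SUCCESS | 1 | yes | audit field success
_AUDIT_FIELD_SUID | 3 | 1001; 620; 0 | audit field suid
_AUDIT_FIELD_SYSCALL | 4 | 54; 321; 1; 44 | audit field system call
_AUDIT_ID | 31545 | | audit ID
_AUDIT_TYPE | 22 | | audit type
_AUDIT_TYPE_NAME | 22 | | audit type name
_EGID | 3 | 985; 620; 0 | egid
_EUID | 3 | 1001; 620; 0 | euid
_FSGID | 3 | 985; 620; 0 | fsgid
_FSUID | 3 | 1001; 620; 0 | fsuid
_PPID | 45 | | ppid
_SOURCE_MONOTONIC_TIMESTAMP | 10103 | | source monotonic timestamp
_TTY | 5 | pts2; pts0; (none); pts1; Pts3 | tty
AUDIT_FIELD_ACCT | 9 | root, toma, lightdm, pcp, couchdb, | audit field acct
AUDIT_FIELD_ADDR | 1 | ? | audit field addr
AUDIT_FIELD_COMM | 2 | systemd-update-utmp; systemd | audit field comm
AUDIT_FIELD_EXE | 7 | /usr/bin/unix_chkpwd; /usr/bin/sudo… | audit field exe
AUDIT_FIELD_GRANTORS | 11 | pam… | audit field grantors
AUDIT_FIELD_HOSTNAME | 2 | tompc; ? | audit field host name
AUDIT_FIELD_ID | 7 | | audit field ID
AUDIT_FIELD_NAME | 2 | "China-cHen"; "China-cHen_5G" | audit field name (wireless network)
AUDIT_FIELD_OP | 10 | PAM:unix_chkpwd; logout; login… | audit field operation
AUDIT_FIELD_PID | 7 | | audit field pid
AUDIT_FIELD_RES | 2 | failed; success | audit field res
AUDIT_FIELD_RESULT | 1 | success | audit field result
AUDIT_FIELD_TERMINAL | 10 | /dev/pts/3; /dev/tty7 | audit field terminal
AUDIT_FIELD_UID | 1 | 1001 | audit field uid
AUDIT_FIELD_UNIT | 67 | | audit field unit
AUDIT_FIELD_UUID | 2 | | audit field uuid
AVAILABLE | 24 | | available
AVAILABLE_PRETTY | 5 | 2.4G; 2.5G; 389.6M; 2.2G; 2.3G | available (pretty)
COMMAND | 1 | ExecStart | command
COREDUMP_CGROUP | 2 | /user.slice/user-1001.slice/session-2.scope; /user.slice/user-1001.slice/session-5.scope | core dump cgroup
COREDUMP_CMDLINE | 10 | | core dump command line
COREDUMP_COMM | 3 | chromium; xfce4-session; pluma | core dump comm
COREDUMP_CWD | 1 | /home/toma | core dump cwd
COREDUMP_ENVIRON | 7826 | | core dump environment (contains blank lines)
COREDUMP_EXE | 3 | /usr/lib/chromium/chromium; /usr/bin/xfce4-session; /usr/bin/pluma | core dump exe
COREDUMP_FILENAME | 14 | | core dump file name
COREDUMP_GID | 1 | 985 | core dump gid
COREDUMP_HOSTNAME | 1 | tompc | core dump host name
COREDUMP_OPEN_FDS | 11545 | | core dump open fds
COREDUMP_OWNER_UID | 1 | 1001 | core dump owner uid
COREDUMP_PID | 14 | | core dump pid
COREDUMP_PROC_CGROUP | 140 | | core dump proc cgroup
COREDUMP_PROC_LIMITS | 18 | | core dump process limits (table)
COREDUMP_PROC_MAPS | 19025 | | core dump proc maps
COREDUMP_PROC_MOUNTINFO | 370 | | core dump proc mountinfo
COREDUMP_PROC_STATUS | 784 | | core dump proc status
COREDUMP_RLIMIT | 1 | | core dump rlimit
COREDUMP_ROOT | 1 | / | core dump root
COREDUMP_SESSION | 2 | 2; 5 | core dump session
COREDUMP_SIGNAL | 1 | 11 | core dump signal
COREDUMP_SIGNAL_NAME | 1 | SIGSEGV | core dump signal name
COREDUMP_SLICE | 1 | user-1001.slice | core dump slice
COREDUMP_TIMESTAMP | 14 | | core dump timestamp
COREDUMP_TRUNCATED | 1 | 1 | core dump truncated
COREDUMP_UID | 1 | 1001 | core dump
CURRENT_USE | 24 | | current use
CURRENT_USE_PRETTY | 23 | | current use (pretty)
DEVICE | 1 | controlC0 | device
DISK_AVAILABLE | 27 | | disk available
DISK_AVAILABLE_PRETTY | 8 | | disk available (pretty)
DISK_KEEP_FREE | 2 | | disk keep free
DISK_KEEP_FREE_PRETTY | 2 | 1.4G; 198.8M | disk keep free (pretty)
EXIT_CODE | 1 | exited | exit code
EXIT_STATUS | 1 | 1 | exit status
GLIB_DOMAIN | 5 | udisks; tumblerd; xfconfd; tumbler; Gdk | glib domain
GLIB_OLD_LOG_API | 1 | 1 | glib old log api
JOB_ID | 1542 | | job ID
JOB_RESULT | 2 | done; failed | job result
JOB_TYPE | 4 | stop; start; restart; reload | job type
JOURNAL_NAME | 2 | System Journal; Runtime Journal | journal name
JOURNAL_PATH | 2 | /var/log/journal/…; /run/log/journal/… | journal path
KERNEL_USEC | 23 | | kernel usec
LEADER | 41 | | leader
LIMIT | 2 | 3211776000; 416927744 | limit
LIMIT_PRETTY | 2 | 2.9G; 397.6M | limit (pretty)
MAX_USE | 2 | 3211776000; 416927744 | max use
MAX_USE_PRETTY | 2 | 2.9G; 397.6M | max use (pretty)
N_RESTARTS | 5 | | number of restarts
NM_DEVICE | 4 | wlp16s0; enp0s25; lo; wlan0 | nm device (network)
NM_LOG_DOMAINS | 15 | DHCP4; DHCP6; DNS; WIFI; SUSPEND; CORE; AUDIT… | nm log domains
NM_LOG_LEVEL | 2 | INFO; WARN | nm log level
QT_CATEGORY | 3 | default; qt.qpa.xcb; qt.svg | qt category
SEAT_ID | 1 | seat0 | seat id
SESSION_ID | 6 | 5; c2; 2; c1; 7; c3 | session ID
SHUTDOWN | 2 | power-off; reboot | shutdown
SIZE_LIMIT | 1 | 2147483648 | size limit
SLEEP | 1 | suspend | sleep
THREAD_ID | 15 | | thread ID
TIMESTAMP_BOOTTIME | 11245 | | timestamp boottime
TIMESTAMP_MONOTONIC | 11245 | | timestamp monotonic
UNIT | 148 | | unit
UNIT_RESULT | 2 | resources; exit-code | unit result
USER_ID | 2 | toma; lightdm | user ID
USER_UNIT | 38 | | user unit
USERSPACE_USEC | 86 | | userspace usec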

For concrete usage, see the examples in the man page:
https://szosoft.blogspot.com/2020/07/man-journalctl-cn.html#4
https://www.cnblogs.com/sztom/p/13385056.html#4

