SDJOURNAL(1)                                                      SDJOURNAL(1)



NAME
       sdjournal - Provide an interface to capture systemd journal entries.

SYNOPSIS
       sdjournal [ --help ] [ --version ] [ --extcap-interfaces ]
       [ --extcap-dlts ] [ --extcap-interface=<interface> ]
       [ --extcap-config ] [ --capture ] [ --fifo=<path to file or pipe> ]
       [ --start-from=<entry count> ]

DESCRIPTION
       sdjournal is an extcap tool that allows one to capture systemd journal
       entries. It can be used to correlate system events with network
       traffic.

       Supported interfaces:

        1. sdjournal

OPTIONS
       --help

           Print program arguments.

       --version

           Print program version.

       --extcap-interfaces

           List available interfaces.

       --extcap-interface=<interface>

           Use the specified interface.

       --extcap-dlts

           List DLTs of the specified interface.

       --extcap-config

           List configuration options of the specified interface.

       --capture

           Start capturing from the specified interface and write raw packet
           data to the location specified by --fifo.

       --fifo=<path to file or pipe>

           Save captured packets to a file or send them through a pipe.

       --start-from=<entry count>

           Start from the last <entry count> entries, similar to the "-n" or
           "--lines" argument for the tail(1) command. Values prefixed with a
           + sign start from the beginning of the journal, otherwise the count
           starts from the end. The default value is 10. To include all
           entries use +0.

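       The --start-from rules above (a "+N" count from the head, a plain "N"
       count back from the tail, default 10, "+0" for everything) are easy to
       get wrong when reasoning about how much history a capture will include.
       The following is an added illustration, not code from Wireshark or from
       sdjournal itself; it assumes tail(1)-like semantics for the plain count
       and clamps over-large counts to the journal size rather than failing.
       The function names and the twelve sample entries are constructed for
       the example.

```python
import re
from typing import List, Optional, Sequence

DEFAULT_ENTRY_COUNT = 10  # documented default for --start-from

# Accepts an optional leading "+" followed by a decimal count.
_START_FROM_RE = re.compile(r"^(\+?)(\d+)$")


def resolve_start_index(start_from: Optional[str], total_entries: int) -> int:
    """Return the 0-based index of the first journal entry to emit.

    Mirrors the documented --start-from rules (assumed tail(1)-like):
      "+N" counts from the beginning of the journal, so "+0" means everything.
      "N"  counts back from the end, so "10" means the last ten entries.
      None uses the documented default of 10.
    Results are clamped to [0, total_entries] so an over-large count never
    produces a negative index or an out-of-range slice.
    """
    if total_entries < 0:
        raise ValueError("total_entries must be non-negative")
    if start_from is None:
        start_from = str(DEFAULT_ENTRY_COUNT)
    m = _START_FROM_RE.match(start_from.strip())
    if not m:
        raise ValueError(f"invalid --start-from value: {start_from!r}")
    sign, digits = m.groups()
    count = int(digits)
    if sign == "+":
        return min(count, total_entries)   # skip `count` entries from the head
    return max(total_entries - count, 0)   # keep the last `count` entries


def select_entries(entries: Sequence[str], start_from: Optional[str] = None) -> List[str]:
    """Apply resolve_start_index to an in-memory list of entries."""
    return list(entries[resolve_start_index(start_from, len(entries)):])


# Constructed sample: twelve fake journal lines, not real system output.
SAMPLE_ENTRIES = [f"entry-{i:02d}" for i in range(12)]

if __name__ == "__main__":
    print(select_entries(SAMPLE_ENTRIES))        # default: last 10 entries
    print(select_entries(SAMPLE_ENTRIES, "+0"))  # everything
    print(select_entries(SAMPLE_ENTRIES, "+3"))  # skip the first three
    print(select_entries(SAMPLE_ENTRIES, "5"))   # last five
```

       The clamping matters when correlating with a packet capture: asking
       for the last 500 entries of a 100-entry journal should yield the whole
       journal, and "+500" on the same journal yields nothing, which is the
       behaviour the assertions below pin down.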

EXAMPLES

66       To see program arguments:
67
68           sdjournal --help
69
70       To see program version:
71
72           sdjournal --version
73
74       To see interfaces:
75
76           sdjournal --extcap-interfaces
77
78       Only one interface (sdjournal) is supported.
79
80       Example output
81
82           interface {value=sdjournal}{display=systemd journal capture}
83
84       To see interface DLTs:
85
86           sdjournal --extcap-interface=sdjournal --extcap-dlts
87
88       Example output
89
90           dlt {number=147}{name=sdjournal}{display=USER0}
91
92       To see interface configuration options:
93
94           sdjournal --extcap-interface=sdjournal --extcap-config
95
96       Example output
97
98           arg {number=0}{call=--start-from}{display=Starting position}{type=string}
99               {tooltip=The journal starting position. Values with a leading "+" start from the beginning, similar to the "tail" command}
100
101       To capture:
102
103           sdjournal --extcap-interface=sdjournal --fifo=/tmp/sdjournal.pcap --capture
104
105       To capture all entries since the system was booted:
106
107           sdjournal --extcap-interface=sdjournal --fifo=/tmp/sdjournal.pcap --capture --start-from +0
108
109           Note
110           To stop capturing CTRL+C/kill/terminate the application.
111
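       The interface, dlt and arg lines shown in the examples above are the
       extcap discovery records that Wireshark reads from the tool's stdout.
       Below is an added example of a small parser for that record format; it
       is not Wireshark's own extcap code. It assumes each record is a keyword
       followed by {key=value} fields, that a line beginning with "{" continues
       the previous record (as the wrapped tooltip in the --extcap-config
       output does), and that values contain no braces. The sample text is the
       three example outputs from this page, embedded as a constructed string;
       the function names are invented for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

Record = Tuple[str, Dict[str, str]]

# One {key=value} field. Keys and values may not contain braces; the
# tooltip in the sample contains double quotes but no braces, so that is
# sufficient for the records sdjournal prints.
_FIELD_RE = re.compile(r"\{([^{}=]+)=([^{}]*)\}")


def parse_extcap_output(text: str) -> List[Record]:
    """Parse extcap discovery output into (kind, fields) records.

    Each record begins with a keyword (interface, dlt, arg, ...) followed
    by {key=value} fields. A line starting with "{" is treated as a
    continuation of the preceding record and its fields are merged into
    it. Any text that is not part of a well-formed field is rejected so
    that malformed or truncated output is noticed rather than silently
    dropped.
    """
    records: List[Record] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("{"):
            if not records:
                raise ValueError("continuation line with no preceding record")
            kind, fields = records[-1]
        else:
            kind, _, rest = line.partition(" ")
            line = rest.strip()
            fields = {}
            records.append((kind, fields))
        leftover = _FIELD_RE.sub("", line).strip()
        if leftover:
            raise ValueError(f"unparsed text in {kind} record: {leftover!r}")
        for key, value in _FIELD_RE.findall(line):
            fields[key] = value
    return records


def find_arg(records: List[Record], call: str) -> Optional[Dict[str, str]]:
    """Return the arg record whose {call=...} matches, or None."""
    for kind, fields in records:
        if kind == "arg" and fields.get("call") == call:
            return fields
    return None


# Constructed sample: the three example outputs from the man page, with the
# tooltip wrapped onto a continuation line exactly as the page shows it.
SAMPLE_OUTPUT = """\
interface {value=sdjournal}{display=systemd journal capture}
dlt {number=147}{name=sdjournal}{display=USER0}
arg {number=0}{call=--start-from}{display=Starting position}{type=string}
    {tooltip=The journal starting position. Values with a leading "+" start from the beginning, similar to the "tail" command}
"""

if __name__ == "__main__":
    for kind, fields in parse_extcap_output(SAMPLE_OUTPUT):
        print(kind, fields)
```

       Run against the real tool, the same function would be fed the output of
       "sdjournal --extcap-interfaces", "--extcap-dlts" and "--extcap-config"
       in turn; the strict leftover check is what distinguishes a record the
       tool wrote from stray text mixed into its stdout.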
SEE ALSO
       wireshark(1), tshark(1), dumpcap(1), extcap(4), tcpdump(1)

NOTES
       sdjournal is part of the Wireshark distribution. The latest version of
       Wireshark can be found at https://www.wireshark.org.

       HTML versions of the Wireshark project man pages are available at
       https://www.wireshark.org/docs/man-pages.

AUTHORS
       Original Author
       Gerald Combs <gerald[AT]wireshark.org>



                                 2023-08-31                      SDJOURNAL(1)