1SDJOURNAL(1) SDJOURNAL(1)
2
3
4
6 sdjournal - Provide an interface to capture systemd journal entries.
7
9 sdjournal [ --help ] [ --version ] [ --extcap-interfaces ]
10 [ --extcap-dlts ] [ --extcap-interface=<interface> ]
11 [ --extcap-config ] [ --capture ] [ --fifo=<path to file or pipe> ]
12 [ --start-from=<entry count> ]
13
15 sdjournal is an extcap tool that allows one to capture systemd journal
16 entries. It can be used to correlate system events with network
17 traffic.
18
19 Supported interfaces:
20
21 1. sdjournal
22
24 --help
25
26 Print program arguments.
27
28 --version
29
30 Print program version.
31
32 --extcap-interfaces
33
34 List available interfaces.
35
36 --extcap-interface=<interface>
37
38 Use specified interfaces.
39
40 --extcap-dlts
41
42 List DLTs of specified interface.
43
44 --extcap-config
45
46 List configuration options of specified interface.
47
48 --capture
49
50 Start capturing from specified interface and write raw packet data
51 to the location specified by --fifo.
52
53 --fifo=<path to file or pipe>
54
55 Save captured packet to file or send it through pipe.
56
57 --start-from=<entry count>
58
59 Start from the last <entry count> entries, similar to the "-n" or
60 "--lines" argument for the tail(1) command. Values prefixed with a
61 + sign start from the beginning of the journal, otherwise the count
62 starts from the end. The default value is 10. To include all
63 entries use +0.
64
66 To see program arguments:
67
68 sdjournal --help
69
70 To see program version:
71
72 sdjournal --version
73
74 To see interfaces:
75
76 sdjournal --extcap-interfaces
77
78 Only one interface (sdjournal) is supported.
79
80 Example output
81
82 interface {value=sdjournal}{display=systemd journal capture}
83
84 To see interface DLTs:
85
86 sdjournal --extcap-interface=sdjournal --extcap-dlts
87
88 Example output
89
90 dlt {number=147}{name=sdjournal}{display=USER0}
91
92 To see interface configuration options:
93
94 sdjournal --extcap-interface=sdjournal --extcap-config
95
96 Example output
97
98 arg {number=0}{call=--start-from}{display=Starting position}{type=string}
99 {tooltip=The journal starting position. Values with a leading "+" start from the beginning, similar to the "tail" command}
100
101 To capture:
102
103 sdjournal --extcap-interface=sdjournal --fifo=/tmp/sdjournal.pcap --capture
104
105 To capture all entries since the system was booted:
106
107 sdjournal --extcap-interface=sdjournal --fifo=/tmp/sdjournal.pcap --capture --start-from +0
108
109 Note
110 To stop capturing CTRL+C/kill/terminate application.
111
113 wireshark(1), tshark(1), dumpcap(1), extcap(4), tcpdump(1)
114
116 sdjournal is part of the Wireshark distribution. The latest version of
117 Wireshark can be found at https://www.wireshark.org.
118
119 HTML versions of the Wireshark project man pages are available at
120 https://www.wireshark.org/docs/man-pages.
121
123 Original Author
124 Gerald Combs <gerald[AT]wireshark.org>
125
126
127
128 2021-11-25 SDJOURNAL(1)