sdjournal man page

sdjournal — Provide an interface to capture systemd journal entries.

Synopsis

sdjournal [ --help ] [ --version ] [ --extcap-interfaces ] [ --extcap-dlts ] [ --extcap-interface=<interface> ] [ --extcap-config ] [ --capture ] [ --fifo=<path to file or pipe> ] [ --start-from=<entry count> ]

Description

sdjournal is an extcap tool that allows one to capture systemd journal entries. It can be used to correlate system events with network traffic.

Supported interfaces:

1. sdjournal

Options

--help

Print program arguments.

--version

Print program version.

--extcap-interfaces

List available interfaces.

--extcap-interface=<interface>

Use the specified interface.

--extcap-dlts

List DLTs of specified interface.

--extcap-config

List configuration options of specified interface.

--capture

Start capturing from specified interface and write raw packet data to the location specified by --fifo.

--fifo=<path to file or pipe>

Save captured packets to a file or send them through a pipe.

--start-from=<entry count>

Start from the last <entry count> entries, similar to the “-n” or “--lines” argument for the tail(1) command. Values prefixed with a + sign start from the beginning of the journal, otherwise the count starts from the end. The default value is 10. To include all entries use +0.

Examples

To see program arguments:

    sdjournal --help

To see program version:

    sdjournal --version

To see interfaces:

    sdjournal --extcap-interfaces

Only one interface (sdjournal) is supported.

  Output:
    interface {value=sdjournal}{display=systemd journal capture}

To see interface DLTs:

    sdjournal --extcap-interface=sdjournal --extcap-dlts

  Output:
    dlt {number=147}{name=sdjournal}{display=USER0}

To see interface configuration options:

    sdjournal --extcap-interface=sdjournal --extcap-config

  Output:

    arg {number=0}{call=--start-from}{display=Starting position}{type=string}
        {tooltip=The journal starting position. Values with a leading "+" start from the beginning, similar to the "tail" command}
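As an added example, not part of the Wireshark man page or of the sdjournal extcap code itself, the following Python parses the "{key=value}" discovery lines shown above (the --extcap-interfaces, --extcap-dlts and --extcap-config output), applies the --start-from rules documented under Options, and assembles a capture command line of the form used in the Examples section. The sample output text is constructed from the lines on this page; the function names are the example's own.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the three discovery outputs shown on this page, with the
# wrapped tooltip continuation line exactly as the man page prints it.
SAMPLE_EXTCAP_OUTPUT = """
    interface {value=sdjournal}{display=systemd journal capture}
    dlt {number=147}{name=sdjournal}{display=USER0}
    arg {number=0}{call=--start-from}{display=Starting position}{type=string}
        {tooltip=The journal starting position. Values with a leading "+" start from the beginning, similar to the "tail" command}
"""

# One "{key=value}" group; values run up to the closing brace.
_GROUP_RE = re.compile(r"\{([^=}]+)=([^}]*)\}")


def parse_extcap_line(line: str) -> Tuple[str, Dict[str, str]]:
    """Split one extcap discovery line into its keyword and its key/value groups,
    e.g. 'dlt {number=147}{name=sdjournal}{display=USER0}' becomes
    ('dlt', {'number': '147', 'name': 'sdjournal', 'display': 'USER0'})."""
    line = line.strip()
    keyword, _, rest = line.partition(" ")
    if not keyword or not rest.startswith("{"):
        raise ValueError(f"not an extcap discovery line: {line!r}")
    return keyword, {m.group(1): m.group(2) for m in _GROUP_RE.finditer(rest)}


def parse_extcap_output(text: str) -> List[Tuple[str, Dict[str, str]]]:
    """Parse a whole block of discovery output. A line that starts with '{' is a
    wrapped continuation of the previous record and is joined onto it."""
    records: List[Tuple[str, Dict[str, str]]] = []
    current = ""
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped:
            continue
        if stripped.startswith("{") and current:
            current += stripped          # continuation of the previous record
            continue
        if current:
            records.append(parse_extcap_line(current))
        current = stripped
    if current:
        records.append(parse_extcap_line(current))
    return records


def resolve_start_from(value: str = "10") -> Tuple[str, int]:
    """Interpret --start-from as documented: a leading '+' counts from the
    beginning of the journal ("head"), otherwise the count is taken from the
    end ("tail"); the default is 10 and '+0' selects every entry."""
    text = value.strip()
    if text.startswith("+"):
        origin, digits = "head", text[1:]
    else:
        origin, digits = "tail", text
    if not digits.isdigit():
        raise ValueError(f"invalid --start-from value: {value!r}")
    return origin, int(digits)


def sdjournal_capture_argv(fifo: str, start_from: Optional[str] = None) -> List[str]:
    """Build the capture command line shown in the Examples section, validating
    the --start-from value before it is handed to the tool."""
    argv = ["sdjournal", "--extcap-interface=sdjournal", f"--fifo={fifo}", "--capture"]
    if start_from is not None:
        resolve_start_from(start_from)
        argv.append(f"--start-from={start_from}")
    return argv


if __name__ == "__main__":
    for keyword, fields in parse_extcap_output(SAMPLE_EXTCAP_OUTPUT):
        print(keyword, fields)
    print(resolve_start_from("+0"), resolve_start_from())
    print(" ".join(sdjournal_capture_argv("/tmp/sdjournal.pcap", "+0")))
```

The parser keys on the record keyword rather than on indentation, because the man page indents both records and their wrapped continuation lines; a continuation is recognised solely by starting with "{".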

To capture:

    sdjournal --extcap-interface=sdjournal --fifo=/tmp/sdjournal.pcap --capture

To capture all entries since the system was booted:

    sdjournal --extcap-interface=sdjournal --fifo=/tmp/sdjournal.pcap --capture --start-from +0

NOTE: To stop capturing, press CTRL+C or kill/terminate the application.

See Also

wireshark(1), tshark(1), dumpcap(1), extcap(4), tcpdump(1)

Notes

sdjournal is part of the Wireshark distribution.  The latest version of Wireshark can be found at <https://www.wireshark.org>.

HTML versions of the Wireshark project man pages are available at: <https://www.wireshark.org/docs/man-pages>.

Authors

  Original Author
  -------- ------
  Gerald Combs             <gerald[AT]wireshark.org>

Info

2019-10-30 3.0.5 The Wireshark Network Analyzer