How do you get the original logging text from journald without the extra date, time and process information prefixed?

As I’m sure lots of programmers will do, if I’m really digging deep into some weird behavior during development I’ll be cranking the logging up to 11. Often these log lines get left in place and can be turned on in production if so required.

I recently had need to do this as I was hoping to re-parse some log data into valid SIP packets. Turning up the log level revealed the packets as expected, but not quite as usable as remembered. The output from journald gave all my neat packet lines but prefixed with date, time and process information.

For example, the opening packet line:

  INVITE sip:[email protected] SIP/2.0

Had become:

  Jun 01 16:05:31 devco gg-scs-processor[10048]: INVITE sip:[email protected] SIP/2.0

Not the end of the world, I started crafting some sed command to ditch the unwanted prefix when it occurred to me that journald can output JSON with the original message in its own field. That means it can probably just output the original message in a plain text format. The prefix is clearly not stored permanently on the front of the log line.

A look at the man page shows this is indeed possible:

   -o, --output=
       Controls the formatting of the journal entries that are shown. Takes one of the following options:

       short
           is the default and generates an output that is mostly identical to the formatting of classic syslog files, showing one line per journal entry.

        [...]

       json-pretty
           formats entries as JSON data structures, but formats them in multiple lines in order to make them more readable by humans.

        [...]

       cat
           generates a very terse output, only showing the actual message of each journal entry with no metadata, not even a timestamp.

I left in json-pretty above as I hadn’t realised that was an available option before, however it’s the cat output we are interested in. A quick argument adjustment to my journalctl command and suddenly my data is available in a plain format just as required.

I think this is the most useful thing I’ve discovered with journald since I realised that since and until can take relative time values.

A Blog Programming Note

I typed this up, went to preview it in the browser and realised whilst looking at the listings page that I haven’t published anything yet in 2020! My _drafts folder tells me that if I want to put out blog posts consistently I had best stick to the point and avoid long write-ups which tend to take me months to finish, if they get finished at all. The email sign up for this blog used to say “…posts every 2 to 3 weeks”, not quite!