23.10. Using the Journal
rsyslogd
. The Journal was developed to address problems connected with traditional logging. It is closely integrated with the rest of the system, supports various logging technologies and access management for the log files.
journald
service. It creates and maintains binary files called journals based on logging information that is received from the kernel, from user processes, from standard output, and standard error output of system services or via its native API. These journals are structured and indexed, which provides relatively fast seek times. Journal entries can carry a unique identifier. The journald
service collects numerous meta data fields for each log message. The actual journal files are secured, and therefore cannot be manually edited.
23.10.1. Viewing Log Files
root
:
journalctl
/var/log/messages/
but with certain improvements:
- the priority of entries is marked visually. Lines of error priority and higher are highlighted with red color and a bold font is used for lines with notice and warning priority
- the time stamps are converted for the local time zone of your system
- all logged data is shown, including rotated logs
- the beginning of a boot is tagged with a special line
Example 23.18. Example Output of journalctl
# journalctl
-- Logs begin at Thu 2013-08-01 15:42:12 CEST, end at Thu 2013-08-01 15:48:48 CEST. --
Aug 01 15:42:12 localhost systemd-journal[54]: Allowing runtime journal files to grow to 49.7M.
Aug 01 15:42:12 localhost kernel: Initializing cgroup subsys cpuset
Aug 01 15:42:12 localhost kernel: Initializing cgroup subsys cpu
[...]
journalctl
output is to use the -n
option that lists only the specified number of most recent log entries:
journalctl
-n
Number
journalctl
displays the ten most recent entries.
journalctl
command allows controlling the form of the output with the following syntax:
journalctl
-o
form
verbose
, which returns full-structured entry items with all fields, export
, which creates a binary stream suitable for backups and network transfer, and json
, which formats entries as JSON data structures. For the full list of keywords, see the journalctl(1)
manual page.
Example 23.19. Verbose journalctl Output
#journalctl
-o verbose
[...] Fri 2013-08-02 14:41:22 CEST [s=e1021ca1b81e4fc688fad6a3ea21d35b;i=55c;b=78c81449c920439da57da7bd5c56a770;m=27cc _BOOT_ID=78c81449c920439da57da7bd5c56a770 PRIORITY=5 SYSLOG_FACILITY=3 _TRANSPORT=syslog _MACHINE_ID=69d27b356a94476da859461d3a3bc6fd _HOSTNAME=localhost.localdomain _PID=562 _COMM=dbus-daemon _EXE=/usr/bin/dbus-daemon _CMDLINE=/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation _SYSTEMD_CGROUP=/system/dbus.service _SYSTEMD_UNIT=dbus.service SYSLOG_IDENTIFIER=dbus SYSLOG_PID=562 _UID=81 _GID=81 _SELINUX_CONTEXT=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 MESSAGE=[system] Successfully activated service 'net.reactivated.Fprint' _SOURCE_REALTIME_TIMESTAMP=1375447282839181 [...]
systemd.journal-fields(7)
manual page.
23.10.2. Access Control
root
privileges can only see log files generated by them. The system administrator can add selected users to the adm group, which grants them access to complete log files. To do so, type as root
:
usermod
-a
-G
adm username
journalctl
command as the root user. Note that access control only works when persistent storage is enabled for Journal.
23.10.3. Using The Live View
journalctl
shows the full list of entries, starting with the oldest entry collected. With the live view, you can supervise the log messages in real time as new entries are continuously printed as they appear. To start journalctl in live view mode, type:
journalctl
-f
23.10.4. Filtering Messages
journalctl
command executed without parameters is often extensive, therefore you can use various filtering methods to extract information to meet your needs.
Filtering by Priority
journalctl
-p
priority
debug
(7), info
(6), notice
(5), warning
(4), err
(3), crit
(2), alert
(1), and emerg
(0).
Example 23.20. Filtering by Priority
journalctl
-p err
Filtering by Time
journalctl
-b
-b
will not significantly reduce the output of journalctl
. In such cases, time-based filtering is more helpful:
journalctl
--since
=value--until
=value
--since
and --until
, you can view only log messages created within a specified time range. You can pass values to these options in form of date or time or both as shown in the following example.
Example 23.21. Filtering by Time and Priority
journalctl
-p warning
--since="2013-3-16 23:59:59"
Advanced Filtering
systemd
can store, see the systemd.journal-fields(7)
manual page. This meta data is collected for each log message, without user intervention. Values are usually text-based, but can take binary and large values; fields can have multiple values assigned though it is not very common.
journalctl
-F
fieldname
journalctl
fieldname=value
Note
systemd
is quite large, it is easy to forget the exact name of the field of interest. When unsure, type:
journalctl
journalctl
fieldname=
journalctl
-F
fieldname.
journalctl
fieldname=value1 fieldname=value2 ...
OR
combination of the matches. Entries matching value1 or value2 are displayed.
journalctl
fieldname1=value fieldname2=value ...
AND
. Entries have to match both conditions to be shown.
OR
combination of matches for multiple fields:
journalctl
fieldname1=value + fieldname2=value ...
Example 23.22. Advanced filtering
avahi-daemon.service
or crond.service
under user with UID 70, use the following command:
journalctl
_UID=70
_SYSTEMD_UNIT=avahi-daemon.service
_SYSTEMD_UNIT=crond.service
_SYSTEMD_UNIT
field, both results will be displayed, but only when matching the _UID=70
condition. This can be expressed simply as: (UID=70 and (avahi or cron)).
journalctl
-f
fieldname=value ...
23.10.5. Enabling Persistent Storage
/run/log/journal/
directory. This is sufficient to show recent log history with journalctl
. This directory is volatile, log data is not saved permanently. With the default configuration, syslog reads the journal logs and stores them in the /var/log/
directory. With persistent logging enabled, journal files are stored in /var/log/journal
which means they persist after reboot. Journal can then replace rsyslog for some users (but see the chapter introduction).
- Richer data is recorded for troubleshooting in a longer period of time
- For immediate troubleshooting, richer data is available after a reboot
- Server console currently reads data from journal, not log files
- Even with persistent storage the amount of data stored depends on free memory, there is no guarantee to cover a specific time span
- More disk space is needed for logs
root
type:
mkdir
-p
/var/log/journal/
journald
to apply the change:
systemctl
restart
systemd-journald