23.10. Using the Journal
rsyslogd. The Journal was developed to address problems connected with traditional logging. It is closely integrated with the rest of the system, supports various logging technologies and access management for the log files.
journaldservice. It creates and maintains binary files called journals based on logging information that is received from the kernel, from user processes, from standard output, and standard error output of system services or via its native API. These journals are structured and indexed, which provides relatively fast seek times. Journal entries can carry a unique identifier. The
journaldservice collects numerous meta data fields for each log message. The actual journal files are secured, and therefore cannot be manually edited.
23.10.1. Viewing Log Files
/var/log/messages/but with certain improvements:
- the priority of entries is marked visually. Lines of error priority and higher are highlighted with red color and a bold font is used for lines with notice and warning priority
- the time stamps are converted for the local time zone of your system
- all logged data is shown, including rotated logs
- the beginning of a boot is tagged with a special line
Example 23.18. Example Output of journalctl
journalctl-- Logs begin at Thu 2013-08-01 15:42:12 CEST, end at Thu 2013-08-01 15:48:48 CEST. -- Aug 01 15:42:12 localhost systemd-journal: Allowing runtime journal files to grow to 49.7M. Aug 01 15:42:12 localhost kernel: Initializing cgroup subsys cpuset Aug 01 15:42:12 localhost kernel: Initializing cgroup subsys cpu [...]
journalctloutput is to use the
-noption that lists only the specified number of most recent log entries:
journalctldisplays the ten most recent entries.
journalctlcommand allows controlling the form of the output with the following syntax:
verbose, which returns full-structured entry items with all fields,
export, which creates a binary stream suitable for backups and network transfer, and
json, which formats entries as JSON data structures. For the full list of keywords, see the
Example 23.19. Verbose journalctl Output
-o verbose[...] Fri 2013-08-02 14:41:22 CEST [s=e1021ca1b81e4fc688fad6a3ea21d35b;i=55c;b=78c81449c920439da57da7bd5c56a770;m=27cc _BOOT_ID=78c81449c920439da57da7bd5c56a770 PRIORITY=5 SYSLOG_FACILITY=3 _TRANSPORT=syslog _MACHINE_ID=69d27b356a94476da859461d3a3bc6fd _HOSTNAME=localhost.localdomain _PID=562 _COMM=dbus-daemon _EXE=/usr/bin/dbus-daemon _CMDLINE=/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation _SYSTEMD_CGROUP=/system/dbus.service _SYSTEMD_UNIT=dbus.service SYSLOG_IDENTIFIER=dbus SYSLOG_PID=562 _UID=81 _GID=81 _SELINUX_CONTEXT=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 MESSAGE=[system] Successfully activated service 'net.reactivated.Fprint' _SOURCE_REALTIME_TIMESTAMP=1375447282839181 [...]
23.10.2. Access Control
rootprivileges can only see log files generated by them. The system administrator can add selected users to the adm group, which grants them access to complete log files. To do so, type as
journalctlcommand as the root user. Note that access control only works when persistent storage is enabled for Journal.
23.10.3. Using The Live View
journalctlshows the full list of entries, starting with the oldest entry collected. With the live view, you can supervise the log messages in real time as new entries are continuously printed as they appear. To start journalctl in live view mode, type:
23.10.4. Filtering Messages
journalctlcommand executed without parameters is often extensive, therefore you can use various filtering methods to extract information to meet your needs.
Filtering by Priority
Example 23.20. Filtering by Priority
Filtering by Time
-bwill not significantly reduce the output of
journalctl. In such cases, time-based filtering is more helpful:
--until, you can view only log messages created within a specified time range. You can pass values to these options in form of date or time or both as shown in the following example.
Example 23.21. Filtering by Time and Priority
systemdcan store, see the
systemd.journal-fields(7)manual page. This meta data is collected for each log message, without user intervention. Values are usually text-based, but can take binary and large values; fields can have multiple values assigned though it is not very common.
systemdis quite large, it is easy to forget the exact name of the field of interest. When unsure, type:
journalctlfieldname=value1 fieldname=value2 ...
ORcombination of the matches. Entries matching value1 or value2 are displayed.
journalctlfieldname1=value fieldname2=value ...
AND. Entries have to match both conditions to be shown.
ORcombination of matches for multiple fields:
journalctlfieldname1=value + fieldname2=value ...
Example 23.22. Advanced filtering
crond.serviceunder user with UID 70, use the following command:
_SYSTEMD_UNITfield, both results will be displayed, but only when matching the
_UID=70condition. This can be expressed simply as: (UID=70 and (avahi or cron)).
23.10.5. Enabling Persistent Storage
/run/log/journal/directory. This is sufficient to show recent log history with
journalctl. This directory is volatile, log data is not saved permanently. With the default configuration, syslog reads the journal logs and stores them in the
/var/log/directory. With persistent logging enabled, journal files are stored in
/var/log/journalwhich means they persist after reboot. Journal can then replace rsyslog for some users (but see the chapter introduction).
- Richer data is recorded for troubleshooting in a longer period of time
- For immediate troubleshooting, richer data is available after a reboot
- Server console currently reads data from journal, not log files
- Even with persistent storage the amount of data stored depends on free memory, there is no guarantee to cover a specific time span
- More disk space is needed for logs
journaldto apply the change: