Debian 11 Bullseye

Journald : Basic Usage (2021/09/23)

 
This page covers the basic usage of Journald, the log management service daemon.
[1] By default, Journald is running and collects much of the logging data on the system.
Therefore, if Journald [systemd-journald.service, systemd-journald.socket, systemd-journald-dev-log.socket] goes down, collection of that logging data also stops.
root@dlp:~# systemctl status systemd-journald.service

*  systemd-journald.service - Journal Service
     Loaded: loaded (/lib/systemd/system/systemd-journald.service; static)
     Active: active (running) since Wed 2021-09-22 19:31:44 CDT; 2h 17min ago
TriggeredBy: * systemd-journald-audit.socket
             * systemd-journald-dev-log.socket
             * systemd-journald.socket
       Docs: man:systemd-journald.service(8)
             man:journald.conf(5)
   Main PID: 235 (systemd-journal)
     Status: "Processing requests..."
      Tasks: 1 (limit: 4675)
     Memory: 15.0M
        CPU: 131ms
[2] Journald settings can be changed in [/etc/systemd/journald.conf].
All options are commented out by default; the commented values are the default parameters of Journald on Debian 11.
root@dlp:~# cat /etc/systemd/journald.conf

[Journal]
#Storage=auto
#Compress=yes
#Seal=yes
#SplitMode=uid
#SyncIntervalSec=5m
#RateLimitIntervalSec=30s
#RateLimitBurst=10000
#SystemMaxUse=
#SystemKeepFree=
#SystemMaxFileSize=
#SystemMaxFiles=100
#RuntimeMaxUse=
#RuntimeKeepFree=
#RuntimeMaxFileSize=
#RuntimeMaxFiles=100
#MaxRetentionSec=
#MaxFileSec=1month
#ForwardToSyslog=yes
#ForwardToKMsg=no
#ForwardToConsole=no
#ForwardToWall=yes
#TTYPath=/dev/console
#MaxLevelStore=debug
#MaxLevelSyslog=debug
#MaxLevelKMsg=notice
#MaxLevelConsole=info
#MaxLevelWall=emerg
#LineMax=48K
#ReadKMsg=yes
#Audit=no
[3] Where logging data is stored is set by [Storage=***] in [/etc/systemd/journald.conf].
Logging data is also stored in conventional files such as [/var/log/syslog] by Rsyslogd, because of the setting [ForwardToSyslog=yes] in Journald.
# parameters of [Storage=***]
#
# volatile   : stored only in memory, under [/run/log/journal]
# persistent : stored on disk, under [/var/log/journal]
#              if the disk is not writable (e.g. early boot), falls back to memory
# auto       : stored on disk if [/var/log/journal] exists
#              if it does not exist, stored in memory
# none       : no data is stored
#              but data is still forwarded to other targets such as the Syslog daemon if they are configured
#
# * storage in memory is not persistent; logging data is cleared when the system restarts

# with the default settings of Debian 11, [auto] is set and
# [/var/log/journal] exists, so logging data is stored in [/var/log/journal]

root@dlp:~# grep Storage /etc/systemd/journald.conf

#Storage=auto
root@dlp:~# ll -d /var/log/journal

drwxr-sr-x+ 3 root systemd-journal 4096 Aug 16 01:29 /var/log/journal

root@dlp:~# ll -Rh /var/log/journal

/var/log/journal:
total 4.0K
drwxr-sr-x+ 2 root systemd-journal 4.0K Sep 22 19:31 6d96b40f1a954b7cbd42a163bc9e82af

/var/log/journal/6d96b40f1a954b7cbd42a163bc9e82af:
total 57M
-rw-r-----+ 1 root systemd-journal 8.0M Aug 16 21:29 system@c98557962af340efb600ccd36f4dbfb0-0000000000000001-0005c9a7535c72c7.journal
-rw-r-----+ 1 root systemd-journal 8.0M Sep 22 18:38 system@c98557962af340efb600ccd36f4dbfb0-0000000000001310-0005c9b81768bef9.journal
-rw-r-----+ 1 root systemd-journal 8.0M Sep 22 19:31 system@c98557962af340efb600ccd36f4dbfb0-0000000000001656-0005cc9e023814c2.journal
-rw-r-----+ 1 root systemd-journal 8.0M Sep 22 22:22 system.journal
-rw-r-----+ 1 root systemd-journal 8.0M Aug 16 21:29 user-1000@b01c0c9bfd2c451faf49e166e7738756-0000000000000322-0005c9a7540ff542.journal
-rw-r-----+ 1 root systemd-journal 8.0M Sep 22 19:31 user-1001@8302bc9870d949f69bc87d3aa26902b2-0000000000001b35-0005cc9eadea0637.journal
-rw-r-----+ 1 root systemd-journal 8.0M Sep 22 19:36 user-1001.journal
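
The Storage= rules in [3], as an added shell example that is not part of the original page: it takes the last uncommented Storage= line of a journald.conf (default auto) and reports whether logs end up on disk, in memory, or are not stored. The function names are hypothetical, and drop-in files under journald.conf.d are not read.

```shell
#!/bin/sh
# Added example (not from the original page): resolve where journald keeps
# its logs, following the Storage= rules described in [3].

# effective_storage CONF
# Print the Storage= value in effect: the last uncommented assignment in
# CONF, or "auto" (the default) when none is set or CONF is missing.
effective_storage() {
    conf=$1
    value=$(sed -n 's/^[[:space:]]*Storage[[:space:]]*=[[:space:]]*\([A-Za-z][A-Za-z]*\).*$/\1/p' \
        "$conf" 2>/dev/null | tail -n 1)
    echo "${value:-auto}"
}

# storage_location CONF PERSISTENT_DIR
# Print "disk", "memory" or "none" for the given configuration.
# PERSISTENT_DIR is /var/log/journal on a real host.
storage_location() {
    mode=$(effective_storage "$1")
    case "$mode" in
        volatile)   echo memory ;;   # /run/log/journal, cleared on restart
        persistent) echo disk ;;     # falls back to memory only in early boot
        none)       echo none ;;     # forwarding targets still receive data
        auto)       if [ -d "$2" ]; then echo disk; else echo memory; fi ;;
        *)          echo "unknown Storage value: $mode" >&2; return 1 ;;
    esac
}

# Default to the paths shown on this page; other paths can be passed as
# arguments to check a staged configuration before deploying it.
storage_location "${1:-/etc/systemd/journald.conf}" "${2:-/var/log/journal}"
```

A result of "memory" or "none" on a host that is expected to retain logs across reboots means only the forwarded copies (for example in [/var/log/syslog]) survive a restart.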
[4] Logging data stored by Journald can be shown with the [journalctl] command.
# show all data without any option : results are sent to the [less] command
# to not send them to [less], add the [--no-pager] option

root@dlp:~# journalctl

-- Journal begins at Mon 2021-08-16 01:29:38 CDT, ends at Wed 2021-09-22 22:17:>
Aug 16 01:29:38 debian kernel: Linux version 5.10.0-8-amd64 (debian-kernel@list>
Aug 16 01:29:38 debian kernel: Command line: BOOT_IMAGE=/vmlinuz-5.10.0-8-amd64>
Aug 16 01:29:38 debian kernel: x86/fpu: Supporting XSAVE feature 0x001: 'x87 fl>
Aug 16 01:29:38 debian kernel: x86/fpu: Supporting XSAVE feature 0x002: 'SSE re>
Aug 16 01:29:38 debian kernel: x86/fpu: Supporting XSAVE feature 0x004: 'AVX re>
.....
.....

# [-u UNIT] : show logs of a specific UNIT

root@dlp:~# journalctl -u cron.service

-- Journal begins at Mon 2021-08-16 01:29:38 CDT, ends at Wed 2021-09-22 22:17:>
Aug 16 01:29:40 debian systemd[1]: Started Regular background program processin>
Aug 16 01:29:40 debian cron[375]: (CRON) INFO (pidfile fd = 3)
Aug 16 01:29:40 debian cron[375]: (CRON) INFO (Running @reboot jobs)
Aug 16 01:32:07 debian systemd[1]: Stopping Regular background program processi>
Aug 16 01:32:07 debian systemd[1]: cron.service: Succeeded.
.....
.....

root@dlp:~# journalctl -u systemd-tmpfiles-clean.timer

-- Journal begins at Mon 2021-08-16 01:29:38 CDT, ends at Wed 2021-09-22 22:17:>
Aug 16 01:29:40 debian systemd[1]: Started Daily Cleanup of Temporary Directori>
Aug 16 01:32:07 debian systemd[1]: systemd-tmpfiles-clean.timer: Succeeded.
Aug 16 01:32:07 debian systemd[1]: Stopped Daily Cleanup of Temporary Directori>
.....
.....

# [-k] : show kernel messages

root@dlp:~# journalctl -k

-- Journal begins at Mon 2021-08-16 01:29:38 CDT, ends at Wed 2021-09-22 22:17:>
Sep 22 19:31:44 dlp.srv.world kernel: Linux version 5.10.0-8-amd64 (debian-kern>
Sep 22 19:31:44 dlp.srv.world kernel: Command line: BOOT_IMAGE=/vmlinuz-5.10.0->
Sep 22 19:31:44 dlp.srv.world kernel: x86/fpu: Supporting XSAVE feature 0x001: >
Sep 22 19:31:44 dlp.srv.world kernel: x86/fpu: Supporting XSAVE feature 0x002: >
Sep 22 19:31:44 dlp.srv.world kernel: x86/fpu: Supporting XSAVE feature 0x004: >
.....
.....

# [-p Priority] : show logs of a specific priority

root@dlp:~# journalctl -p err

-- Journal begins at Mon 2021-08-16 01:29:38 CDT, ends at Wed 2021-09-22 22:17:>
Aug 16 21:29:18 debian kernel: watchdog: watchdog0: watchdog did not stop!
-- Boot 18eec54b205e4c6b82a225ab14159385 --
Sep 22 18:38:54 dlp.srv.world dhclient[456]: receive_packet failed on enp1s0: N>
Sep 22 18:38:54 dlp.srv.world kernel: watchdog: watchdog0: watchdog did not sto>
-- Boot ee96107c56db424185e3fce8408c5d9b --
Sep 22 19:31:38 dlp.srv.world kernel: watchdog: watchdog0: watchdog did not sto>
.....
.....

# [-g PATTERN] : show logs that include the specific word [PATTERN] in the [MESSAGE] field

root@dlp:~# journalctl -g "apparmor"

-- Journal begins at Mon 2021-08-16 01:29:38 CDT, ends at Wed 2021-09-22 22:17:>
Aug 16 01:29:38 debian kernel: AppArmor: AppArmor initialized
Aug 16 01:29:38 debian kernel: AppArmor: AppArmor Filesystem Enabled
Aug 16 01:29:38 debian kernel: AppArmor: AppArmor sha1 policy hashing enabled
Aug 16 01:29:38 debian systemd[1]: systemd 247.3-6 running in system mode. (+PA>
Aug 16 01:29:39 debian systemd[1]: Starting Load AppArmor profiles...
Aug 16 01:29:39 debian apparmor.systemd[355]: Restarting AppArmor
Aug 16 01:29:39 debian apparmor.systemd[355]: Reloading AppArmor profiles
Aug 16 01:29:39 debian audit[372]: AVC apparmor="STATUS" operation="profile_loa>
Aug 16 01:29:39 debian kernel: audit: type=1400 audit(1629095379.952:2): apparm>
Aug 16 01:29:39 debian audit[373]: AVC apparmor="STATUS" operation="profile_loa>
.....
.....

# [-S DATE] : show logs Since DATE
# [-U DATE] : show logs Until DATE

root@dlp:~# journalctl -S "2021-09-20 00:00:00" -U "2021-09-25 23:59:59"

-- Journal begins at Mon 2021-08-16 01:29:38 CDT, ends at Wed 2021-09-22 22:17:>
Sep 22 18:38:17 debian kernel: Linux version 5.10.0-8-amd64 (debian-kernel@list>
Sep 22 18:38:17 debian kernel: Command line: BOOT_IMAGE=/vmlinuz-5.10.0-8-amd64>
Sep 22 18:38:17 debian kernel: x86/fpu: Supporting XSAVE feature 0x001: 'x87 fl>
Sep 22 18:38:17 debian kernel: x86/fpu: Supporting XSAVE feature 0x002: 'SSE re>
Sep 22 18:38:17 debian kernel: x86/fpu: Supporting XSAVE feature 0x004: 'AVX re>
Sep 22 18:38:17 debian kernel: x86/fpu: xstate_offset[2]:  576, xstate_sizes[2]>
.....
.....

# show help

root@dlp:~# journalctl --help --no-pager

journalctl [OPTIONS...] [MATCHES...]

Query the journal.

Options:
     --system                Show the system journal
     --user                  Show the user journal for the current user
  -M --machine=CONTAINER     Operate on local container
  -S --since=DATE            Show entries not older than the specified date
.....
.....