Debian 12 bookworm

Journald : Basic Usage
2023/07/17

This is the basic usage of Journald, the log management service daemon.
[1] By default, Journald is running and collects most of the logging data on the system.
Therefore, if Journald [systemd-journald.service, systemd-journald.socket, systemd-journald-dev-log.socket] goes down, collection of that logging data also stops.
root@dlp:~# systemctl status systemd-journald.service

*  systemd-journald.service - Journal Service
     Loaded: loaded (/lib/systemd/system/systemd-journald.service; static)
     Active: active (running) since Sun 2023-07-16 21:33:17 CDT; 1min 9s ago
TriggeredBy: *  systemd-journald-dev-log.socket
             *  systemd-journald.socket
             *  systemd-journald-audit.socket
       Docs: man:systemd-journald.service(8)
             man:journald.conf(5)
   Main PID: 247 (systemd-journal)
     Status: "Processing requests..."
      Tasks: 1 (limit: 4639)
     Memory: 12.5M
        CPU: 64ms
     CGroup: /system.slice/systemd-journald.service
             +-- 247 /lib/systemd/systemd-journald
.....
.....
[2] Journald settings can be changed in [/etc/systemd/journald.conf].
All options are commented out by default; the commented values are the default parameters of Journald on Ubuntu.
root@dlp:~# cat /etc/systemd/journald.conf

[Journal]
#Storage=auto
#Compress=yes
#Seal=yes
#SplitMode=uid
#SyncIntervalSec=5m
#RateLimitIntervalSec=30s
#RateLimitBurst=10000
#SystemMaxUse=
#SystemKeepFree=
#SystemMaxFileSize=
#SystemMaxFiles=100
#RuntimeMaxUse=
#RuntimeKeepFree=
#RuntimeMaxFileSize=
#RuntimeMaxFiles=100
#MaxRetentionSec=
#MaxFileSec=1month
#ForwardToSyslog=yes
#ForwardToKMsg=no
#ForwardToConsole=no
#ForwardToWall=yes
#TTYPath=/dev/console
#MaxLevelStore=debug
#MaxLevelSyslog=debug
#MaxLevelKMsg=notice
#MaxLevelConsole=info
#MaxLevelWall=emerg
#LineMax=48K
#ReadKMsg=yes
#Audit=no
[3] Where logging data is stored is set with [Storage=***] in [/etc/systemd/journald.conf].
In addition, if a syslog service such as Rsyslog is installed and running, the data is also written to conventional files such as [/var/log/syslog] by that syslog service, because of the [ForwardToSyslog=yes] setting in Journald.
# values of [Storage=***]
#
# volatile   : stored only in memory, under [/run/log/journal]
# persistent : stored on disk, under [/var/log/journal]
#              but if the disk cannot be written, such as during early boot, falls back to memory
# auto       : stored on disk if [/var/log/journal] exists
#              if it does not exist, stored in memory
# none       : no data is stored
#              but it is still forwarded to other targets such as a Syslog daemon if they are configured
#
# * data stored in memory is not persistent; logging data is cleared when the system restarts

# with the default settings of Ubuntu, [auto] is set and
# [/var/log/journal] also exists, so logging data is stored in [/var/log/journal]

root@dlp:~# grep Storage /etc/systemd/journald.conf

#Storage=auto
root@dlp:~# ll -d /var/log/journal

drwxr-sr-x+ 3 root systemd-journal 4096 Jun 11 19:31 /var/log/journal

root@dlp:~# ll -Rh /var/log/journal

/var/log/journal:
total 4.0K
drwxr-sr-x+ 2 root systemd-journal 4.0K Jul 16 21:33 43401112bd4a4907802ec262beae4c1e

/var/log/journal/43401112bd4a4907802ec262beae4c1e:
total 24M
-rw-r-----+ 1 root systemd-journal 7.8M Jul 16 21:31 system@d67bec8e5dce448da411f7cecbff0bc4-0000000000000001-0005fde3d7d21d0b.journal
-rw-r-----+ 1 root systemd-journal 4.4M Jul 16 21:33 system@d67bec8e5dce448da411f7cecbff0bc4-0000000000002870-000600a59826d27a.journal
-rw-r-----+ 1 root systemd-journal 8.0M Jul 16 21:41 system.journal
-rw-r-----+ 1 root systemd-journal 3.6M Jul 16 21:31 user-1000@c9a3774ace2e4c27a815b13353f78599-0000000000000869-0005fde58282409c.journal
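The [Storage=***] rules above decide whether logs survive a reboot, so they are worth checking on a live system or a mounted disk image. The following is an added example, not part of the original page. The function names are hypothetical, and only /etc/systemd/journald.conf and /etc/systemd/journald.conf.d/*.conf are read; journald also honours drop-ins under /run and /usr/lib, which are not consulted here.

```shell
#!/bin/sh
# Added example: resolve where journald keeps its data for a filesystem tree.
# ROOT is "/" for the live system or the mount point of a disk image.
# Assumption: only /etc/systemd/journald.conf and its journald.conf.d
# drop-ins are read; function names are hypothetical.

effective_storage() {
    root="${1%/}"
    mode="auto"                      # built-in default when nothing is set
    # Drop-ins are applied after the main file, in lexical order; last wins.
    for f in "$root/etc/systemd/journald.conf" \
             "$root"/etc/systemd/journald.conf.d/*.conf; do
        [ -r "$f" ] || continue      # also skips an unmatched glob
        # Commented lines (#Storage=auto) do not match and are ignored.
        v=$(sed -n 's/^[[:space:]]*Storage[[:space:]]*=[[:space:]]*\([a-z][a-z]*\)[[:space:]]*$/\1/p' "$f" | tail -n 1)
        if [ -n "$v" ]; then mode="$v"; fi
    done
    printf '%s\n' "$mode"
}

# Prints: <mode> <directory or -> <persistent|volatile|none>
journal_location() {
    root="${1%/}"
    mode=$(effective_storage "$root")
    case "$mode" in
        volatile)   echo "$mode /run/log/journal volatile" ;;
        persistent) echo "$mode /var/log/journal persistent" ;;
        auto)
            if [ -d "$root/var/log/journal" ]; then
                echo "$mode /var/log/journal persistent"
            else
                echo "$mode /run/log/journal volatile"   # cleared at reboot
            fi ;;
        none)       echo "$mode - none" ;;               # forwarded only
        *)          echo "$mode - unknown"; return 1 ;;
    esac
}

journal_location "${1:-/}"
```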
[4] Logging data stored by Journald can be shown with the [journalctl] command.
# show all data without any option : results are sent to the [less] command
# to avoid sending them to [less], add the [--no-pager] option

root@dlp:~# journalctl

Jun 11 19:31:43 debian kernel: Linux version 6.1.0-9-amd64 (debian-kernel@lists>
Jun 11 19:31:43 debian kernel: Command line: BOOT_IMAGE=/vmlinuz-6.1.0-9-amd64 >
Jun 11 19:31:43 debian kernel: x86/fpu: Supporting XSAVE feature 0x001: 'x87 fl>
Jun 11 19:31:43 debian kernel: x86/fpu: Supporting XSAVE feature 0x002: 'SSE re>
Jun 11 19:31:43 debian kernel: x86/fpu: Supporting XSAVE feature 0x004: 'AVX re>
Jun 11 19:31:43 debian kernel: x86/fpu: Supporting XSAVE feature 0x020: 'AVX-51>
Jun 11 19:31:43 debian kernel: x86/fpu: Supporting XSAVE feature 0x040: 'AVX-51>
Jun 11 19:31:43 debian kernel: x86/fpu: Supporting XSAVE feature 0x080: 'AVX-51>
Jun 11 19:31:43 debian kernel: x86/fpu: Supporting XSAVE feature 0x200: 'Protec>
Jun 11 19:31:43 debian kernel: x86/fpu: xstate_offset[2]:  576, xstate_sizes[2]>
.....
.....

# [-u UNIT] : show logs of a specific UNIT

root@dlp:~# journalctl -u cron.service

Jun 11 19:31:45 debian systemd[1]: Started cron.service - Regular background pr>
Jun 11 19:31:45 debian cron[430]: (CRON) INFO (pidfile fd = 3)
Jun 11 19:31:45 debian cron[430]: (CRON) INFO (Running @reboot jobs)
Jun 11 19:31:56 debian systemd[1]: Stopping cron.service - Regular background p>
Jun 11 19:31:56 debian systemd[1]: cron.service: Deactivated successfully.
Jun 11 19:31:56 debian systemd[1]: Stopped cron.service - Regular background pr>
-- Boot 779ed26ef6764403be0149fac47542de --
Jun 11 21:30:43 debian systemd[1]: Started cron.service - Regular background pr>
Jun 11 21:30:43 debian cron[432]: (CRON) INFO (pidfile fd = 3)
.....
.....

root@dlp:~# journalctl -u systemd-tmpfiles-clean.timer

Jun 11 19:31:45 debian systemd[1]: Started systemd-tmpfiles-clean.timer - Daily>
Jun 11 19:31:56 debian systemd[1]: systemd-tmpfiles-clean.timer: Deactivated su>
Jun 11 19:31:56 debian systemd[1]: Stopped systemd-tmpfiles-clean.timer - Daily>
-- Boot 779ed26ef6764403be0149fac47542de --
Jun 11 21:30:43 debian systemd[1]: Started systemd-tmpfiles-clean.timer - Daily>
Jun 11 21:46:58 debian systemd[1]: systemd-tmpfiles-clean.timer: Deactivated su>
.....
.....

# [-k] : show kernel messages

root@dlp:~# journalctl -k

Jul 16 21:33:17 dlp.srv.world kernel: Linux version 6.1.0-9-amd64 (debian-kerne>
Jul 16 21:33:17 dlp.srv.world kernel: Command line: BOOT_IMAGE=/vmlinuz-6.1.0-9>
Jul 16 21:33:17 dlp.srv.world kernel: x86/fpu: Supporting XSAVE feature 0x001: >
Jul 16 21:33:17 dlp.srv.world kernel: x86/fpu: Supporting XSAVE feature 0x002: >
Jul 16 21:33:17 dlp.srv.world kernel: x86/fpu: Supporting XSAVE feature 0x004: >
Jul 16 21:33:17 dlp.srv.world kernel: x86/fpu: Supporting XSAVE feature 0x020: >
Jul 16 21:33:17 dlp.srv.world kernel: x86/fpu: Supporting XSAVE feature 0x040: >
.....
.....

# [-p Priority] : show logs of a specific priority

root@dlp:~# journalctl -p err

Jul 02 19:16:21 debian kernel: watchdog: watchdog0: watchdog did not stop!
-- Boot 9f58482cc1cd4a4fa315738ad62f9c70 --
Jul 16 21:33:07 dlp.srv.world dhclient[463]: receive_packet failed on enp1s0: N>
Jul 16 21:33:07 dlp.srv.world kernel: watchdog: watchdog0: watchdog did not sto>
.....
.....

# [-g PATTERN] : show logs that include the specific word [PATTERN] in the [MESSAGE] field

root@dlp:~# journalctl -g "apparmor"

Jun 11 19:31:43 debian kernel: AppArmor: AppArmor initialized
Jun 11 19:31:43 debian kernel: AppArmor: AppArmor Filesystem Enabled
Jun 11 19:31:43 debian kernel: AppArmor: AppArmor sha1 policy hashing enabled
Jun 11 19:31:43 debian kernel: evm: security.apparmor
Jun 11 19:31:43 debian systemd[1]: systemd 252.6-1 running in system mode (+PAM>
Jun 11 19:31:44 debian systemd[1]: Starting apparmor.service - Load AppArmor pr>
Jun 11 19:31:44 debian apparmor.systemd[405]: Restarting AppArmor
Jun 11 19:31:44 debian apparmor.systemd[405]: Reloading AppArmor profiles
Jun 11 19:31:44 debian audit[421]: AVC apparmor="STATUS" operation="profile_loa>
Jun 11 19:31:44 debian kernel: audit: type=1400 audit(1686529904.888:2): apparm>
.....
.....

# [-S DATE] : show logs since DATE
# [-U DATE] : show logs until DATE

root@dlp:~# journalctl -S "2023-07-16 00:00:00" -U "2023-07-17 23:59:59"

Jul 16 21:31:22 debian kernel: Linux version 6.1.0-9-amd64 (debian-kernel@lists>
Jul 16 21:31:22 debian kernel: Command line: BOOT_IMAGE=/vmlinuz-6.1.0-9-amd64 >
Jul 16 21:31:22 debian kernel: x86/fpu: Supporting XSAVE feature 0x001: 'x87 fl>
Jul 16 21:31:22 debian kernel: x86/fpu: Supporting XSAVE feature 0x002: 'SSE re>
Jul 16 21:31:22 debian kernel: x86/fpu: Supporting XSAVE feature 0x004: 'AVX re>
Jul 16 21:31:22 debian kernel: x86/fpu: Supporting XSAVE feature 0x020: 'AVX-51>
Jul 16 21:31:22 debian kernel: x86/fpu: Supporting XSAVE feature 0x040: 'AVX-51>
.....
.....

# show help

root@dlp:~# journalctl --help

journalctl [OPTIONS...] [MATCHES...]

Query the journal.

Options:
     --system                Show the system journal
     --user                  Show the user journal for the current user
  -M --machine=CONTAINER     Operate on local container
  -S --since=DATE            Show entries not older than the specified date
.....
.....