Rocky Linux 10

Journald : Basic Usage
2025/07/25

 

This covers basic usage of Journald, the log management service daemon.

[1] By default, Journald is running and collects almost all logging data on the system.
Therefore, if Journald [systemd-journald.service, systemd-journald.socket, systemd-journald-dev-log.socket] goes down, collection of almost all logging data also stops.
[root@dlp ~]#
systemctl status systemd-journald.service

● systemd-journald.service - Journal Service
     Loaded: loaded (/usr/lib/systemd/system/systemd-journald.service; static)
     Active: active (running) since Fri 2025-07-25 08:35:58 JST; 25s ago
 Invocation: ec0c8fc041cf4d53bdf33c217ed848f7
TriggeredBy: ○ systemd-journald-audit.socket
             ● systemd-journald.socket
             ● systemd-journald-dev-log.socket
       Docs: man:systemd-journald.service(8)
             man:journald.conf(5)
   Main PID: 688 (systemd-journal)
     Status: "Processing requests..."
      Tasks: 1 (limit: 23135)
   FD Store: 15 (limit: 4224)
     Memory: 1.7M (peak: 4.6M)
        CPU: 41ms
.....
.....
[2] The default settings for Journald can be viewed in [/usr/lib/systemd/journald.conf].
By default, all settings are commented out, and the values listed are the defaults.
To override a default value, create [/etc/systemd/journald.conf] and set the value there.
[root@dlp ~]#
cat /usr/lib/systemd/journald.conf

[Journal]
#Storage=auto
#Compress=yes
#Seal=yes
#SplitMode=uid
#SyncIntervalSec=5m
#RateLimitIntervalSec=30s
#RateLimitBurst=10000
#SystemMaxUse=
#SystemKeepFree=
#SystemMaxFileSize=
#SystemMaxFiles=100
#RuntimeMaxUse=
#RuntimeKeepFree=
#RuntimeMaxFileSize=
#RuntimeMaxFiles=100
#MaxRetentionSec=0
#MaxFileSec=1month
#ForwardToSyslog=no
#ForwardToKMsg=no
#ForwardToConsole=no
#ForwardToWall=yes
#TTYPath=/dev/console
#MaxLevelStore=debug
#MaxLevelSyslog=debug
#MaxLevelKMsg=notice
#MaxLevelConsole=info
#MaxLevelWall=emerg
#MaxLevelSocket=debug
#LineMax=48K
#ReadKMsg=yes
Audit=
[3] The location where logging data are stored is set by [Storage=***] in [/usr/lib/systemd/journald.conf].
# values of [Storage=***]
#
# volatile   : stored only in memory, under [/run/log/journal]
# persistent : stored on disk, under [/var/log/journal]
#              but when the disk is not writable, such as in early boot, it falls back to memory
# auto       : stored on disk if [/var/log/journal] exists
#              if it does not exist, stored in memory
# none       : no data are stored
#              but data are still forwarded to other targets such as the Syslog daemon if they are configured
#
# * storage in memory is not persistent; logging data are cleared when the system restarts

# with the default settings of Rocky Linux, it is set to [auto] and
# [/var/log/journal] does not exist, so logging data are stored in [/run/log/journal]

[root@dlp ~]#
grep Storage /usr/lib/systemd/journald.conf

#Storage=auto
[root@dlp ~]#
ll -d /var/log/journal

ls: cannot access '/var/log/journal': No such file or directory
[root@dlp ~]#
ll /run/log/journal

total 0
drwxr-s---+ 2 root systemd-journal 60 Jul 25 08:35 11b7ae1538764e02baf69001e45bbd9b

# [/run/log] on Rocky Linux is on a [tmpfs] filesystem
# [tmpfs] resides in memory
# the [tmpfs] size defaults to half of the physical memory size if not set manually
# that size is not held in memory all the time; memory is used dynamically as needed

[root@dlp ~]#
df -h /run/log

Filesystem      Size  Used Avail Use% Mounted on
tmpfs           731M  8.6M  722M   2% /run

# to change the storage location to disk, create the [/var/log/journal] directory

[root@dlp ~]#
mkdir /var/log/journal

[root@dlp ~]#
systemctl restart systemd-journald.service \
systemd-journald.socket \
systemd-journal-flush.service
[root@dlp ~]#
ll /run/log/journal

total 0
[root@dlp ~]#
ll /var/log/journal

total 0
drwxr-xr-x. 2 root root 28 Jul 25 08:39 11b7ae1538764e02baf69001e45bbd9b

# * Note
# with the default settings of Rocky Linux, Rsyslog, the syslog daemon, is also running and
# it stores logging data received from Journald in the [/var/log] directory,
# so logging data are stored on disk even if the storage setting of Journald is not changed
# Rsyslog imports logging data from Journald with the Rsyslog [imjournal] module, so
# the [ForwardToSyslog=***] parameter of Journald does not affect sending data to Rsyslog
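
The [Storage=***] rules from step [3], as an added shell example that is not part of the original page: it reports which directory journald will write to and whether logs survive a reboot. The function names and the root-prefix argument are assumptions of this example, and it reads only the main journald.conf ([/etc] first, then [/usr/lib]), not drop-in directories.

```shell
#!/bin/sh
# Added example, not from the original page. Function names and the
# "root" prefix argument are assumptions made for illustration.

# Print the effective Storage= value for the tree under $1 ("" = live system).
# Reads the first main config file found, [/etc] before [/usr/lib];
# drop-in directories (journald.conf.d) are not read by this example.
effective_storage() {
    value=auto                      # default when nothing is set
    for conf in "$1/etc/systemd/journald.conf" \
                "$1/usr/lib/systemd/journald.conf"; do
        [ -r "$conf" ] || continue
        # commented lines ("#Storage=auto") do not match; last setting wins
        found=$(sed -n 's/^[[:space:]]*Storage[[:space:]]*=[[:space:]]*\([a-z]*\).*/\1/p' "$conf" | tail -n 1)
        if [ -n "$found" ]; then value=$found; fi
        break
    done
    printf '%s\n' "$value"
}

# Print the directory journald writes to, or "none" when nothing is stored.
journal_location() {
    case $(effective_storage "$1") in
        volatile)   echo /run/log/journal ;;
        persistent) echo /var/log/journal ;;   # memory fallback in early boot
        none)       echo none ;;
        *)          # auto: disk only if the directory already exists
                    if [ -d "$1/var/log/journal" ]; then echo /var/log/journal
                    else echo /run/log/journal; fi ;;
    esac
}

# Succeeds only if logs survive a reboot.
journal_is_persistent() {
    [ "$(journal_location "$1")" = /var/log/journal ]
}

# Report for the live system (pass a mount point to inspect another tree).
root=${1:-}
if journal_is_persistent "$root"; then
    echo "journal: $(journal_location "$root") (kept across reboots)"
else
    echo "journal: $(journal_location "$root") (lost on reboot unless forwarded)"
fi
```

The systemd-journald.service(8) man page follows `mkdir -p /var/log/journal` with `systemd-tmpfiles --create --prefix /var/log/journal`, which applies the expected ownership and mode to the new directory.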
[4] To show logging data stored by Journald, use the [journalctl] command.
# show all data without any options : results are sent to the [less] command
# to not send them to [less], add the [--no-pager] option
# to use a pager and display the full content of each line, send the output to the [more] command

[root@dlp ~]#
journalctl

Jul 25 08:35:56 localhost kernel: Linux version 6.12.0-55.18.1.el10_0.x86_64 (mockbuild@iad1-prod-build001.bld.equ.rockylinux.o>
Jul 25 08:35:56 localhost kernel: Command line: BOOT_IMAGE=(hd0,gpt2)/vmlinuz-6.12.0-55.18.1.el10_0.x86_64 root=/dev/mapper/rl->
Jul 25 08:35:56 localhost kernel: BIOS-provided physical RAM map:
.....
.....

# [-u UNIT] : show logs of a specific UNIT

[root@dlp ~]#
journalctl -u sshd.service

Jul 25 08:36:00 dlp.srv.world systemd[1]: Starting sshd.service - OpenSSH server daemon...
Jul 25 08:36:00 dlp.srv.world (sshd)[899]: sshd.service: Referenced but unset environment variable evaluates to an empty string>
Jul 25 08:36:00 dlp.srv.world sshd[899]: Server listening on 0.0.0.0 port 22.
Jul 25 08:36:00 dlp.srv.world sshd[899]: Server listening on :: port 22.
Jul 25 08:36:00 dlp.srv.world systemd[1]: Started sshd.service - OpenSSH server daemon.
.....
.....

[root@dlp ~]#
journalctl -u systemd-tmpfiles-clean.timer

Jul 25 08:35:59 dlp.srv.world systemd[1]: Started systemd-tmpfiles-clean.timer - Daily Cleanup of Temporary Directories.
.....
.....

# [-k] : show kernel messages

[root@dlp ~]#
journalctl -k

Jul 25 08:35:56 localhost kernel: Linux version 6.12.0-55.18.1.el10_0.x86_64 (mockbuild@iad1-prod-build001.bld.equ.rockylinux.o>
Jul 25 08:35:56 localhost kernel: Command line: BOOT_IMAGE=(hd0,gpt2)/vmlinuz-6.12.0-55.18.1.el10_0.x86_64 root=/dev/mapper/rl->
Jul 25 08:35:56 localhost kernel: BIOS-provided physical RAM map:
Jul 25 08:35:56 localhost kernel: BIOS-e820: [mem 0x0000000000000000-0x000000000009fbff] usable
Jul 25 08:35:56 localhost kernel: BIOS-e820: [mem 0x000000000009fc00-0x000000000009ffff] reserved
.....
.....

# [-p Priority] : show logs of a specific priority

[root@dlp ~]#
journalctl -p err

Jul 25 08:36:00 dlp.srv.world kernel: Warning: Unmaintained driver is detected: ip_set
.....
.....

# [-g PATTERN] : show logs that include the specific word [PATTERN] in the [MESSAGE] field

[root@dlp ~]#
journalctl -g "sealert"

Jul 25 10:55:11 dlp.srv.world setroubleshoot[1998]: SELinux is preventing /usr/>
.....
.....

# [-S DATE] : show logs Since DATE
# [-U DATE] : show logs Until DATE

[root@dlp ~]#
journalctl -S "2025-07-20 00:00:00" -U "2025-07-25 23:59:59"

Jul 25 08:35:56 localhost kernel: Linux version 6.12.0-55.18.1.el10_0.x86_64 (mockbuild@iad1-prod-build001.bld.equ.rockylinux.o>
Jul 25 08:35:56 localhost kernel: Command line: BOOT_IMAGE=(hd0,gpt2)/vmlinuz-6.12.0-55.18.1.el10_0.x86_64 root=/dev/mapper/rl->
Jul 25 08:35:56 localhost kernel: BIOS-provided physical RAM map:
Jul 25 08:35:56 localhost kernel: BIOS-e820: [mem 0x0000000000000000-0x000000000009fbff] usable
Jul 25 08:35:56 localhost kernel: BIOS-e820: [mem 0x000000000009fc00-0x000000000009ffff] reserved
.....
.....

# show help

[root@dlp ~]#
journalctl --help

journalctl [OPTIONS...] [MATCHES...]

Query the journal.

Options:
     --system                Show the system journal
     --user                  Show the user journal for the current user
.....
.....