Journald : Basic Usage2022/08/30 |
This is Basic Usage of Journald that is the Log Management Service Daemon.
|
|
[1] | By default, Journald is running and many logging data on the System are collected by Journald. Therefore, if [Journald (systemd-journald.service systemd-journald.socket systemd-journald-dev-log.socket)] would be down, collecting of many logging data will also stop. |
root@dlp:~# systemctl status systemd-journald.service * systemd-journald.service - Journal Service Loaded: loaded (/lib/systemd/system/systemd-journald.service; static) Active: active (running) since Tue 2022-08-30 00:42:37 UTC; 10min ago TriggeredBy: * systemd-journald-dev-log.socket * systemd-journald-audit.socket * systemd-journald.socket Docs: man:systemd-journald.service(8) man:journald.conf(5) Main PID: 386 (systemd-journal) Status: "Processing requests..." Tasks: 1 (limit: 4579) Memory: 20.4M CPU: 162ms CGroup: /system.slice/systemd-journald.service |
[2] | It's possible to change settings of Journald on [/etc/systemd/journald.conf]. All options are commented out by default, however they are the default parameters of Journald on Ubuntu. |
root@dlp:~# cat /etc/systemd/journald.conf [Journal] #Storage=auto #Compress=yes #Seal=yes #SplitMode=uid #SyncIntervalSec=5m #RateLimitIntervalSec=30s #RateLimitBurst=10000 #SystemMaxUse= #SystemKeepFree= #SystemMaxFileSize= #SystemMaxFiles=100 #RuntimeMaxUse= #RuntimeKeepFree= #RuntimeMaxFileSize= #RuntimeMaxFiles=100 #MaxRetentionSec= #MaxFileSec=1month #ForwardToSyslog=yes #ForwardToKMsg=no #ForwardToConsole=no #ForwardToWall=yes #TTYPath=/dev/console #MaxLevelStore=debug #MaxLevelSyslog=debug #MaxLevelKMsg=notice #MaxLevelConsole=info #MaxLevelWall=emerg #LineMax=48K #ReadKMsg=yes #Audit=no |
[3] | The place of stored logging data is set on [Storage=***] of [/etc/systemd/journald.conf]. For the place of stored logging data, they are also stored in conventional files like [/var/log/syslog] and so on by Rsyslogd with the setting [ForwardToSyslog=yes] on Journald. |
# parameters of [Storage=***] # # volatile : stored only in memory : under the [/run/log/journal] # persistent : stored on disk : under the [/var/log/journal] # but if impossible to write on disk like early boot, fallback to memory # auto : stored on disk if [/var/log/journal] exists # if not exists, stored in memory # none : not stored all data # but forwarding to other targets like Syslog daemon if they are configured # # * storing in memory is not persistent, when system restarted, logging data are cleared # on default settings of Ubuntu, it's set [auto] and also # [/var/log/journal] exists, so logging data are stored in [/var/log/journal]
root@dlp:~#
root@dlp:~# grep Storage /etc/systemd/journald.conf #Storage=auto ll -d /var/log/journal drwxr-sr-x+ 3 root systemd-journal 4096 Apr 22 13:30 /var/log/journal/root@dlp:~# ll -Rh /var/log/journal /var/log/journal: total 12K drwxr-sr-x+ 3 root systemd-journal 4.0K Apr 22 13:30 ./ drwxrwxr-x 10 root syslog 4.0K Aug 30 00:42 ../ drwxr-sr-x+ 2 root systemd-journal 4.0K Aug 30 00:43 73bbfaf5e3cd467082d8f6731752bfb2/ /var/log/journal/73bbfaf5e3cd467082d8f6731752bfb2: total 73M drwxr-sr-x+ 2 root systemd-journal 4.0K Aug 30 00:43 ./ drwxr-sr-x+ 3 root systemd-journal 4.0K Apr 22 13:30 ../ -rw-r-----+ 1 root systemd-journal 16M Aug 30 00:53 system.journal -rw-r-----+ 1 root systemd-journal 8.0M Apr 25 01:40 'system@4a63fa3eab2b496fbc9767fef12555ab-0000000000000001-0005dd3e3b6de698.journal' -rw-r-----+ 1 root systemd-journal 16M May 9 03:49 'system@4a63fa3eab2b496fbc9767fef12555ab-0000000000000ec8-0005dd70a996cb45.journal' -rw-r-----+ 1 root systemd-journal 8.0M Jul 6 01:27 'system@4a63fa3eab2b496fbc9767fef12555ab-0000000000003c3a-0005de8c19674e83.journal' -rw-r-----+ 1 root systemd-journal 8.0M Aug 10 06:37 'system@4a63fa3eab2b496fbc9767fef12555ab-0000000000004a3c-0005e318df19edb6.journal' -rw-r-----+ 1 root systemd-journal 8.0M Aug 30 00:47 user-1000.journal -rw-r-----+ 1 root systemd-journal 8.0M Apr 25 01:40 'user-1000@5aa0bbef60624f32a8a705f2a65217e4-0000000000000488-0005dd3e3ee2f335.journal' |
[4] | To show stored logging data by Journald, it's possible with [journalctl] command. |
# show all data without any option : results are send to [less] command # if not send to [less], add [--no-pager] option root@dlp:~# journalctl Apr 22 13:30:38 localhost kernel: Linux version 5.15.0-25-generic (buildd@ubunt> Apr 22 13:30:38 localhost kernel: Command line: BOOT_IMAGE=/vmlinuz-5.15.0-25-> Apr 22 13:30:38 localhost kernel: KERNEL supported cpus: Apr 22 13:30:38 localhost kernel: Intel GenuineIntel Apr 22 13:30:38 localhost kernel: AMD AuthenticAMD Apr 22 13:30:38 localhost kernel: Hygon HygonGenuine Apr 22 13:30:38 localhost kernel: Centaur CentaurHauls Apr 22 13:30:38 localhost kernel: zhaoxin Shanghai ..... ..... # [-u UNIT] : show logs of a specific UNIT root@dlp:~# journalctl -u cron.service Apr 22 13:31:15 localhost systemd[1]: Started Regular background program proces> Apr 22 13:31:15 localhost cron[784]: (CRON) INFO (pidfile fd = 3) Apr 22 13:31:15 localhost cron[784]: (CRON) INFO (Running @reboot jobs) Apr 22 13:33:16 localhost systemd[1]: Stopping Regular background program proce> Apr 22 13:33:16 localhost systemd[1]: cron.service: Deactivated successfully. Apr 22 13:33:16 localhost systemd[1]: Stopped Regular background program proces> ..... .....root@dlp:~# journalctl -u systemd-tmpfiles-clean.timer Apr 22 13:31:15 localhost systemd[1]: Started Daily Cleanup of Temporary Direct> Apr 22 13:33:16 localhost systemd[1]: systemd-tmpfiles-clean.timer: Deactivated> Apr 22 13:33:16 localhost systemd[1]: Stopped Daily Cleanup of Temporary Direct> ..... ..... # [-k] : show logs of kernel message root@dlp:~# journalctl -k Aug 30 00:42:37 dlp.srv.world kernel: Linux version 5.15.0-25-generic (buildd@u> Aug 30 00:42:37 dlp.srv.world kernel: Command line: BOOT_IMAGE=/vmlinuz-5.15.0-> Aug 30 00:42:37 dlp.srv.world kernel: KERNEL supported cpus: Aug 30 00:42:37 dlp.srv.world kernel: Intel GenuineIntel Aug 30 00:42:37 dlp.srv.world kernel: AMD AuthenticAMD Aug 30 00:42:37 dlp.srv.world kernel: Hygon HygonGenuine ..... ..... # [-p Priority] : show logs of a specific priority root@dlp:~# journalctl -p err Aug 10 06:41:45 localhost kernel: mtd device must be supplied (device name is e> -- Boot a840f56ef63a4e8c8cccd148103ab577 -- Aug 11 00:20:17 localhost kernel: mtd device must be supplied (device name is e> -- Boot 4e040cbb0df542ff8a4615b3beb0d399 -- ..... ..... # [-g PATTERN] : show logs that include specific word [PATTERN] in [MESSAGE] field root@dlp:~# journalctl -g "apparmor" Apr 22 13:30:38 localhost kernel: AppArmor: AppArmor initialized Apr 22 13:30:38 localhost kernel: AppArmor: AppArmor Filesystem Enabled Apr 22 13:30:38 localhost kernel: AppArmor: AppArmor sha1 policy hashing enabled Apr 22 13:30:38 localhost kernel: evm: security.apparmor Apr 22 13:30:38 localhost systemd[1]: systemd 249.11-0ubuntu3 running in system> Apr 22 13:30:39 localhost systemd[1]: Starting Load AppArmor profiles... Apr 22 13:30:39 localhost apparmor.systemd[518]: Restarting AppArmor Apr 22 13:30:39 localhost apparmor.systemd[518]: Reloading AppArmor profiles Apr 22 13:30:39 localhost audit[546]: AVC apparmor="STATUS" operation="profile_> Apr 22 13:30:39 localhost audit[546]: AVC apparmor="STATUS" operation="profile_> Apr 22 13:30:39 localhost kernel: audit: type=1400 audit(1650634239.264:2): app> Apr 22 13:30:39 localhost kernel: audit: type=1400 audit(1650634239.264:3): app> ..... ..... # [-S DATE] : show logs Since DATE # [-U DATE] : show logs Until DATE root@dlp:~# journalctl -S "2022-08-01 00:00:00" -U "2022-08-30 23:59:59" Aug 10 06:37:12 localhost kernel: Linux version 5.15.0-25-generic (buildd@ubunt> Aug 10 06:37:12 localhost kernel: Command line: BOOT_IMAGE=/vmlinuz-5.15.0-25-g> Aug 10 06:37:12 localhost kernel: KERNEL supported cpus: Aug 10 06:37:12 localhost kernel: Intel GenuineIntel Aug 10 06:37:12 localhost kernel: AMD AuthenticAMD Aug 10 06:37:12 localhost kernel: Hygon HygonGenuine Aug 10 06:37:12 localhost kernel: Centaur CentaurHauls ..... ..... # show help root@dlp:~# journalctl --help --no-pager journalctl [OPTIONS...] [MATCHES...] Query the journal. Options: --system Show the system journal --user Show the user journal for the current user -M --machine=CONTAINER Operate on local container -S --since=DATE Show entries not older than the specified date ..... ..... |
Sponsored Link |
|