Ubuntu 22.04

Journald : Basic Usage
2022/08/30

 
This page covers basic usage of Journald, the log management service daemon.
[1] By default, Journald is running and collects much of the logging data on the system.
Therefore, if Journald (systemd-journald.service, systemd-journald.socket, systemd-journald-dev-log.socket) goes down, collection of that logging data also stops.
root@dlp:~# systemctl status systemd-journald.service

*  systemd-journald.service - Journal Service
     Loaded: loaded (/lib/systemd/system/systemd-journald.service; static)
     Active: active (running) since Tue 2022-08-30 00:42:37 UTC; 10min ago
TriggeredBy: *  systemd-journald-dev-log.socket
             *  systemd-journald-audit.socket
             *  systemd-journald.socket
       Docs: man:systemd-journald.service(8)
             man:journald.conf(5)
   Main PID: 386 (systemd-journal)
     Status: "Processing requests..."
      Tasks: 1 (limit: 4579)
     Memory: 20.4M
        CPU: 162ms
     CGroup: /system.slice/systemd-journald.service
[2] Journald settings can be changed in [/etc/systemd/journald.conf].
All options are commented out by default; the commented values are the default parameters of Journald on Ubuntu.
root@dlp:~# cat /etc/systemd/journald.conf

[Journal]
#Storage=auto
#Compress=yes
#Seal=yes
#SplitMode=uid
#SyncIntervalSec=5m
#RateLimitIntervalSec=30s
#RateLimitBurst=10000
#SystemMaxUse=
#SystemKeepFree=
#SystemMaxFileSize=
#SystemMaxFiles=100
#RuntimeMaxUse=
#RuntimeKeepFree=
#RuntimeMaxFileSize=
#RuntimeMaxFiles=100
#MaxRetentionSec=
#MaxFileSec=1month
#ForwardToSyslog=yes
#ForwardToKMsg=no
#ForwardToConsole=no
#ForwardToWall=yes
#TTYPath=/dev/console
#MaxLevelStore=debug
#MaxLevelSyslog=debug
#MaxLevelKMsg=notice
#MaxLevelConsole=info
#MaxLevelWall=emerg
#LineMax=48K
#ReadKMsg=yes
#Audit=no
[3] Where logging data is stored is set by [Storage=***] in [/etc/systemd/journald.conf].
In addition, with the setting [ForwardToSyslog=yes] on Journald, logging data is also stored by Rsyslogd in conventional files such as [/var/log/syslog].
# parameters of [Storage=***]
#
# volatile   : stored only in memory : under [/run/log/journal]
# persistent : stored on disk : under [/var/log/journal]
#              but if writing to disk is impossible, as in early boot, falls back to memory
# auto       : stored on disk if [/var/log/journal] exists
#              if it does not exist, stored in memory
# none       : no data is stored
#              but data is still forwarded to other targets like the Syslog daemon if they are configured
#
# * storing in memory is not persistent : when the system is restarted, logging data is cleared

# with the default settings of Ubuntu, it is set to [auto] and
# [/var/log/journal] exists, so logging data is stored in [/var/log/journal]

root@dlp:~# grep Storage /etc/systemd/journald.conf

#Storage=auto
root@dlp:~# ll -d /var/log/journal

drwxr-sr-x+ 3 root systemd-journal 4096 Apr 22 13:30 /var/log/journal/

root@dlp:~# ll -Rh /var/log/journal

/var/log/journal:
total 12K
drwxr-sr-x+  3 root systemd-journal 4.0K Apr 22 13:30 ./
drwxrwxr-x  10 root syslog          4.0K Aug 30 00:42 ../
drwxr-sr-x+  2 root systemd-journal 4.0K Aug 30 00:43 73bbfaf5e3cd467082d8f6731752bfb2/

/var/log/journal/73bbfaf5e3cd467082d8f6731752bfb2:
total 73M
drwxr-sr-x+ 2 root systemd-journal 4.0K Aug 30 00:43  ./
drwxr-sr-x+ 3 root systemd-journal 4.0K Apr 22 13:30  ../
-rw-r-----+ 1 root systemd-journal  16M Aug 30 00:53  system.journal
-rw-r-----+ 1 root systemd-journal 8.0M Apr 25 01:40 'system@4a63fa3eab2b496fbc9767fef12555ab-0000000000000001-0005dd3e3b6de698.journal'
-rw-r-----+ 1 root systemd-journal  16M May  9 03:49 'system@4a63fa3eab2b496fbc9767fef12555ab-0000000000000ec8-0005dd70a996cb45.journal'
-rw-r-----+ 1 root systemd-journal 8.0M Jul  6 01:27 'system@4a63fa3eab2b496fbc9767fef12555ab-0000000000003c3a-0005de8c19674e83.journal'
-rw-r-----+ 1 root systemd-journal 8.0M Aug 10 06:37 'system@4a63fa3eab2b496fbc9767fef12555ab-0000000000004a3c-0005e318df19edb6.journal'
-rw-r-----+ 1 root systemd-journal 8.0M Aug 30 00:47  user-1000.journal
-rw-r-----+ 1 root systemd-journal 8.0M Apr 25 01:40 'user-1000@5aa0bbef60624f32a8a705f2a65217e4-0000000000000488-0005dd3e3ee2f335.journal'
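The [Storage=***] rules above, written as a check that reports whether logs survive a restart. This is an added example, not part of the original page; the function name [effective_storage] and its two arguments are assumptions of this sketch, and it reads a single config file only.

```shell
#!/bin/sh
# Added example (not from the original page): resolve which Storage= mode
# applies and whether the journal ends up on disk or in memory.
#   $1 = journald.conf-style file to read (assumed parameter of this sketch)
#   $2 = directory tested for the [auto] rule, normally /var/log/journal
# Limitation: drop-in files under journald.conf.d/ are not read here.
effective_storage() {
    conf=$1
    jdir=$2
    # Commented lines (#Storage=...) do not match; the last active line wins.
    mode=$(sed -n 's/^[[:space:]]*Storage[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*/\1/p' \
        "$conf" 2>/dev/null | tail -n 1)
    # Nothing set explicitly: the default is [auto].
    [ -n "$mode" ] || mode=auto
    case $mode in
        volatile)   echo "volatile memory" ;;
        persistent) echo "persistent disk" ;;
        none)       echo "none none" ;;
        auto)
            if [ -d "$jdir" ]; then
                echo "auto disk"
            else
                echo "auto memory"
            fi
            ;;
        *)
            echo "unknown value: $mode" >&2
            return 1
            ;;
    esac
}

# Constructed demo input: the default file with every option commented out.
demo=$(mktemp -d)
printf '[Journal]\n#Storage=auto\n' > "$demo/journald.conf"
effective_storage "$demo/journald.conf" "$demo/journal"   # directory missing
mkdir "$demo/journal"
effective_storage "$demo/journald.conf" "$demo/journal"   # directory present
rm -rf "$demo"
```

On a real host, call it as [effective_storage /etc/systemd/journald.conf /var/log/journal]; a result ending in [memory] or [none] means the journal is cleared at restart and only forwarded copies such as [/var/log/syslog] remain.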
[4] To show logging data stored by Journald, use the [journalctl] command.
# show all data without any option : results are sent to the [less] command
# to not send them to [less], add the [--no-pager] option

root@dlp:~# journalctl

Apr 22 13:30:38 localhost kernel: Linux version 5.15.0-25-generic (buildd@ubunt>
Apr 22 13:30:38 localhost kernel: Command line: BOOT_IMAGE=/vmlinuz-5.15.0-25->
Apr 22 13:30:38 localhost kernel: KERNEL supported cpus:
Apr 22 13:30:38 localhost kernel:   Intel GenuineIntel
Apr 22 13:30:38 localhost kernel:   AMD AuthenticAMD
Apr 22 13:30:38 localhost kernel:   Hygon HygonGenuine
Apr 22 13:30:38 localhost kernel:   Centaur CentaurHauls
Apr 22 13:30:38 localhost kernel:   zhaoxin   Shanghai
.....
.....

# [-u UNIT] : show logs of a specific UNIT

root@dlp:~# journalctl -u cron.service

Apr 22 13:31:15 localhost systemd[1]: Started Regular background program proces>
Apr 22 13:31:15 localhost cron[784]: (CRON) INFO (pidfile fd = 3)
Apr 22 13:31:15 localhost cron[784]: (CRON) INFO (Running @reboot jobs)
Apr 22 13:33:16 localhost systemd[1]: Stopping Regular background program proce>
Apr 22 13:33:16 localhost systemd[1]: cron.service: Deactivated successfully.
Apr 22 13:33:16 localhost systemd[1]: Stopped Regular background program proces>
.....
.....

root@dlp:~# journalctl -u systemd-tmpfiles-clean.timer

Apr 22 13:31:15 localhost systemd[1]: Started Daily Cleanup of Temporary Direct>
Apr 22 13:33:16 localhost systemd[1]: systemd-tmpfiles-clean.timer: Deactivated>
Apr 22 13:33:16 localhost systemd[1]: Stopped Daily Cleanup of Temporary Direct>
.....
.....

# [-k] : show kernel messages

root@dlp:~# journalctl -k

Aug 30 00:42:37 dlp.srv.world kernel: Linux version 5.15.0-25-generic (buildd@u>
Aug 30 00:42:37 dlp.srv.world kernel: Command line: BOOT_IMAGE=/vmlinuz-5.15.0->
Aug 30 00:42:37 dlp.srv.world kernel: KERNEL supported cpus:
Aug 30 00:42:37 dlp.srv.world kernel:   Intel GenuineIntel
Aug 30 00:42:37 dlp.srv.world kernel:   AMD AuthenticAMD
Aug 30 00:42:37 dlp.srv.world kernel:   Hygon HygonGenuine
.....
.....

# [-p Priority] : show logs of a specific priority

root@dlp:~# journalctl -p err

Aug 10 06:41:45 localhost kernel: mtd device must be supplied (device name is e>
-- Boot a840f56ef63a4e8c8cccd148103ab577 --
Aug 11 00:20:17 localhost kernel: mtd device must be supplied (device name is e>
-- Boot 4e040cbb0df542ff8a4615b3beb0d399 --
.....
.....

# [-g PATTERN] : show logs that include the specific word [PATTERN] in the [MESSAGE] field

root@dlp:~# journalctl -g "apparmor"

Apr 22 13:30:38 localhost kernel: AppArmor: AppArmor initialized
Apr 22 13:30:38 localhost kernel: AppArmor: AppArmor Filesystem Enabled
Apr 22 13:30:38 localhost kernel: AppArmor: AppArmor sha1 policy hashing enabled
Apr 22 13:30:38 localhost kernel: evm: security.apparmor
Apr 22 13:30:38 localhost systemd[1]: systemd 249.11-0ubuntu3 running in system>
Apr 22 13:30:39 localhost systemd[1]: Starting Load AppArmor profiles...
Apr 22 13:30:39 localhost apparmor.systemd[518]: Restarting AppArmor
Apr 22 13:30:39 localhost apparmor.systemd[518]: Reloading AppArmor profiles
Apr 22 13:30:39 localhost audit[546]: AVC apparmor="STATUS" operation="profile_>
Apr 22 13:30:39 localhost audit[546]: AVC apparmor="STATUS" operation="profile_>
Apr 22 13:30:39 localhost kernel: audit: type=1400 audit(1650634239.264:2): app>
Apr 22 13:30:39 localhost kernel: audit: type=1400 audit(1650634239.264:3): app>
.....
.....

# [-S DATE] : show logs Since DATE
# [-U DATE] : show logs Until DATE

root@dlp:~# journalctl -S "2022-08-01 00:00:00" -U "2022-08-30 23:59:59"

Aug 10 06:37:12 localhost kernel: Linux version 5.15.0-25-generic (buildd@ubunt>
Aug 10 06:37:12 localhost kernel: Command line: BOOT_IMAGE=/vmlinuz-5.15.0-25-g>
Aug 10 06:37:12 localhost kernel: KERNEL supported cpus:
Aug 10 06:37:12 localhost kernel:   Intel GenuineIntel
Aug 10 06:37:12 localhost kernel:   AMD AuthenticAMD
Aug 10 06:37:12 localhost kernel:   Hygon HygonGenuine
Aug 10 06:37:12 localhost kernel:   Centaur CentaurHauls
.....
.....

# show help

root@dlp:~# journalctl --help --no-pager

journalctl [OPTIONS...] [MATCHES...]

Query the journal.

Options:
     --system                Show the system journal
     --user                  Show the user journal for the current user
  -M --machine=CONTAINER     Operate on local container
  -S --since=DATE            Show entries not older than the specified date
.....
.....