Systemd is the system and service manager for Linux. It offers a powerful logging solution that records service-related information through its journal. The journalctl command provides a way to access and manipulate the data stored in the systemd journal.
The main goal of systemd's journal is centralized log management: merging logs from multiple sources into a single, easy-to-access store. The journald daemon is responsible for collecting and managing log messages from a variety of components such as the kernel, initrd and other services.
The main advantages of the systemd journal include dynamic log displays, arbitrary output formats and the ability to replace or complement an existing syslog implementation. This centralized approach makes log analysis efficient and lets users have log data presented according to their needs.
Setting the System Time
Before getting into journalctl, make sure the system time settings are correct, since every journal entry is stamped with the system clock. Systemd provides the timedatectl tool for managing time-related configuration. Use it to list all available time zones and set the appropriate one for your servers.
timedatectl list-timezones
sudo timedatectl set-timezone <zone>
timedatectl status
Basic Log Viewing
To view logs stored by the journald daemon, utilize the journalctl command. When executed without options, it displays all journal entries in a pager. You can navigate through the logs, which include information from the early boot process, kernel, initrd, and application standard error and output.
journalctl
To display timestamps in UTC instead of local time, use the --utc flag:
journalctl --utc
Journal Filtering by Time
Displaying Logs from the Current Boot
A common scenario is viewing logs from the current boot. The -b flag achieves this:
journalctl -b
For previous boots, use the --list-boots option to identify available boots, then display logs from a specific boot by passing its boot ID (or its relative offset from the list) to the -b flag.
journalctl --list-boots
journalctl -b <boot-ID>
Time Windows
To filter logs within specific time ranges, use the --since and --until options. Time values can be absolute or relative, allowing flexibility in defining time windows.
journalctl --since "YYYY-MM-DD HH:MM:SS"
journalctl --since yesterday
journalctl --since 09:00 --until "1 hour ago"
Filtering by Message Interest
By Unit
Filtering by unit (service) is useful for focusing on specific components. Use the -u option to retrieve logs related to a particular unit.
journalctl -u nginx.service
journalctl -u nginx.service --since today
journalctl -u nginx.service -u php-fpm.service --since today
By Process, User, or Group ID
Filter logs by process ID (_PID), user ID (_UID), or group ID (_GID). This can be valuable for isolating logs associated with specific processes or users.
journalctl _PID=<process-ID>
journalctl _UID=<user-ID> --since today
journalctl -F _GID # Display available group IDs
journalctl _GID=<group-ID>
By Component Path
Filter logs by providing an executable path. This is helpful when focusing on entries related to a specific executable.
journalctl /usr/bin/bash
Displaying Kernel Messages
Retrieve kernel messages using the -k or --dmesg flags:
journalctl -k
journalctl -k -b -5 # Display messages from five boots ago
By Priority
Filter logs by priority using the -p option. Priorities follow the syslog levels, from emerg (0) down to debug (7); -p err shows entries at the err level or more severe (numerically lower):
journalctl -p err -b
Modifying the Journal Display
Truncate or Expand Output
Adjust how journalctl displays data: the --no-full option truncates long lines to the terminal width (the default, --full, wraps them), and the -a (--all) flag shows all fields in full, including very long entries and unprintable data.
journalctl --no-full
journalctl -a
Output to Standard Out
By default, journalctl uses a pager. Use the --no-pager option to output directly to standard output, facilitating further processing.
journalctl --no-pager
Output Formats
Change the output format using the -o option with format specifiers such as json, json-pretty, short, etc. The json formats emit one entry per line with the journal fields (MESSAGE, PRIORITY, _SYSTEMD_UNIT, ...) as keys, which is convenient for scripted analysis.
journalctl -b -u nginx -o json
journalctl -b -u nginx -o json-pretty
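The following is an added example, not part of the original article, that ties the priority filtering and the json output format together: it reads journalctl -o json lines (a constructed sample is embedded so it runs offline) and counts, per unit, the entries at or above a given severity, the same cut-off as -p err. The function and sample names are assumptions for this example.

```shell
#!/bin/sh
# Constructed sample of `journalctl -o json` output (one entry per line).
# Real entries carry many more fields; these are the ones the filter uses.
SAMPLE_JSON='{"__REALTIME_TIMESTAMP":"1700000000000000","PRIORITY":"6","_SYSTEMD_UNIT":"nginx.service","MESSAGE":"worker process started"}
{"__REALTIME_TIMESTAMP":"1700000001000000","PRIORITY":"3","_SYSTEMD_UNIT":"nginx.service","MESSAGE":"upstream timed out"}
{"__REALTIME_TIMESTAMP":"1700000002000000","PRIORITY":"4","_SYSTEMD_UNIT":"sshd.service","MESSAGE":"Failed password for invalid user test"}
{"__REALTIME_TIMESTAMP":"1700000003000000","PRIORITY":"3","_SYSTEMD_UNIT":"sshd.service","MESSAGE":"error: maximum authentication attempts exceeded"}
{"__REALTIME_TIMESTAMP":"1700000004000000","PRIORITY":"2","_SYSTEMD_UNIT":"sshd.service","MESSAGE":"fatal: Timeout before authentication"}
{"__REALTIME_TIMESTAMP":"1700000005000000","PRIORITY":"6","_SYSTEMD_UNIT":"systemd-logind.service","MESSAGE":"New session 12 of user alice."}'

# count_by_unit MAXPRIO: read JSON-lines journal entries on stdin and print
# "<unit> <count>" for entries whose PRIORITY is numerically <= MAXPRIO.
# syslog priorities run 0 (emerg) .. 7 (debug), so 3 means "err or worse",
# which is the same cut-off as `journalctl -p err`.
count_by_unit() {
    awk -v maxprio="${1:-3}" '
    # field(line, name): extract the value of "name":"value" from one JSON
    # line. journalctl emits PRIORITY and _SYSTEMD_UNIT as plain quoted strings.
    function field(line, name,    re) {
        re = "\"" name "\":\"[^\"]*\""
        if (!match(line, re)) return ""
        return substr(line, RSTART + length(name) + 4, RLENGTH - length(name) - 5)
    }
    {
        prio = field($0, "PRIORITY")
        unit = field($0, "_SYSTEMD_UNIT")
        if (prio != "" && unit != "" && prio + 0 <= maxprio + 0) count[unit]++
    }
    END { for (u in count) print u, count[u] }' | sort
}

# Live usage (not run here): journalctl -b -o json --no-pager | count_by_unit 3
printf '%s\n' "$SAMPLE_JSON" | count_by_unit 3
```

Pass 4 instead of 3 to include warnings as well; the sample then reports three sshd.service entries.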
Active Process Monitoring
Journalctl can serve as a real-time log monitoring tool.
Displaying Recent Logs
Use the -n option to display a specific number of recent log entries (without a number it shows the last 10).
journalctl -n
journalctl -n 20
Following Logs
Actively follow logs as they are written using the -f flag, similar to tail -f.
journalctl -f
Journal Maintenance
Finding Current Disk Usage
Check the current disk usage of the journal with the --disk-usage flag:
journalctl --disk-usage
Deleting Old Logs
Shrink the journal by specifying a size with --vacuum-size or a cutoff time with --vacuum-time. Vacuuming only removes archived journal files; the active journal file is left in place.
sudo journalctl --vacuum-size=1G
sudo journalctl --vacuum-time=1years
Limiting Journal Expansion
Configure journal growth limits in /etc/systemd/journald.conf (or a drop-in file under /etc/systemd/journald.conf.d/), using options in the [Journal] section such as SystemMaxUse, SystemKeepFree, etc. Vacuuming is a one-off cleanup; these settings make journald enforce the limits continuously.
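As an added example (not from the original article), here is a shell helper that generates such a drop-in with the journald.conf keys named above, validating the size arguments before emitting the file. The function names, file name 10-limits.conf and the chosen limit values are assumptions for this example.

```shell
#!/bin/sh
# journald_dropin MAX_USE KEEP_FREE MAX_FILE RETENTION: print a journald
# drop-in that caps persistent journal growth. Sizes are validated as whole
# numbers with an optional K/M/G/T suffix; RETENTION is a journald time span.
journald_dropin() {
    max_use="$1"; keep_free="$2"; max_file="$3"; retention="$4"
    for size in "$max_use" "$keep_free" "$max_file"; do
        if ! printf '%s' "$size" | grep -Eq '^[0-9]+[KMGT]?$'; then
            echo "journald_dropin: invalid size '$size'" >&2
            return 1
        fi
    done
    cat <<EOF
[Journal]
# Keep the journal on disk under /var/log/journal
Storage=persistent
# Hard cap on the total size the journal may occupy
SystemMaxUse=$max_use
# Always leave at least this much free on the journal's filesystem
SystemKeepFree=$keep_free
# Rotate individual journal files once they reach this size
SystemMaxFileSize=$max_file
# Drop entries older than this even if space remains
MaxRetentionSec=$retention
EOF
}

# install_dropin DIR: write the drop-in into DIR. For a real system use
# /etc/systemd/journald.conf.d and then run `systemctl restart systemd-journald`.
install_dropin() {
    dir="$1"
    mkdir -p "$dir" && journald_dropin 1G 500M 100M 1month > "$dir/10-limits.conf"
}
```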
Conclusion
The journalctl command, coupled with systemd's journal, offers a robust solution for log management and analysis. Its flexibility, together with the various filtering and formatting options, lets administrators efficiently navigate system and application logs and extract valuable insights from them. Understanding these capabilities of journalctl improves your ability to troubleshoot, monitor, and maintain a systemd-based system effectively.