Systemd is a system and service manager for modern Linux that replaces SysVinit. It:
- Runs as the daemon with PID 1
- Provides aggressive parallelization capabilities
- Uses socket and D-Bus activation for starting services
- Offers on-demand starting of daemons
- Implements transactional dependency-based service control logic
- Tracks processes using Linux cgroups
- Supports snapshotting and restoring
- Maintains mount and automount points
In traditional SysVinit, logs are stored by syslog as plain text files, which are read and analyzed with commands such as 'find', 'grep' and 'less'. systemd's journal collects logs from more sources than syslog and keeps them in a binary format, so 'journalctl' is needed to read and analyze those logs.
journald is the daemon from systemd that collects the logs from various log sources like syslog.
journalctl is the command line tool that lets you interact with the journal logs.
With journalctl, you can read logs, monitor the logs in real time, filter the logs based on time, service, severity and other parameters.
The default location of journald logs is the /var/log/journal directory. For logs to survive a reboot, make sure the Storage value in /etc/systemd/journald.conf is set to either auto or persistent (with auto, logs are written to disk only if /var/log/journal already exists).
Keys used in the 'journalctl' pager (it uses less by default):
Up/Down arrow - move by one line
Space - move to next page
b - move back one page
g/G - first/last line
100g - the 100th line
/term - search string
n/N - next/previous search term
q - quit
Command line options:
$ journalctl -r [reverse chronological order]
$ journalctl -n N [display last N lines]
$ journalctl -f [follow new entries, like tail -f]
$ journalctl --utc [display the time at UTC]
$ journalctl -k [show only kernel messages]
$ journalctl -u ssh [show 'ssh' unit messages only]
To filter logs based on time interval:
$ journalctl --since=yesterday --until=now
$ journalctl --since "2020-01-01"
To filter logs based on uid/gid/pid:
$ journalctl _PID=1234
Other useful options:
$ journalctl --disk-usage [ disk space usage ]
$ journalctl -xe [jump to the end of the log, with explanatory text]
$ journalctl -p 3 -xb
-p 3 : filter logs by priority 3 (which is err) and more severe
-x : additional explanatory info on the log entries
-b : since the last boot (current session)
$ journalctl -p 4..6 -b0 [ warn .. info ]
[ 0/emerg, 1/alert, 2/crit, 3/err, 4/warn, 5/notice, 6/info, 7/debug ]
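As an added example (not from the linked article), the script below turns the -p / -b filters above, combined with journalctl's export output format, into a per-unit error summary that can be checked offline; journal_summary and sample_export are names made up here, and the sample entries are constructed.

```shell
#!/bin/sh
# Added example, not from the linked article. Summarises journal entries per unit and
# priority so that a -p / -b / --since filter becomes a quick triage table.
# Input: journalctl's export format (journalctl -o export), i.e. KEY=VALUE lines with
# one blank line between entries. Helper names (journal_summary, sample_export) are
# made up for this example. Caveat: fields that contain newlines are emitted by
# journalctl as length-prefixed binary blocks; this parser assumes plain text fields.

# Print "count unit priority-name" for entries at priority <= $1 (default 3, err),
# most frequent first. Names follow journalctl's own 0..7 table (4 is "warning").
journal_summary() {
    max="${1:-3}"
    awk -v max="$max" -F= '
        function flush() {
            if (unit != "" && prio != "" && prio + 0 <= max)
                count[unit " " names[prio + 1]]++
            unit = ""; prio = ""
        }
        BEGIN { split("emerg alert crit err warning notice info debug", names, " ") }
        /^PRIORITY=/      { prio = $2 }
        /^_SYSTEMD_UNIT=/ { unit = $2 }
        /^$/              { flush() }
        END               { flush(); for (k in count) print count[k], k }
    ' | sort -rn
}

# Constructed sample export output (not real journal data): three ssh.service
# entries, one of them informational, and one cron.service warning.
sample_export() {
    printf '%s\n' \
        'PRIORITY=3' '_SYSTEMD_UNIT=ssh.service' 'MESSAGE=error: PAM: Authentication failure' '' \
        'PRIORITY=6' '_SYSTEMD_UNIT=ssh.service' 'MESSAGE=Accepted publickey for admin' '' \
        'PRIORITY=3' '_SYSTEMD_UNIT=ssh.service' 'MESSAGE=error: kex_exchange_identification' '' \
        'PRIORITY=4' '_SYSTEMD_UNIT=cron.service' 'MESSAGE=(CRON) warning' ''
}

# Offline check:        sample_export | journal_summary 3   -> "2 ssh.service err"
# Live on a systemd host: journalctl -b0 -p 0..4 -o export | journal_summary 4
```

The live form keeps journalctl's own filtering (-b0, -p) and only post-processes the export output, so it works on the same logs the commands above display.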
Link: How to Use journalctl Command to Analyze Logs in Linux (linuxhandbook.com)