In this blog, we will go through the various types of logs in the Linux operating system and how the journalctl tool can be used to explore some of them. In Linux, logs capture system events, errors, and activities of different kinds. They provide valuable information for monitoring, troubleshooting, and maintaining the system, and they are usually the first evidence an administrator or incident responder turns to.
Common log locations and files in Linux

| Type | Location | Purpose |
|---|---|---|
| Syslog | /var/log/syslog, /var/log/messages | General messages from various services and daemons are logged here, including information about system startups, shutdowns, and kernel messages. |
| Kernel Logs | /var/log/kern.log | Messages and errors from the Linux kernel are recorded here, including hardware errors, warnings, and kernel module loading. |
| Authentication Logs | /var/log/auth.log, /var/log/secure | All authentication-related information, such as login attempts, password changes, and authentication errors, is stored in these files. |
| Application Logs | /var/log/<application-name>, /var/log/<service-name> | Application logs are generally stored in application-specific log files. |
| Systemd Journal | /var/log/journal/ | The logs in this directory are managed by systemd-journald, stored in a binary format, and accessed using the journalctl command. |
| Cron Job Logs | /var/log/cron, /var/log/syslog | Logs from scheduled jobs are recorded here. |
| Package Manager Logs | /var/log/yum.log, /var/log/dpkg.log | Package installations, updates, and removals are recorded in these files. |
| Security Logs | /var/log/audit/ | Security-related logs generated by the Linux Audit Framework (auditd) are stored in this directory. |
What is systemd-journald?

systemd-journald is a component of the systemd system and service manager, which replaces the traditional SysV init system in many modern Linux distributions. This component is responsible for the collection, storage, and management of log data on Linux operating systems.

Here are some key points about systemd-journald:
| Aspect | Description |
|---|---|
| Logging Facility | systemd-journald serves as the central logging daemon that receives and stores log messages from the kernel, system services, and applications. |
| Binary Log Format | It uses a binary log format (the Journal), which differs from traditional text-based logging. |
| Indexed and Structured Logs | Log data is stored in an indexed and structured way to allow efficient and fast retrieval. |
| Metadata and Tagging | Each log entry carries metadata such as timestamps, the log source, and other contextual fields, which aids analysis. |
| Strong Integration with systemd | systemd-journald integrates tightly with other systemd components, enabling features such as logging during the early boot process and collecting logs from containers. |
| Log Management | It manages log rotation and storage quotas automatically, preventing logs from consuming excessive disk space. |
| Log Query | journalctl is the command-line utility used to query and view logs managed by systemd-journald. It provides powerful filtering and querying capabilities. |
| Access Control and Security | systemd-journald enforces access control, allowing only authorized users or services to read and manage logs. |
systemd-journald has become a core component of modern Linux distributions that use systemd. While it changes the way logs are stored and managed, it offers features that improve log handling and analysis for system administrators and developers.
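Two of the points above, log management and access control, depend on settings in /etc/systemd/journald.conf. The following shell script is an added example (it is not part of the original post and not part of systemd): it reads a journald.conf-style file and reports settings that matter on a server, namely whether the journal survives reboots (Storage=), whether Forward Secure Sealing is enabled (Seal=), and whether a disk cap (SystemMaxUse=) has been set explicitly. The key names and their defaults are taken from journald.conf(5); the policy itself (which values count as findings) is our own assumption.

```shell
#!/bin/sh
# Added example, not from the original post or from systemd.
# Reads a journald.conf-style file and flags settings a defender usually wants
# to review. Key names/defaults follow journald.conf(5); the policy is ours.

# journald_get FILE KEY -> prints the last value assigned to KEY in [Journal]
# (comment lines starting with # or ; are ignored; later lines win, as in systemd)
journald_get() {
    awk -v key="$2" '
        /^[[:space:]]*[#;]/ { next }                                     # comment
        /^[[:space:]]*\[/   { insec = ($0 ~ /^[[:space:]]*\[Journal\]/); next }
        insec && index($0, "=") {
            k = $0; sub(/[[:space:]]*=.*$/, "", k); sub(/^[[:space:]]*/, "", k)
            if (k == key) { v = $0; sub(/^[^=]*=[[:space:]]*/, "", v); val = v }
        }
        END { print val }
    ' "$1"
}

# journald_check FILE -> prints one finding per line, returns 1 if any were found
journald_check() {
    findings=0
    storage=$(journald_get "$1" Storage)
    case "${storage:-auto}" in                 # default per journald.conf(5) is auto
        persistent) ;;
        auto) echo "Storage=auto: journal is only persisted if /var/log/journal exists"; findings=1 ;;
        *)    echo "Storage=${storage}: journal is not kept across reboots"; findings=1 ;;
    esac
    seal=$(journald_get "$1" Seal)             # default is yes
    [ "${seal:-yes}" = "yes" ] || { echo "Seal=${seal}: Forward Secure Sealing disabled"; findings=1; }
    maxuse=$(journald_get "$1" SystemMaxUse)   # unset means 10% of the filesystem
    [ -n "$maxuse" ] || { echo "SystemMaxUse unset: only the built-in 10% cap applies"; findings=1; }
    return $findings
}

# Run against the live configuration when invoked as: sh script.sh --check
if [ "${1:-}" = "--check" ]; then
    journald_check /etc/systemd/journald.conf
fi
```

Run it with `--check` on a host to see the findings, and pair the result with `journalctl --disk-usage`, which reports how much space the journal currently occupies.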
What is the journalctl tool?

journalctl is a command-line utility in Linux used for querying and displaying messages from the journal managed by systemd-journald, as discussed above. The journal contains information about system events, services, and other log messages.

A few simple and common uses of journalctl:
| Purpose | Bash command |
|---|---|
| View All Logs | `journalctl` |
| Show the Latest Logs | `journalctl -xe` |
| View Logs from a Specific Unit (Service) | `journalctl -u <unit-name>` |
| View Logs Since a Specific Time | `journalctl --since "2023-01-01 00:00:00"` |
| Show Logs for a Time Range | `journalctl --since "2023-01-01 00:00:00" --until "2023-01-02 00:00:00"` |
| Search for a Specific String | `journalctl \| grep "search_term"` |
| Filter Logs by Priority (Severity) | `journalctl -p <level>` displays logs at the specified priority level or higher (0-7: emerg, alert, crit, err, warning, notice, info, debug). |
| Show Logs from a Specific Process | `journalctl _COMM=<process-name>` |
| View Boot Logs | `journalctl -b` |
| Show Logs from a Specific PID (Process ID) | `journalctl _PID=<process-id>` |
| Live Monitoring (Follow Logs) | `journalctl -f` |
| Display All Fields of Each Entry | `journalctl -o verbose` |
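The commands in the table are usually combined: filter by unit and time window with journalctl, then post-process the text. The shell script below is an added example (not from the original post) that does exactly that for the authentication use case: it reads sshd entries in journalctl's default `short` output and counts failed password attempts per source address, which is a quick way to spot a brute-force attempt against a host. The message text it matches ("Failed password for ... from <addr> port <n>") is OpenSSH's real wording; the sample log lines are constructed for the demo and are not real data.

```shell
#!/bin/sh
# Added example, not from the original post. Summarise failed SSH password
# attempts per source address from journal lines. On a real host:
#   journalctl -u ssh --since "2023-01-01 00:00:00" --no-pager | ssh_failed_by_source
# (use -u sshd on distributions that name the unit that way).

# ssh_failed_by_source: reads journalctl "short" output on stdin, prints
# "<count> <address>" lines, most frequent first
ssh_failed_by_source() {
    awk '
        # only sshd entries that report a failed password
        /sshd\[[0-9]+\]:/ && /Failed password/ {
            # the source address is the token following "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { count[$(i + 1)]++; break }
        }
        END { for (a in count) printf "%d %s\n", count[a], a }
    ' | sort -rn
}

# Constructed sample in journalctl "short" format (not real log data).
# Addresses are from the RFC 5737 documentation ranges.
SAMPLE='Jan 01 10:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 01 10:00:03 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Jan 01 10:00:05 host sshd[1203]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2
Jan 01 10:00:09 host sshd[1205]: Failed password for root from 198.51.100.9 port 40100 ssh2
Jan 01 10:00:11 host cron[900]: (root) CMD (run-parts /etc/cron.hourly)'

# Demo on the constructed sample when invoked as: sh script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE" | ssh_failed_by_source
fi
```

Because the function keys on the sshd message rather than the timestamp, it works unchanged with `-o short-iso` output, and adding `-p warning` or a `--since` window to the journalctl call narrows the input before any text processing happens.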
Summary

These are just a few examples of how you can use journalctl to inspect and analyze system logs on a Linux system. The utility provides a rich set of options for querying and filtering logs based on various criteria.