journalctl: Your door to Linux logs

In this blog, we will go through the various types of logs in the Linux operating system and see how the journalctl tool can be used to explore some of them. In Linux, logs capture different types of system events, errors, and activities. These logs provide valuable information for monitoring, troubleshooting, and maintaining the system.

Common logs locations and files in Linux

| Type | Location | Purpose |
| --- | --- | --- |
| Syslog | /var/log/syslog, /var/log/messages | General messages from various services and daemons are logged here, including information about system startups, shutdowns, and kernel messages. |
| Kernel Logs | /var/log/kern.log | Messages and errors from the Linux kernel are recorded here, including hardware errors, warnings, and kernel module loading. |
| Authentication Logs | /var/log/auth.log, /var/log/secure | All authentication-related information, such as login attempts, password changes, and authentication errors, is stored in these files. |
| Application Logs | /var/log/<application-name>, /var/log/<service-name> | Application logs are generally stored in application-specific log files. |
| Systemd Journal | /var/log/journal/ | The logs in this directory are managed by systemd-journald, which stores them in a binary format; they are accessed with the journalctl command. |
| Cron Job Logs | /var/log/cron, /var/log/syslog | Logs from scheduled jobs are recorded here. |
| Package Manager Logs | /var/log/yum.log, /var/log/dpkg.log | Package installation, update, and removal events are recorded in these files. |
| Security Logs | /var/log/audit/ | Security-related logs generated by the Linux Audit Framework (audit) are stored in this directory. |

What is systemd-journald?

systemd-journald is a component of the systemd system and service manager, which is a replacement for the traditional SysV init system in many modern Linux distributions. This component is responsible for collection, storage, and management of log data on Linux operating systems.

Here are some key points about systemd-journald:

- Logging facility: systemd-journald serves as the central logging daemon that receives and stores log messages from the kernel, system services, and applications.
- Binary log format: it uses a binary log format (the Journal), which differs from traditional text-based logging.
- Indexed and structured logs: the log data is stored in an indexed and structured way to allow efficient and faster retrieval.
- Metadata and tagging: each log entry carries metadata such as timestamps, the log source, and other contextual information to aid analysis.
- Strong integration with systemd: systemd-journald integrates tightly with the other components of systemd, enabling features like logging during the early boot process and collecting logs from containers.
- Log management: it manages log rotation and storage quotas automatically, preventing logs from consuming excessive disk space.
- Log query: journalctl is the command-line utility used to query and view logs managed by systemd-journald. It provides powerful filtering and querying capabilities for accessing log data.
- Access control and security: systemd-journald enforces access control mechanisms, allowing only authorized users or services to read and manage logs.

systemd-journald has become a core component of modern Linux distributions that use systemd. While it changes the way logs are stored and managed, it offers various features that improve log handling and analysis for system administrators and developers.

What is journalctl tool?

journalctl is a command-line utility in Linux used for querying and displaying messages from the journal managed by systemd-journald, as discussed above. The journal contains information about system events, services, and other log messages.

A few simple and common uses of journalctl:

| Purpose | Bash command |
| --- | --- |
| View All Logs | journalctl |
| Show the Latest Logs | journalctl -xe |
| View Logs from a Specific Unit (Service) | journalctl -u <unit-name> |
| View Logs Since a Specific Time | journalctl --since "2023-01-01 00:00:00" |
| Show Logs for a Time Range | journalctl --since "2023-01-01 00:00:00" --until "2023-01-02 00:00:00" |
| Search for a Specific String | journalctl \| grep "search_term" |
| Filter Logs by Priority (Severity); displays logs with the specified priority level (0-7: emerg, alert, crit, err, warning, notice, info, debug) | journalctl -p <level> |
| Show Logs from a Specific Process | journalctl _COMM=<process-name> |
| View Boot Logs | journalctl -b |
| Show Logs from a Specific PID (Process ID) | journalctl _PID=<process-id> |
| Live Monitoring (Follow Logs) | journalctl -f |
| Display All Fields of Each Entry (Verbose Output) | journalctl -o verbose |
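As an added example, not code from the original post, here is a small shell script that does the analysis step a defender would typically run on journalctl output: it takes the text of `journalctl -u ssh -o short-iso` (a constructed sample is embedded below; the unit name `ssh` and the sshd message wording are assumptions) and counts failed password attempts per source address, so the unit, time-range and priority filters from the table above feed a concrete check.

```shell
#!/bin/sh
# Constructed sample of `journalctl -u ssh -o short-iso` output (not real data;
# addresses are from documentation ranges).
SAMPLE_JOURNAL='2023-01-01T00:00:01+0000 host1 sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 4444 ssh2
2023-01-01T00:00:03+0000 host1 sshd[1201]: Failed password for root from 203.0.113.5 port 4445 ssh2
2023-01-01T00:00:05+0000 host1 sshd[1203]: Accepted publickey for alice from 198.51.100.7 port 50022 ssh2: ED25519 SHA256:placeholder
2023-01-01T00:00:09+0000 host1 sshd[1205]: Failed password for invalid user test from 203.0.113.5 port 4446 ssh2
2023-01-01T00:00:12+0000 host1 sshd[1207]: Failed password for bob from 198.51.100.9 port 50100 ssh2'

# Count "Failed password" lines per source address.
# Input: journal text on $1. Output: "count address" lines, highest count first.
count_failed_logins() {
    printf '%s\n' "$1" | awk '
        /sshd\[[0-9]+\]: Failed password/ {
            # the source address is the field that follows "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { ips[$(i+1)]++ }
        }
        END { for (ip in ips) print ips[ip], ip }
    ' | sort -rn
}

# Print only the addresses whose failure count is at least the threshold in $2.
addresses_over_threshold() {
    count_failed_logins "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# Live helper (hypothetical wrapper, not run here): pull the same text from the
# real journal for a unit ($1) since a point in time ($2), e.g. "1 hour ago".
failed_logins_since() {
    journalctl -u "$1" --since "$2" -o short-iso --no-pager
}

# Usage on the embedded sample:
count_failed_logins "$SAMPLE_JOURNAL"
addresses_over_threshold "$SAMPLE_JOURNAL" 3
```

Run the live helper as root or as a member of the systemd-journal group, since journalctl only shows other units' entries to accounts that are allowed to read the system journal.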

Summary

These are just a few examples of how you can use journalctl to inspect and analyze system logs on a Linux system. The utility provides a rich set of options for querying and filtering logs based on various criteria.
