Journald : Basic Usage
2021/09/23
This is the basic usage of Journald, the log management service daemon.
[1] By default, Journald is running and collects most of the logging data on the system. Therefore, if Journald [systemd-journald.service systemd-journald.socket systemd-journald-dev-log.socket] goes down, collection of that logging data also stops.
root@dlp:~# systemctl status systemd-journald.service
* systemd-journald.service - Journal Service
     Loaded: loaded (/lib/systemd/system/systemd-journald.service; static)
     Active: active (running) since Wed 2021-09-22 19:31:44 CDT; 2h 17min ago
TriggeredBy: * systemd-journald-audit.socket
             * systemd-journald-dev-log.socket
             * systemd-journald.socket
       Docs: man:systemd-journald.service(8)
             man:journald.conf(5)
   Main PID: 235 (systemd-journal)
     Status: "Processing requests..."
      Tasks: 1 (limit: 4675)
     Memory: 15.0M
        CPU: 131ms
[2] Journald settings can be changed in [/etc/systemd/journald.conf]. All options are commented out by default, but the commented values are the default parameters of Journald on Debian 11.
root@dlp:~# cat /etc/systemd/journald.conf
[Journal]
#Storage=auto
#Compress=yes
#Seal=yes
#SplitMode=uid
#SyncIntervalSec=5m
#RateLimitIntervalSec=30s
#RateLimitBurst=10000
#SystemMaxUse=
#SystemKeepFree=
#SystemMaxFileSize=
#SystemMaxFiles=100
#RuntimeMaxUse=
#RuntimeKeepFree=
#RuntimeMaxFileSize=
#RuntimeMaxFiles=100
#MaxRetentionSec=
#MaxFileSec=1month
#ForwardToSyslog=yes
#ForwardToKMsg=no
#ForwardToConsole=no
#ForwardToWall=yes
#TTYPath=/dev/console
#MaxLevelStore=debug
#MaxLevelSyslog=debug
#MaxLevelKMsg=notice
#MaxLevelConsole=info
#MaxLevelWall=emerg
#LineMax=48K
#ReadKMsg=yes
#Audit=no
[3] Where logging data is stored is set by [Storage=***] in [/etc/systemd/journald.conf]. In addition, with the setting [ForwardToSyslog=yes] on Journald, logging data is also stored by Rsyslogd in conventional files such as [/var/log/syslog].
# parameters of [Storage=***]
#
# volatile   : stored only in memory : under [/run/log/journal]
# persistent : stored on disk : under [/var/log/journal]
#              but if it is impossible to write to disk, as in early boot, it falls back to memory
# auto       : stored on disk if [/var/log/journal] exists
#              if it does not exist, stored in memory
# none       : no data is stored
#              but data is still forwarded to other targets like the Syslog daemon if they are configured
#
# * storage in memory is not persistent; when the system is restarted, logging data are cleared
#   with the default settings of Debian 11, [auto] is set and
#   [/var/log/journal] exists, so logging data are stored in [/var/log/journal]

root@dlp:~# grep Storage /etc/systemd/journald.conf
#Storage=auto
root@dlp:~# ll -d /var/log/journal
drwxr-sr-x+ 3 root systemd-journal 4096 Aug 16 01:29 /var/log/journal
root@dlp:~# ll -Rh /var/log/journal
/var/log/journal:
total 4.0K
drwxr-sr-x+ 2 root systemd-journal 4.0K Sep 22 19:31 6d96b40f1a954b7cbd42a163bc9e82af

/var/log/journal/6d96b40f1a954b7cbd42a163bc9e82af:
total 57M
-rw-r-----+ 1 root systemd-journal 8.0M Aug 16 21:29 system@c98557962af340efb600ccd36f4dbfb0-0000000000000001-0005c9a7535c72c7.journal
-rw-r-----+ 1 root systemd-journal 8.0M Sep 22 18:38 system@c98557962af340efb600ccd36f4dbfb0-0000000000001310-0005c9b81768bef9.journal
-rw-r-----+ 1 root systemd-journal 8.0M Sep 22 19:31 system@c98557962af340efb600ccd36f4dbfb0-0000000000001656-0005cc9e023814c2.journal
-rw-r-----+ 1 root systemd-journal 8.0M Sep 22 22:22 system.journal
-rw-r-----+ 1 root systemd-journal 8.0M Aug 16 21:29 user-1000@b01c0c9bfd2c451faf49e166e7738756-0000000000000322-0005c9a7540ff542.journal
-rw-r-----+ 1 root systemd-journal 8.0M Sep 22 19:31 user-1001@8302bc9870d949f69bc87d3aa26902b2-0000000000001b35-0005cc9eadea0637.journal
-rw-r-----+ 1 root systemd-journal 8.0M Sep 22 19:36 user-1001.journal
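To check which of the [Storage=***] cases applies on a host, for example when confirming that logs survive a reboot, the following added example (not part of the original page) resolves the effective storage location from a config file and the presence of the persistent directory. The function name effective_storage is hypothetical, and it assumes that only the one file passed in is read; drop-in directories are not considered.

```shell
#!/bin/sh
# Added example: resolve where journald keeps logs, following the
# Storage= rules described in this section.
# Assumption: only the single config file given is read.

# effective_storage CONF_FILE PERSISTENT_DIR
# Prints one of: disk | memory | none | unknown
effective_storage() {
    conf=$1
    dir=$2
    # Last uncommented Storage= line wins; a commented-out or empty
    # setting means the default, which is "auto".
    value=$(sed -n 's/^[[:space:]]*Storage[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*$/\1/p' \
        "$conf" 2>/dev/null | tail -n 1)
    [ -n "$value" ] || value=auto
    case $value in
        volatile)   echo memory ;;
        # persistent falls back to memory only while the disk is not writable
        persistent) echo disk ;;
        none)       echo none ;;
        auto)
            if [ -d "$dir" ]; then echo disk; else echo memory; fi ;;
        *)          echo unknown ;;
    esac
}

# Constructed sample: Debian 11 defaults (Storage commented out),
# checked without and then with the persistent directory present.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '[Journal]\n#Storage=auto\n' > "$tmp/journald.conf"
    echo "without journal dir: $(effective_storage "$tmp/journald.conf" "$tmp/journal")"
    mkdir "$tmp/journal"
    echo "with journal dir   : $(effective_storage "$tmp/journald.conf" "$tmp/journal")"
    rm -rf "$tmp"
}
demo
```

On a real host the call would be `effective_storage /etc/systemd/journald.conf /var/log/journal`.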
[4] To show logging data stored by Journald, use the [journalctl] command.
# show all data without any option : results are sent to the [less] command
# to avoid sending to [less], add the [--no-pager] option
root@dlp:~# journalctl
-- Journal begins at Mon 2021-08-16 01:29:38 CDT, ends at Wed 2021-09-22 22:17:>
Aug 16 01:29:38 debian kernel: Linux version 5.10.0-8-amd64 (debian-kernel@list>
Aug 16 01:29:38 debian kernel: Command line: BOOT_IMAGE=/vmlinuz-5.10.0-8-amd64>
Aug 16 01:29:38 debian kernel: x86/fpu: Supporting XSAVE feature 0x001: 'x87 fl>
Aug 16 01:29:38 debian kernel: x86/fpu: Supporting XSAVE feature 0x002: 'SSE re>
Aug 16 01:29:38 debian kernel: x86/fpu: Supporting XSAVE feature 0x004: 'AVX re>
.....
.....

# [-u UNIT] : show logs of a specific UNIT
root@dlp:~# journalctl -u cron.service
-- Journal begins at Mon 2021-08-16 01:29:38 CDT, ends at Wed 2021-09-22 22:17:>
Aug 16 01:29:40 debian systemd[1]: Started Regular background program processin>
Aug 16 01:29:40 debian cron[375]: (CRON) INFO (pidfile fd = 3)
Aug 16 01:29:40 debian cron[375]: (CRON) INFO (Running @reboot jobs)
Aug 16 01:32:07 debian systemd[1]: Stopping Regular background program processi>
Aug 16 01:32:07 debian systemd[1]: cron.service: Succeeded.
.....
.....

root@dlp:~# journalctl -u systemd-tmpfiles-clean.timer
-- Journal begins at Mon 2021-08-16 01:29:38 CDT, ends at Wed 2021-09-22 22:17:>
Aug 16 01:29:40 debian systemd[1]: Started Daily Cleanup of Temporary Directori>
Aug 16 01:32:07 debian systemd[1]: systemd-tmpfiles-clean.timer: Succeeded.
Aug 16 01:32:07 debian systemd[1]: Stopped Daily Cleanup of Temporary Directori>
.....
.....

# [-k] : show kernel message logs
root@dlp:~# journalctl -k
-- Journal begins at Mon 2021-08-16 01:29:38 CDT, ends at Wed 2021-09-22 22:17:>
Sep 22 19:31:44 dlp.srv.world kernel: Linux version 5.10.0-8-amd64 (debian-kern>
Sep 22 19:31:44 dlp.srv.world kernel: Command line: BOOT_IMAGE=/vmlinuz-5.10.0->
Sep 22 19:31:44 dlp.srv.world kernel: x86/fpu: Supporting XSAVE feature 0x001: >
Sep 22 19:31:44 dlp.srv.world kernel: x86/fpu: Supporting XSAVE feature 0x002: >
Sep 22 19:31:44 dlp.srv.world kernel: x86/fpu: Supporting XSAVE feature 0x004: >
.....
.....

# [-p Priority] : show logs of a specific priority
root@dlp:~# journalctl -p err
-- Journal begins at Mon 2021-08-16 01:29:38 CDT, ends at Wed 2021-09-22 22:17:>
Aug 16 21:29:18 debian kernel: watchdog: watchdog0: watchdog did not stop!
-- Boot 18eec54b205e4c6b82a225ab14159385 --
Sep 22 18:38:54 dlp.srv.world dhclient[456]: receive_packet failed on enp1s0: N>
Sep 22 18:38:54 dlp.srv.world kernel: watchdog: watchdog0: watchdog did not sto>
-- Boot ee96107c56db424185e3fce8408c5d9b --
Sep 22 19:31:38 dlp.srv.world kernel: watchdog: watchdog0: watchdog did not sto>
.....
.....

# [-g PATTERN] : show logs that include the word [PATTERN] in the [MESSAGE] field
root@dlp:~# journalctl -g "apparmor"
-- Journal begins at Mon 2021-08-16 01:29:38 CDT, ends at Wed 2021-09-22 22:17:>
Aug 16 01:29:38 debian kernel: AppArmor: AppArmor initialized
Aug 16 01:29:38 debian kernel: AppArmor: AppArmor Filesystem Enabled
Aug 16 01:29:38 debian kernel: AppArmor: AppArmor sha1 policy hashing enabled
Aug 16 01:29:38 debian systemd[1]: systemd 247.3-6 running in system mode. (+PA>
Aug 16 01:29:39 debian systemd[1]: Starting Load AppArmor profiles...
Aug 16 01:29:39 debian apparmor.systemd[355]: Restarting AppArmor
Aug 16 01:29:39 debian apparmor.systemd[355]: Reloading AppArmor profiles
Aug 16 01:29:39 debian audit[372]: AVC apparmor="STATUS" operation="profile_loa>
Aug 16 01:29:39 debian kernel: audit: type=1400 audit(1629095379.952:2): apparm>
Aug 16 01:29:39 debian audit[373]: AVC apparmor="STATUS" operation="profile_loa>
.....
.....

# [-S DATE] : show logs Since DATE
# [-U DATE] : show logs Until DATE
root@dlp:~# journalctl -S "2021-09-20 00:00:00" -U "2021-09-25 23:59:59"
-- Journal begins at Mon 2021-08-16 01:29:38 CDT, ends at Wed 2021-09-22 22:17:>
Sep 22 18:38:17 debian kernel: Linux version 5.10.0-8-amd64 (debian-kernel@list>
Sep 22 18:38:17 debian kernel: Command line: BOOT_IMAGE=/vmlinuz-5.10.0-8-amd64>
Sep 22 18:38:17 debian kernel: x86/fpu: Supporting XSAVE feature 0x001: 'x87 fl>
Sep 22 18:38:17 debian kernel: x86/fpu: Supporting XSAVE feature 0x002: 'SSE re>
Sep 22 18:38:17 debian kernel: x86/fpu: Supporting XSAVE feature 0x004: 'AVX re>
Sep 22 18:38:17 debian kernel: x86/fpu: xstate_offset[2]: 576, xstate_sizes[2]>
.....
.....

# show help
root@dlp:~# journalctl --help --no-pager
journalctl [OPTIONS...] [MATCHES...]

Query the journal.

Options:
     --system                Show the system journal
     --user                  Show the user journal for the current user
  -M --machine=CONTAINER     Operate on local container
  -S --since=DATE            Show entries not older than the specified date
.....
.....