Systemd-Journald
#journaldjournald
is a part of the systemd
suite of softwares that provide variety of system components for Linux based
operating systems. journald is a daemon responsible for recording logs generated by Linux kernel and other
applications installed on the system.
Since its inception and later mass adoption by majority of the Linux distributions, systemd has remained a controversial topic among the Linux enthusiasts and sysadmins. Now there are both valid and not-so-sound arguments against systemd; but the fact that almost every major Linux distribution today uses systemd speaks for its merit and is a reason good enough for us to understand it better.
I for one quite like the convenience and coherent ecosystem of utilities and commands that systemd provides and in this series of web posts I want to share some of the systemd related tid-bits and the use-cases I solve using systemd utilities.
This first post is about the log collection and management utility provided by the systemd i.e. systemd-journald
.
What is systemd-journald
systemd-journald
is a daemon to collect event logs into its data store in binary format. This daemon can be
configured by modifying the configuration file that by default is stored at /etc/systemd/journald.conf
.
Configuration files for all systemd daemons (including journald) are in INI
format and are stored under
/etc/systemd/
. After modifying the INI
files it is necessary to restart the corresponding daemon using systemctl
How to restart journald
systemctl restart systemd-journald
Detailed reference for the journald config can be found at the freedesktop website here - https://www.freedesktop.org/software/systemd/man/journald.conf.html#
Few facts about the journal daemon and its config that stand out for me are:
journald can be configured to store the logs in either the persistent file system under the default path of
/var/log/journal/
or in a volatile file system under/run/log/journal
by default. Logs stored in the persistent file system are stored permanently depending upon the retention factors specified in config like total size, age etc. Logs stored in the volatile file system also obey similar retention logic, but are removed upon reboot.journald can be configured to forward the logs to syslog. This the default behaviour for most Linux distributions. For e.g. in fedora journald logs are also stored in syslog format in plain text in various files under
/var/log
.
$ sudo tail -3 /var/log/messages
Feb 28 11:49:03 xpsws NetworkManager[773]: <info> [1582850943.6441]
Feb 28 11:49:03 xpsws systemd[1]: Starting Network Manager
Feb 28 11:49:03 xpsws systemd[1]: Started Network Manager
What is journalctl
Journalctl is a command line interface to query the logs stored by journald in its binary store.
When invoked without any parameters, it displays all the logs in default syslog format. Following are a few more examples of the common journalctl commands that highlight its powerful features.
Common commands
- To follow all the logs on stdout (analogous to
tail -f /var/log/syslog
)
$ journalctl -f
- To display logs pertaining to a service (systemd unit) and display only last 10 log entries
$ journalctl -u <servicename> -n 10
- To display logs in a different format e.g.
json
$ journalctl -u <servicename> -n 2 -o json
Notable supported formats: json, json-pretty, short, short-iso, verbose
- To display the amount of disk used by journald logs
$ journalctl --disk-usage
Archived and active journals take up 24.0M in the file system.
A detailed reference guide for the journalctl cli can be found here - https://www.freedesktop.org/software/systemd/man/journalctl.html