How to View and Analyze Logs on Linux With journalctl

Log messages are important for auditing and maintaining a healthy Linux system. Every Linux computer stores log messages for different services or jobs. This guide will explore how to read and analyze log messages using journalctl, a command-line tool for reading log messages written by journald.

What Is journald?

Journald is a system logging service that aggregates log messages into a journal. It is part of systemd and is responsible for event logging in Linux. The journal is simply a binary file used for storing the log messages collected by journald.

Journal log messages are not persistent, because they are stored in RAM, which is a volatile form of storage. By default, journald logs are lost or wiped whenever your PC reboots or loses power. Linux allocates a fixed amount of RAM to journald logs to avoid clogging your system’s memory.

How to Use the journalctl Command

You can use journalctl to query the systemd journal or journald logs. The system indexes all journald logs to improve efficiency when reading log messages from the journal.

Note: This guide uses sudo to run commands using elevated privileges because the journalctl command will not list all log messages when you run it as a regular Linux user.

View All Log Messages

To view all journald logs, simply run the journalctl command without any arguments:

sudo journalctl

The journalctl command will list all journald logs on your system in chronological order. The command pipes its output through less, so you get the same navigation ability as you generally would have with the less command. For example, you can navigate through the logs using the F and B keys on your keyboard.

If you want to change the order in which the system outputs the logs, i.e. show the latest entries first, use the -r flag with the command. The -r flag stands for Reverse.

sudo journalctl -r

View Kernel journald Logs

Kernel logs are very important on Linux because they contain information related to your system from the time it boots up. To view kernel logs only, specify the -k flag with the journalctl command:

sudo journalctl -k

The output will also list some kernel information, such as the kernel version and its name.


Filter journald Logs by a Specific Program

You can also view logs related to a specific program or service using journalctl. For example, to view logs associated with the cron service, run the command below:

sudo journalctl -u cron

View Log Messages in Real-Time

Sometimes you might want to view the logs in real-time as they are being logged. For that, issue the following command:

sudo journalctl -f

Use the Ctrl + C keyboard shortcut to exit the real-time view.

Get Log Messages by Date

You can use journalctl to filter and analyze the logs using a timestamp. For example, to display the logs from yesterday until now:

sudo journalctl --since=yesterday

You can be more specific by using a detailed “since” and “until” timestamp, as follows:

sudo journalctl --since="2021-07-17 12:00:00" --until="2021-07-17 15:00:00"

Journalctl will only display the log messages for the specified period.

View Log Messages by UID or PID

You can also filter journald logs using the user ID (UID) or the process ID (PID). The basic syntax is:

sudo journalctl _UID=0

…where 0 is the UID of the root account. You can also replace _UID in the command above with either _PID (process ID) or _GID (group ID) to filter by those fields instead.

Formatting the journalctl Output

To view journalctl logs in a specific output format, use the -o (output) flag followed by your preferred format. For example, to display the logs in a pretty-printed JSON format, run the command below:

sudo journalctl -o json-pretty

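The JSON output is the starting point for scripted analysis: with -o json (one object per line, rather than the multi-line json-pretty) each entry can be filtered by its fields. The following is an added example, not code from the original article, that counts entries per unit and priority and lists the units logging at error level or worse; the sample journal lines are constructed, and the live-system usage in the comment assumes a systemd host with sudo rights.

```shell
#!/bin/sh
# Added example: summarise journald entries exported with `journalctl -o json`
# (one JSON object per line) by unit and priority.
# Live usage (assumption: systemd host, sudo rights):
#   sudo journalctl -o json --since=yesterday | error_units

# Constructed sample standing in for real `journalctl -o json` output.
SAMPLE_JOURNAL='{"__REALTIME_TIMESTAMP":"1626523200000000","PRIORITY":"6","_SYSTEMD_UNIT":"cron.service","MESSAGE":"(root) CMD (run-parts /etc/cron.hourly)"}
{"__REALTIME_TIMESTAMP":"1626523260000000","PRIORITY":"3","_SYSTEMD_UNIT":"ssh.service","MESSAGE":"error: maximum authentication attempts exceeded"}
{"__REALTIME_TIMESTAMP":"1626523320000000","PRIORITY":"3","_SYSTEMD_UNIT":"ssh.service","MESSAGE":"error: maximum authentication attempts exceeded"}
{"__REALTIME_TIMESTAMP":"1626523380000000","PRIORITY":"4","_SYSTEMD_UNIT":"cron.service","MESSAGE":"pam_unix(cron:session): session opened for user root"}'

# Extract one top-level string field ($1 = key) from a single JSON line on stdin.
# Handles only the flat string fields journald emits; values containing a
# double quote are not expected for these keys.
json_field() {
    sed -n "s/.*\"$1\":\"\([^\"]*\)\".*/\1/p"
}

# Read JSON lines on stdin and print "count unit priority", highest count first.
summarize_journal() {
    while IFS= read -r line; do
        unit=$(printf '%s\n' "$line" | json_field _SYSTEMD_UNIT)
        prio=$(printf '%s\n' "$line" | json_field PRIORITY)
        printf '%s %s\n' "${unit:-unknown}" "${prio:-unknown}"
    done | sort | uniq -c | sort -rn | awk '{print $1, $2, $3}'
}

# Print "unit count" for units logging at syslog priority err (3) or worse,
# which are the entries a responder looks at first.
error_units() {
    summarize_journal | awk '$3 <= 3 {print $2, $1}'
}

# Demo run over the constructed sample.
printf '%s\n' "$SAMPLE_JOURNAL" | summarize_journal
printf '%s\n' "$SAMPLE_JOURNAL" | error_units
```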


Configuring journald on Linux

This guide has shown you how to view and analyze journald log messages on Linux using the journalctl command. The /var/log/journal directory stores all the journald logs. Note that not all Linux distros have journald enabled by default.

You can use the /etc/systemd/journald.conf file to configure or make changes to the journald configuration on your PC. Apart from an effective logging service, there are several other tools that are a must if you are serious about the security of your Linux servers.

Author: Mwiza Kumwenda

Source: Mwiza Kumwenda. “How to View and Analyze Logs on Linux With journalctl”. Retrieved from https://www.makeuseof.com/view-and-analyze-logs-with-journalctl-linux/

All Rights Of This Article Reserved To MakeUseOf
