Locate and interpret system log files and journals

Step I – Setup

Let's set up journalctl. First we must create a journal directory inside /var/log/ (the commands below are run from within /var/log/):

# mkdir journal

To find out which group the new directory should belong to, look in /etc/group:

# grep journal /etc/group
systemd-journal:x:190:

We change the group,

# chgrp systemd-journal journal/
# ls -lad journal/
drwxr-xr-x. 2 root systemd-journal 6 Sep  9 19:04 journal/

and the permissions:

# chmod 2755 journal/
# ls -lad journal/
drwxr-sr-x. 2 root systemd-journal 6 Sep  9 19:04 journal/

Now restart the machine or just the service:

# systemctl restart systemd-journald
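
The ownership and mode set in Step I can be audited with a small shell function. This is an added example, not part of the original post; the function name check_journal_dir is hypothetical and it assumes GNU stat (coreutils).

```shell
#!/bin/sh
# Added example: audit the journal directory prepared in Step I.
# Usage: check_journal_dir /var/log/journal [GROUP]
# Prints one line per finding; returns 0 only when the directory exists,
# belongs to GROUP (default systemd-journal), has the setgid bit set
# and is not world-writable.

check_journal_dir() {
    dir=$1
    want_group=${2:-systemd-journal}
    rc=0

    if [ ! -d "$dir" ]; then
        # With Storage=auto, journald only keeps logs under /run in this case.
        echo "FAIL: $dir is missing or is not a directory"
        return 1
    fi

    # GNU stat: %G = group name, %a = octal mode (for example 2755)
    group=$(stat -c '%G' "$dir")
    mode=$(stat -c '%a' "$dir")

    if [ "$group" != "$want_group" ]; then
        echo "FAIL: group is $group, expected $want_group"
        rc=1
    fi

    # The setgid bit (the leading 2 in 2755) makes files created in the
    # directory inherit its group, so group members can read the journal.
    if [ ! -g "$dir" ]; then
        echo "FAIL: setgid bit missing (mode $mode, expected 2755)"
        rc=1
    fi

    # A last octal digit of 2, 3, 6 or 7 means "other" may write.
    case $mode in
        *[2367]) echo "FAIL: world-writable (mode $mode)"; rc=1 ;;
    esac

    if [ "$rc" -eq 0 ]; then
        echo "OK: $dir group=$group mode=$mode"
    fi
    return "$rc"
}
```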

Step II – Use

# journalctl --help
 journalctl [OPTIONS…] [MATCHES…]
 Query the journal.
 Flags:
      --system              Show the system journal
      --user                Show the user journal for the current user
   -M --machine=CONTAINER   Operate on local container
   -S --since=DATE          Show entries not older than the specified date
   -U --until=DATE          Show entries not newer than the specified date
   -c --cursor=CURSOR       Show entries starting at the specified cursor
      --after-cursor=CURSOR Show entries after the specified cursor
      --show-cursor         Print the cursor after all the entries
   -b --boot[=ID]           Show current boot or the specified boot
      --list-boots          Show terse information about recorded boots
   -k --dmesg               Show kernel message log from the current boot
   -u --unit=UNIT           Show logs from the specified unit
   -t --identifier=STRING   Show entries with the specified syslog identifier
   -p --priority=RANGE      Show entries with the specified priority
   -e --pager-end           Immediately jump to the end in the pager
   -f --follow              Follow the journal
   -n --lines[=INTEGER]     Number of journal entries to show
      --no-tail             Show all lines, even in follow mode
   -r --reverse             Show the newest entries first
   -o --output=STRING       Change journal output mode (short, short-iso,
                                    short-precise, short-monotonic, verbose,
                                    export, json, json-pretty, json-sse, cat)
      --utc                 Express time in Coordinated Universal Time (UTC)
   -x --catalog             Add message explanations where available
      --no-full             Ellipsize fields
   -a --all                 Show all fields, including long and unprintable
   -q --quiet               Do not show privilege warning
      --no-pager            Do not pipe output into a pager
   -m --merge               Show entries from all available journals
   -D --directory=PATH      Show journal files from directory
      --file=PATH           Show journal file
      --root=ROOT           Operate on catalog files underneath the root ROOT
      --interval=TIME       Time interval for changing the FSS sealing key
      --verify-key=KEY      Specify FSS verification key
      --force               Override of the FSS key pair with --setup-keys
 Commands:
   -h --help                Show this help text
      --version             Show package version
   -F --field=FIELD         List all values that a specified field takes
      --new-id128           Generate a new 128-bit ID
      --disk-usage          Show total disk usage of all journal files
      --vacuum-size=BYTES   Reduce disk usage below specified size
      --vacuum-time=TIME    Remove journal files older than specified date
      --flush               Flush all journal data from /run into /var
      --header              Show journal header information
      --list-catalog        Show all message IDs in the catalog
      --dump-catalog        Show entries in the message catalog
      --update-catalog      Update the message catalog database
      --setup-keys          Generate a new FSS key pair
      --verify              Verify journal file consistency

To follow the journal as new entries arrive:

# journalctl -f

To check that it is working, open a new terminal and log in as root, then watch what appears in the journalctl window.

journalctl shows the system's events as they are recorded.
