paulgorman.org/technical

Systemd journalctl

The Linux systemd init system comes with journalctl, a tool for querying its binary system log.

Configuration

First, check the timezone on the system:

$ timedatectl status

If necessary, change the time zone:

# timedatectl set-timezone 'America/Detroit'

The config file resides at /etc/systemd/journald.conf; see the man page journald.conf(5). If Storage=auto (the default), journald saves data to /run/log/journal/ unless /var/log/journal/ exists. Since /run/ is typically a tmpfs, the journal data then does not persist across reboots. To persist the journal data, create the directory:

# mkdir /var/log/journal
# chown root:systemd-journal /var/log/journal
# chmod 2755 /var/log/journal

To restart journald, which we must do after making any config changes:

# systemctl restart systemd-journald
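
One way to audit the result of the steps above (an added example, not from the original page): the script reports where journal data lands under the Storage= rules described, and whether /var/log/journal carries the setgid bit set by chmod 2755. The function names and the optional root-directory argument are assumptions for illustration, and only drop-ins under /etc/systemd/journald.conf.d/ are read.

```shell
#!/bin/sh
# Added example: will journald keep logs across reboots on this system?
# The optional first argument is a hypothetical root prefix (default: the
# live system) so a mounted image or a constructed test tree can be checked.

# Print the effective Storage= value: the last uncommented assignment in
# journald.conf and its /etc drop-ins (later files win); default "auto".
journald_storage_setting() {
    root=${1:-}
    value=auto
    for f in "$root/etc/systemd/journald.conf" \
             "$root"/etc/systemd/journald.conf.d/*.conf; do
        [ -f "$f" ] || continue
        v=$(sed -n 's/^[[:space:]]*Storage[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$f" | tail -n 1)
        if [ -n "$v" ]; then value=$v; fi
    done
    printf '%s\n' "$value"
}

# Print persistent | volatile | none | unknown.
journal_persistence() {
    root=${1:-}
    dir="$root/var/log/journal"
    case $(journald_storage_setting "$root") in
        persistent) echo persistent ;;   # journald creates the directory itself
        auto)       if [ -d "$dir" ]; then echo persistent; else echo volatile; fi ;;
        volatile)   echo volatile ;;     # /run/log/journal only, lost at reboot
        none)       echo none ;;         # nothing is stored
        *)          echo unknown ;;
    esac
}

# Succeed if /var/log/journal has the setgid bit, so new journal files
# inherit the directory's group (systemd-journal in the steps above).
journal_dir_setgid() {
    [ -g "${1:-}/var/log/journal" ]
}

echo "journal storage: $(journal_persistence "${1:-}")"
if journal_dir_setgid "${1:-}"; then
    echo "/var/log/journal: setgid bit present"
else
    echo "/var/log/journal: missing or no setgid bit"
fi
```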

If necessary, add log-reading users to the systemd-journal group:

# usermod -a -G systemd-journal paul

Find the disk space used by journals:

$ journalctl --disk-usage

Shrink the journal by removing old entries until it reaches a specified size:

$ sudo journalctl --vacuum-size=1G

Shrink the journal by removing entries older than a given time:

$ sudo journalctl --vacuum-time=1years

These and other limits may be configured in /etc/systemd/journald.conf.

Viewing Logs

If called without arguments, journalctl spits out all its entries, from oldest to newest.

$ journalctl

When comparing logs from various time zones, consider the --utc flag.

$ journalctl --utc

Scope results to the current boot (or a previous boot); --list-boots shows the boots recorded in the journal:

$ journalctl -b
$ journalctl -b -1
$ journalctl --list-boots

Or confine returned log entries based on date/time:

$ journalctl --since "2017-01-10" --until "2017-01-18 02:30"
$ journalctl --since yesterday
$ journalctl --since 10:00 --until "1 hour ago"

The -p flag shows one or a range of log levels (following SYSLOG(3)). Show kernel messages with severity of emergency, alert, critical, error, or warning:

$ journalctl -k -p 0..4

Filter for a particular systemd unit/service:

$ journalctl -u fancontrol

Filter for a particular PID or user ID:

$ journalctl _PID=1660
$ journalctl _UID=1001

See SYSTEMD.JOURNAL-FIELDS(7) for additional filterable fields.

Three flags of note:

Pager

By default, journalctl pages its output, trying well-known pagers (less, more, etc.). To stop it defaulting to that:

$ export SYSTEMD_PAGER=cat

Or, to stop it paging for one invocation:

$ journalctl --no-pager

Remote Logging