Journalctl

This is part of the Semicolon&Sons Code Diary - consisting of lessons learned on the job. You're in the unix category.

Last Updated: 2022-05-26

Journalctl is a system-wide logging system (a more modern alternative to the role syslog often assumes)

Usage

Behind the scenes

It stores data in a binary format - the idea being to make it much faster to find particular messages. Unstructured text files from syslog are difficult to work with when large.

Default non-persistent

The default storage type in journald.conf is "auto". In this storage type, the journal logs may not be persistent and may not survive reboots.

Technically this is what happens:

"By default, the journal stores log data in /run/log/journal/. Since /run/ is volatile, log data is lost at reboot. To make the data persistent, it is sufficient to create /var/log/journal/ where systemd-journald will then store the data."

i.e. in "auto" mode you just have to create the needed directories for data to be persisted: mkdir -p /var/log/journal

Then restart the log using the systemctl interface to journald: systemctl restart systemd-journald.service

Comparison with syslog

Data sources

It draws data from

It then mixes all this data together

Resources