2024-09-02 16:42:08 -06:00
# System Log Management (journalctl)
## 1. Introduction to journalctl
journalctl is a command-line utility for querying and displaying logs from the systemd journal. The systemd journal is a centralized logging system that collects and stores logging data from various sources, including the kernel, system services, and applications.
## 2. Basic Usage
### To view all logs:
`journalctl`
### To follow new log entries in real-time:
`journalctl -f`
## 3. Filtering Logs
### By time:
`journalctl --since "2024-01-01 00:00:00"`
`journalctl --until "2024-01-31 23:59:59"`
`journalctl --since "1 hour ago"`
### By service unit:
`journalctl -u nginx.service`
`journalctl -u ssh.service`
### By priority level:
`journalctl -p err`
Priority levels, from most to least severe: emerg, alert, crit, err, warning, notice, info, debug. `-p err` shows entries at err and every more severe level (crit, alert, emerg), not only err itself.
### By kernel messages:
`journalctl -k`
## 4. Output Formatting
### JSON output:
`journalctl -o json`
### Short output format:
`journalctl -o short`
### Verbose output:
`journalctl -o verbose`
## 5. Boot-specific Logs
### Current boot:
`journalctl -b`
### Previous boot:
`journalctl -b -1`
## 6. User-specific Logs
To show entries generated by processes running as a given user (here UID 1000):
`journalctl _UID=1000`
## 7. Disk Usage and Log Rotation
### View disk usage:
`journalctl --disk-usage`
### Rotate logs:
`journalctl --rotate`
### Vacuum old logs:
`journalctl --vacuum-time=1week`
`journalctl --vacuum-size=1G`
## 8. Remote Journal Access
To read logs collected from another system, point journalctl at a journal directory instead of the local default. `-D` reads only local files, so a remote host's journal files must first be copied or mounted locally:
`journalctl -D /path/to/journal/directory`
## 9. Persistent Journal Storage
### Edit /etc/systemd/journald.conf and set, under the `[Journal]` section:
`Storage=persistent`
### Restart journald:
`sudo systemctl restart systemd-journald`
## 10. Forwarding Logs to a Central Server
### Install rsyslog:
`sudo apt install rsyslog`
### Configure /etc/rsyslog.conf for forwarding:
`*.* @@central-log-server:514`
(`@@` forwards over TCP; a single `@` would forward over UDP.)
### Restart rsyslog:
`sudo systemctl restart rsyslog`
## 11. Security Considerations
- Restrict access to journal files
- Use encryption for remote logging
- Regularly audit and review logs
- Implement log retention policies
## 12. Performance Tuning
Adjust RateLimitInterval (named RateLimitIntervalSec in current systemd releases) and RateLimitBurst in /etc/systemd/journald.conf to balance logging thoroughness against system performance. The limit applies per service: once a service exceeds RateLimitBurst messages within one interval, its further messages in that interval are dropped.
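The settings from sections 7, 9 and 12 live together in journald.conf, and a quick audit of that file is a common automation task. The script below is an added example, not part of the original notes: it parses a journald.conf fragment, reports a missing persistent storage setting, a missing retention limit, and a rate limit that is either disabled or tight enough to drop messages from a busy service. The two configuration texts are constructed for this example, the helper names are the author's own, and the default values assumed for unset keys (Storage=auto, Seal=yes, 30s/10000 rate limit) are journald's documented defaults.

```python
import configparser
import re

# Constructed journald.conf fragments for this example (not copied from any system).
WEAK_CONF = """\
[Journal]
Storage=auto
RateLimitIntervalSec=0
"""

HARDENED_CONF = """\
[Journal]
Storage=persistent
Compress=yes
Seal=yes
SystemMaxUse=1G
MaxRetentionSec=1month
RateLimitIntervalSec=30s
RateLimitBurst=10000
"""

# Time-span suffixes journald accepts for RateLimitIntervalSec; a bare number means seconds.
_SPAN_UNITS = {"us": 1e-6, "ms": 1e-3, "s": 1, "m": 60, "min": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_timespan(value):
    """Convert a systemd time span such as '30s', '1min' or '2h' to seconds."""
    total = 0.0
    for num, unit in re.findall(r"(\d+(?:\.\d+)?)\s*([a-z]*)", value.strip()):
        if (unit or "s") not in _SPAN_UNITS:
            raise ValueError(f"unsupported time unit in {value!r}")
        total += float(num) * _SPAN_UNITS[unit or "s"]
    return total


def parse_journald_conf(text):
    """Return the [Journal] section as a dict; journald keys are case-sensitive."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return dict(cp["Journal"]) if cp.has_section("Journal") else {}


def audit_journald(text):
    """List configuration findings relevant to log retention, integrity and rate limiting."""
    conf = parse_journald_conf(text)
    findings = []

    storage = conf.get("Storage", "auto")
    if storage != "persistent":
        findings.append(f"Storage={storage}: logs may not survive a reboot; set Storage=persistent")

    if not ({"SystemMaxUse", "MaxRetentionSec"} & conf.keys()):
        findings.append("no SystemMaxUse/MaxRetentionSec: retention relies on journald defaults, not a stated policy")

    if conf.get("Seal", "yes").lower() in ("no", "false", "0", "off"):
        findings.append("Seal=no: Forward Secure Sealing disabled, tampering with stored journals is harder to detect")

    # Accept the older key name used in section 12 as well as the current one.
    interval = parse_timespan(conf.get("RateLimitIntervalSec", conf.get("RateLimitInterval", "30s")))
    burst = int(conf.get("RateLimitBurst", "10000"))
    if interval == 0 or burst == 0:
        findings.append("rate limiting disabled (interval or burst is 0): one noisy service can flood the journal")
    else:
        per_second = burst / interval
        if per_second < 100:
            findings.append(f"rate limit allows ~{per_second:.0f} msg/s per service; messages above that are "
                            "dropped and only a 'Suppressed N messages' line remains")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"[{name}]")
        for finding in audit_journald(text) or ["no findings"]:
            print("  -", finding)
```

To audit a live system, replace the constructed texts with `open("/etc/systemd/journald.conf").read()`; drop-in files under /etc/systemd/journald.conf.d/ would need to be merged in the same way.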
## 13. Integration with Other Tools
journalctl can be combined with other tools like grep, awk, and sed for advanced log analysis:
```
journalctl | grep "error" | awk '{print $1, $2, $3}'
```
## 14. Scripting and Automation
You can use journalctl in shell scripts for automated log analysis and reporting.
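Sections 3 and 4 show the filters and the JSON output format, and sections 13 and 14 suggest scripting around them. The following script is an added example written for these notes, not part of the original page: it parses `journalctl -o json` lines, reproduces the `-p`, `-u`, `_UID=` and `--since` filters in Python, and counts matching entries per unit. The five sample lines are constructed (real journal field names, made-up values, including one MESSAGE exported as a byte array, which journalctl does for fields that are not valid UTF-8); the function names are the author's own.

```python
import json
import sys
from collections import Counter
from datetime import datetime, timezone

# Syslog priority numbers as stored in the journal's PRIORITY field;
# `journalctl -p err` shows everything with a number <= 3.
PRIORITIES = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}

# Constructed sample shaped like `journalctl -o json` output (one object per line).
SAMPLE_JSON_LINES = [
    '{"__REALTIME_TIMESTAMP":"1704067200000000","PRIORITY":"6","_SYSTEMD_UNIT":"ssh.service","_UID":"0","MESSAGE":"Accepted publickey for alice from 192.0.2.10 port 51000 ssh2"}',
    '{"__REALTIME_TIMESTAMP":"1704067260000000","PRIORITY":"3","_SYSTEMD_UNIT":"nginx.service","_UID":"0","MESSAGE":"upstream timed out while connecting to backend"}',
    '{"__REALTIME_TIMESTAMP":"1704067320000000","PRIORITY":"4","_SYSTEMD_UNIT":"ssh.service","_UID":"0","MESSAGE":"Failed password for invalid user admin from 198.51.100.7 port 41022 ssh2"}',
    '{"__REALTIME_TIMESTAMP":"1704067380000000","PRIORITY":"2","_TRANSPORT":"kernel","MESSAGE":"EXT4-fs error (device sda1): reading directory lblock 0"}',
    '{"__REALTIME_TIMESTAMP":"1704067440000000","PRIORITY":"6","_SYSTEMD_UNIT":"cron.service","_UID":"1000","MESSAGE":[40,97,108,105,99,101,41,32,67,77,68,32,40,98,97,99,107,117,112,41]}',
]


def _as_text(value):
    """journalctl -o json emits a field as a list of byte values when it is not valid
    UTF-8 (or very large); turn that back into text, replacing undecodable bytes."""
    if isinstance(value, list):
        return bytes(value).decode("utf-8", "replace")
    return value if value is not None else ""


def parse_entries(lines):
    """Parse journalctl -o json lines into plain dicts with typed fields."""
    entries = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        raw = json.loads(line)
        usec = int(raw.get("__REALTIME_TIMESTAMP", "0"))  # microseconds since the epoch
        entries.append({
            "time": datetime.fromtimestamp(usec / 1_000_000, tz=timezone.utc),
            "priority": int(raw.get("PRIORITY", PRIORITIES["info"])),
            # kernel messages carry _TRANSPORT=kernel instead of a unit name
            "unit": raw.get("_SYSTEMD_UNIT") or raw.get("_TRANSPORT") or "unknown",
            "uid": raw.get("_UID"),
            "message": _as_text(raw.get("MESSAGE")),
        })
    return entries


def filter_entries(entries, max_priority="err", unit=None, uid=None, since=None):
    """Mirror journalctl's -p, -u, _UID= and --since filters."""
    level = PRIORITIES[max_priority]
    out = []
    for e in entries:
        if e["priority"] > level:          # -p keeps this level and more severe ones
            continue
        if unit is not None and e["unit"] != unit:
            continue
        if uid is not None and e["uid"] != str(uid):
            continue
        if since is not None and e["time"] < since:
            continue
        out.append(e)
    return out


def count_by_unit(entries):
    """Number of entries per unit, most frequent first."""
    return dict(Counter(e["unit"] for e in entries).most_common())


if __name__ == "__main__":
    # Real use: journalctl -o json --since "1 hour ago" | python3 journal_summary.py
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_JSON_LINES
    entries = parse_entries(source)
    for unit, n in count_by_unit(filter_entries(entries, "err")).items():
        print(f"{n:5d}  {unit}")
    for e in filter_entries(entries, "warning", unit="ssh.service"):
        print(e["time"].isoformat(), e["message"])
```

Reading the JSON form rather than the default short output avoids the field-splitting guesswork of the `awk '{print $1, $2, $3}'` approach in section 13, and the typed timestamp makes `--since`-style windows and per-unit counts straightforward to compute in a scheduled report.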