How to Use journalctl for Logs in Debian

Edited 1 week ago by ExtremeHow Editorial Team

DebianjournalctlLogsCLISystem AdministrationLinuxMonitoringOpen SourceTroubleshootingSoftware

Debian is known for its stability and vast repository of software packages. One of the key aspects of maintaining a stable and secure system is to regularly monitor system logs. Logs help system administrators understand what is happening within the system. They can provide invaluable information for troubleshooting problems or understanding system performance.

The traditional method of log management on Linux systems is using text files located in the /var/log directory. These logs are managed by various services such as syslog or more specifically rsyslog in many Debian systems. However, with the advent of systemd, a new logging system called journald came into use, and it offers some notable improvements and features compared to traditional logging methods.

In this document, we will discuss in detail how you can use journalctl command to view and manage systemd logs in Debian. Let's explore this powerful command and learn how it can help you manage your system logs effectively.

Introduction to JournalCTL and SystemD

Before discussing journalctl usage, it is important to have a basic understanding of systemd and journald. systemd is a system and service manager for the Linux operating system. It was designed to provide better service management and boot-up performance. journald is the logging component of systemd, which is responsible for collecting and storing logs.

Unlike traditional logging methods that store logs as plain text files, journald stores logs in binary format, which can provide several benefits, including improved performance, indexing, and filtering capabilities.

journalctl command is used to query this binary log data, with a wide range of filtering options to make it as versatile as possible.

Basic usage of journalctl

The simplest way to use journalctl is to run it without any arguments or options. This will display all available log entries, starting with the oldest.

$ journalctl

The log will be displayed with a timestamp and message for each entry. However, given the potentially large volume of entries, using an option to view the log daily is not usually practical, especially on systems that have been running for a long time.

Viewing the latest logs

Often, you'll be interested in seeing only the most recent logs rather than scouring older entries. Using the -n flag followed by a number, you can specify how recent lines you want to see:

$ journalctl -n 50

This command gets the last 50 log entries. The default behavior without specifying a number is to show the last ten lines:

$ journalctl -n

Follow the logs in real time

Another useful feature is the ability to follow logs in real time as they are generated, similar to tail -f command for traditional logs. This can be achieved with the -f flag:

$ journalctl -f

This command will display new log entries as they appear, which is especially useful for monitoring log output during troubleshooting sessions.

Filtering the log

One of the powerful aspects of journalctl is its ability to filter logs using a variety of criteria. This is important when you need to pinpoint certain events or types of log entries.

Filter by time

You can easily filter the logs by a specific time range using --since and --until options. Both options accept various time formats, including relative time:

$ journalctl --since "2023-03-01 00:00:00" --until "2023-03-01 23:59:59"

You can also use relative time:

$ journalctl --since "1 hour ago"

Here, the logs for the last one hour are displayed.

Filtering by unit

Since journald is deeply integrated with systemd, which manages services as "units", you can filter the logs for a specific service unit. Use -u flag followed by the unit name:

$ journalctl -u apache2.service

This will show only logs related to the Apache Web Server service, which is helpful in diagnosing service-specific problems.

Filter by priority

Systemd logs have different priorities. If you are only interested in the more serious log messages, you can filter the logs according to these priorities:

$ journalctl -p err

This command will only display log entries with a priority level of "error" or higher, which can include "critical", "warning", and "emergency" messages.

Combination of filters

You can combine different filters to limit the logs even more precisely. For example, if you want to get error messages for the Apache2 service for the last hour:

$ journalctl -u apache2.service -p err --since "1 hour ago"

This flexibility allows you to quickly focus on the logs of interest.

Persistent Logging

By default, journald may not store persistent logs between reboots on some systems. This can be confirmed by viewing the logs after a reboot. If you want to enable persistent logging, make sure the directory /var/log/journal exists. If it is not there, create it:

$ sudo mkdir -p /var/log/journal $ sudo systemctl restart systemd-journald

This will configure journald to store logs persistently across reboots in binary journal format.

Clearing and Managing Journal Logs

Over time, journal logs can accumulate and take up significant disk space. You can manage disk space usage with journalctl command:

Check the disk usage of the journal log

You can see how much space the journal logs take up by using --disk-usage option:

$ journalctl --disk-usage

This command will display the total space used by the journal log.

Removing old logs

You can delete older logs using --vacuum-time, --vacuum-size, or --vacuum-files options. For example, if you want to delete logs older than two weeks, use the following command:

$ sudo journalctl --vacuum-time=2weeks

To retain only a certain amount of megabytes of logs (for example, 500MB), use:

$ sudo journalctl --vacuum-size=500M

The above method allows the journal log to use up to the specified space on disk.

Exporting and saving logs

Sometimes you may need to share or inspect logs outside of the journal environment. You can export logs in various formats with journalctl:

Exporting to text files

You can redirect journal log output to plain text files for easy sharing or archiving:

$ journalctl > /path/to/your/output.txt

This command will copy the entire log to a text file. You can apply filters as needed to limit the output.

Exporting to JSON

To output logs in JSON format, which can be programmatically parsed by various tools, use -o json option:

$ journalctl -o json-pretty > /path/to/your/output.json

This command will generate a JSON representation of the logs, making it easy to programmatically dissect the log data.

Creating a Binary Journal Backup

If you want a binary backup that includes all additional metadata, you can use the --output-export option:

$ journalctl --output-export > /path/to/backup.journal

This allows you to preserve all journal-specific information in a format that can be easily re-imported into systemd-journal using journalctl --merge with the backup file.

Conclusion

journalctl command is a powerful tool on Debian systems where systemd is used to manage logs via journald. It provides robust capabilities for viewing, filtering, and managing system logs, providing a significant edge over traditional logging methods in terms of flexibility and efficiency.

Through simple commands, journalctl allows you to view logs chronologically, follow them in real time, filter by various conditions, and manage the log data stored on your system. For system administrators and users, understanding how to leverage journalctl can lead to better monitoring of system events and faster troubleshooting, ultimately contributing to maintaining a smooth operating environment.

  Share This Article

If you find anything wrong with the article content, you can request an update