systemd
Daemonjournalctl
: Query the systemd
Journaludev
journalctl
: Query the systemd
Journal
When systemd
replaced traditional init scripts in SUSE Linux Enterprise 12 (see
Chapter 10, The systemd
Daemon), it introduced its own logging system
called journal. There is no need to run a
syslog
based service anymore, as all system
events are written in the journal.
The journal itself is a system service managed by systemd
. Its full
name is systemd-journald.service
. It collects and
stores logging data by maintaining structured indexed journals based on
logging information received from the kernel, from user processes, from
standard input and error of system services. The
systemd-journald
service is on by default:
# systemctl status systemd-journald systemd-journald.service - Journal Service Loaded: loaded (/usr/lib/systemd/system/systemd-journald.service; static) Active: active (running) since Mon 2014-05-26 08:36:59 EDT; 3 days ago Docs: man:systemd-journald.service(8) man:journald.conf(5) Main PID: 413 (systemd-journal) Status: "Processing requests..." CGroup: /system.slice/systemd-journald.service └─413 /usr/lib/systemd/systemd-journald [...]
The journal stores log data in /run/log/journal/
by
default. Because the /run/
directory is volatile by
nature, log data is lost at reboot. To make the log data persistent, the
directory /var/log/journal/
with correct ownership
and permissions must exist, where the systemd-journald service can store
its data. systemd
will create the directory for you—and
switch to persistent logging—if you do the following:
As root
, open /etc/systemd/journald.conf
for editing.
# vi /etc/systemd/journald.conf
Uncomment the line containing Storage=
and change it
to
[...] [Journal] Storage=persistent #Compress=yes [...]
Save the file and restart systemd-journald:
systemctl restart systemd-journald
journalctl
Useful Switches #
This section introduces several common useful options to enhance the
default journalctl
behavior. All switches are
described in the journalctl
manual page, man
1 journalctl
.
To show all journal messages related to a specific executable, specify the full path to the executable:
journalctl /usr/lib/systemd/systemd
Shows only the most recent journal messages, and prints new log entries as they are added to the journal.
Prints the messages and jumps to the end of the journal, so that the latest entries are visible within the pager.
Prints the messages of the journal in a reverse order, so that the latest entries are listed first.
Shows only kernel messages. This is equivalent to the field match
_TRANSPORT=kernel
(see
Section 11.3.3, “Filtering Based on Fields”).
Shows only messages for the specified systemd
unit. This is
equivalent to the field match
_SYSTEMD_UNIT=UNIT
(see
Section 11.3.3, “Filtering Based on Fields”).
# journalctl -u apache2 [...] Jun 03 10:07:11 pinkiepie systemd[1]: Starting The Apache Webserver... Jun 03 10:07:12 pinkiepie systemd[1]: Started The Apache Webserver.
When called without switches, journalctl
shows the
full content of the journal, the oldest entries listed first. The output
can be filtered by specific switches and fields.
journalctl
can filter messages based on a specific
system boot. To list all available boots, run
# journalctl --list-boots -1 097ed2cd99124a2391d2cffab1b566f0 Mon 2014-05-26 08:36:56 EDT—Fri 2014-05-30 05:33:44 EDT 0 156019a44a774a0bb0148a92df4af81b Fri 2014-05-30 05:34:09 EDT—Fri 2014-05-30 06:15:01 EDT
The first column lists the boot offset: 0
for the
current boot, -1
for the previous,
-2
for the second previous, etc. The second column
contains the boot ID, and then the limiting time stamps of the specific
boot follow.
Show all messages from the current boot:
# journalctl -b
If you need to see journal message from the previous boot, add an offset parameter. The following example outputs the previous boot messages:
# journalctl -b -1
Another way is to list boot messages based on the boot ID. For this purpose, use the _BOOT_ID field:
# journalctl _BOOT_ID=156019a44a774a0bb0148a92df4af81b
You can filter the output of journalctl
by specifying
the starting and/or ending date. The date specification should be of the
format "2014-06-30 9:17:16". If the time part is omitted, the midnight
is assumed. If seconds are omitted, ":00" is assumed. If the date part
is omitted, the current day is assumed. Instead of numeric expression,
you can specify the keywords "yesterday", "today", or "tomorrow", which
refer to midnight of the day before the current day, of the current day,
or of the day after the current day. If you specify "now", it refers to
the current time. You can also specify relative times prefixed with
-
or +
, referring to times before
or after the current time.
Show only new messages since now, and update the output continuously:
# journalctl --since "now" -f
Show all messages since last midnight till 3:20am:
# journalctl --since "today" --until "3:20"
You can filter the output of the journal by specific fields. The syntax
of a field to be matched is FIELD_NAME=MATCHED_VALUE
,
such as _SYSTEMD_UNIT=httpd.service
. You can specify
multiple matches in a single query to filter the output messages event
more. See man 7 systemd.journal-fields
for a list of
default fields.
Show messages produced by a specific process ID:
# journalctl _PID=1039
Show messages belonging to a specific user ID:
# journalctl _UID=1000
Show messages from the kernel ring buffer (the same as
dmesg
produces):
# journalctl _TRANSPORT=kernel
Show messages from the service's standard or error output:
# journalctl _TRANSPORT=stdout
Show messages produced by a specified service only:
# journalctl _SYSTEMD_UNIT=avahi-daemon.service
If two different fields are specified, only entries that match both expressions at the same time are shown:
# journalctl _SYSTEMD_UNIT=avahi-daemon.service _PID=1488
If two matches refer to the same field, all entries matching either expression are shown:
# journalctl _SYSTEMD_UNIT=avahi-daemon.service _SYSTEMD_UNIT=dbus.service
You can use the '+' separator to combine two expressions in a logical 'OR'. The following example shows all messages from the Avahi service process with the process ID 1480 together with all messages from the D-Bus service:
# journalctl _SYSTEMD_UNIT=avahi-daemon.service _PID=1480 + _SYSTEMD_UNIT=dbus.service
systemd
Errors #
This section introduces a simple example to illustrate how to find and
fix the error reported by systemd
during apache2
start-up.
Try to start the apache2 service:
# systemctl start apache2 Job for apache2.service failed. See 'systemctl status apache2' and 'journalctl -xn' for details.
Let us see what the service's status says:
# systemctl status apache2 apache2.service - The Apache Webserver Loaded: loaded (/usr/lib/systemd/system/apache2.service; disabled) Active: failed (Result: exit-code) since Tue 2014-06-03 11:08:13 CEST; 7min ago Process: 11026 ExecStop=/usr/sbin/start_apache2 -D SYSTEMD -DFOREGROUND \ -k graceful-stop (code=exited, status=1/FAILURE)
The ID of the process causing the failure is 11026.
Show the verbose version of messages related to process ID 11026:
# journalctl -o verbose _PID=11026 [...] MESSAGE=AH00526: Syntax error on line 6 of /etc/apache2/default-server.conf: [...] MESSAGE=Invalid command 'DocumenttRoot', perhaps misspelled or defined by a module [...]
Fix the typo inside
/etc/apache2/default-server.conf
, start the
apache2 service, and print its status:
# systemctl start apache2 && systemctl status apache2 apache2.service - The Apache Webserver Loaded: loaded (/usr/lib/systemd/system/apache2.service; disabled) Active: active (running) since Tue 2014-06-03 11:26:24 CEST; 4ms ago Process: 11026 ExecStop=/usr/sbin/start_apache2 -D SYSTEMD -DFOREGROUND -k graceful-stop (code=exited, status=1/FAILURE) Main PID: 11263 (httpd2-prefork) Status: "Processing requests..." CGroup: /system.slice/apache2.service ├─11263 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf -D [...] ├─11280 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf -D [...] ├─11281 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf -D [...] ├─11282 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf -D [...] ├─11283 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf -D [...] └─11285 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf -D [...]
The behavior of the systemd-journald service can be adjusted by modifying
/etc/systemd/journald.conf
. This section introduces
only basic option settings. For a complete file description, see
man 5 journald.conf
. Note that you need to restart the
journal for the changes to take effect with
# systemctl restart systemd-journald
If the journal log data is saved to a persistent location (see
Section 11.1, “Making the Journal Persistent”), it uses up to 10% of the file
system the /var/log/journal
resides on. For
example, if /var/log/journal
is located on a 30 GB
/var
partition, the journal may use up to 3 GB of
the disk space. To change this limit, change (and uncomment) the
SystemMaxUse
option:
SystemMaxUse=50M
/dev/ttyX
#
You can forward the journal to a terminal device to inform you about
system messages on a preferred terminal screen, for example
/dev/tty12
. Change the following journald options to
ForwardToConsole=yes TTYPath=/dev/tty12
Journald is backward compatible with traditional syslog implementations
such as rsyslog
. Make sure the following is
valid:
rsyslog is installed.
# rpm -q rsyslog rsyslog-7.4.8-2.16.x86_64
rsyslog service is enabled.
# systemctl is-enabled rsyslog enabled
Forwarding to syslog is enabled in
/etc/systemd/journald.conf
.
ForwardToSyslog=yes
systemd
Journal #For an easy way of filtering the systemd journal (without having to deal with the journalctl
syntax), you can use the YaST journal module. After installing it with sudo zypper in
yast2-journal
, start it from YaST by selecting › . Alternatively, start it from command line by entering sudo yast2 journal
.
The module displays the log entries in a table. The search box on top allows you to search
for entries that contain certain characters, similar to using grep
. To filter the
entries by date and time, unit, file, or priority, click and set the
respective options.