Red Hat Linux 9: How to read log files created by systemd-journald
Working with systemd-journald
The systemd-journald service stores log messages in the
journal, a binary file that is temporarily stored in the file
/run/log/journal. This file can be examined using the journalctl
command.
Using journalctl to Find Events
The easiest way to use journalctl is by just typing the
command. It shows the recent events that have been written to the
journal since your server last started. The result of this
command is shown in the less pager, and by default you’ll see
the beginning of the journal. Because the journal is written
from the moment your server boots, the start of the output
shows boot-related log messages. If you want to see the last
messages that have been logged, you can use journalctl -f,
which shows the last lines of the journal and automatically
adds new log lines as they arrive. You can also type journalctl and use
(uppercase) G to go to the end of the journal. Also note that
the search options / and ? work in the journalctl output. Example
13-3 shows a partial result of this command.
What makes journalctl a flexible command is that its many
filtering options allow you to show exactly what you need.
Exercise 13-2 shows some of the most interesting options.
Exercise 13-2 Discovering journalctl
1. Type journalctl. You’ll see the content of the journal since
your server last started, starting at the beginning of the
journal. The content is shown in less, so you can use
common less commands to walk through the file.
2. Type q to quit the pager. Now type journalctl --no-pager.
This shows the contents of the journal without using a pager.
3. Type journalctl -f. This opens the live view mode of
journalctl, which allows you to see new messages scrolling
by in real time. Press Ctrl-C to interrupt.
4. Type journalctl, press the Spacebar, and then press the Tab
key twice. When prompted to view all possibilities, type y
and then press the Enter key. This shows specific options that
can be used for filtering. Type, for instance, journalctl
_UID=1000 to show messages that have been logged for your
student user account.
5. Type journalctl -n 20. The -n 20 option displays the last 20
lines of the journal (just like tail -n 20).
6. Type journalctl -p err. This command shows errors only.
7. If you want to view journal messages that have been written
in a specific time period, you can use the --since and --until
options. Both options take the time parameter in the
format YYYY-MM-DD hh:mm:ss. Also, you can use yesterday,
today, and tomorrow as parameters. So, type journalctl
--since yesterday to show all messages that have been written
since yesterday.
8. journalctl allows you to combine different options, as well.
So, if you want to show all messages with a priority error
that have been written since yesterday, use journalctl
--since yesterday -p err.
9. If you need as much detail as possible, use journalctl -o
verbose. This shows different options that are used when
writing to the journal (see Example 13-4). All these options
can be used to tell the journalctl command which specific
information you are looking for. Type, for instance,
journalctl _SYSTEMD_UNIT=sshd.service to show more
information about the sshd Systemd unit.
10. Type journalctl --dmesg. This shows kernel-related
messages only. Not many people use this command, as the
dmesg command gives the exact same result.
In the preceding exercise, you typed journalctl -o verbose to
show verbose output. Example 13-4 shows an example of the
verbose output. As you can see, this provides detailed
information for all items that have been logged, including the
PID, the ID of the associated user and group account, the
command that is associated, and more. This verbose
information may help you in debugging specific Systemd units.
Example 13-4 Showing Detailed Log Information with
journalctl -o verbose
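The field names that appear in verbose output are the same keys journalctl accepts as FIELD=VALUE matches. The script below is an added example, not part of the original text and not the output of Example 13-4; it applies such a match plus a priority ceiling to constructed entries laid out as in journalctl -o export. The names sample_journal and journal_filter are hypothetical, and only single-line text fields are handled.

```shell
# Constructed sample in `journalctl -o export` layout: FIELD=value lines,
# one blank line between entries (text-only fields assumed).
sample_journal() {
cat <<'EOF'
PRIORITY=6
_UID=0
_PID=1021
_COMM=sshd
_SYSTEMD_UNIT=sshd.service
MESSAGE=Server listening on 0.0.0.0 port 22.

PRIORITY=3
_UID=0
_PID=1544
_COMM=sshd
_SYSTEMD_UNIT=sshd.service
MESSAGE=error: kex_exchange_identification: Connection closed by remote host

PRIORITY=2
_UID=1000
_PID=2210
_COMM=demo-app
_SYSTEMD_UNIT=user@1000.service
MESSAGE=constructed critical message from the student account
EOF
}

# journal_filter FIELD=VALUE [MAX_PRIORITY]  (hypothetical helper)
# Keeps entries whose FIELD equals VALUE and whose PRIORITY is numerically
# <= MAX_PRIORITY, mirroring "journalctl FIELD=VALUE -p LEVEL" (3 = err).
journal_filter() {
    awk -v want="$1" -v maxprio="${2:-7}" '
    BEGIN { RS = ""; FS = "\n"
            eq = index(want, "=")
            key = substr(want, 1, eq - 1); val = substr(want, eq + 1) }
    {
        split("", f)                       # reset the per-entry field map
        for (i = 1; i <= NF; i++) {
            eq = index($i, "=")            # split on the first "=" only
            if (eq) f[substr($i, 1, eq - 1)] = substr($i, eq + 1)
        }
        if (f[key] == val && f["PRIORITY"] + 0 <= maxprio + 0)
            printf "%s %s[%s] uid=%s: %s\n",
                   f["PRIORITY"], f["_COMM"], f["_PID"], f["_UID"], f["MESSAGE"]
    }'
}

sample_journal | journal_filter _SYSTEMD_UNIT=sshd.service 3
```

On a live system the same helper can read from journalctl -o export instead of the sample; lower PRIORITY numbers are more severe, so a ceiling of 3 also keeps levels 0 to 2.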
There are some more interesting options to use with the
journalctl command. The -b option shows a boot log, which
includes just the messages that were generated while booting.
The -x option adds explanation to the information that is
shown. This explanation makes it easier to interpret specific
messages. You should also consider the -u option, which allows
you to see messages that have been logged for a specific
systemd unit only. Use, for instance, journalctl -u sshd to see
all messages that have been logged for the sshd service. Table
13-3 provides an overview of the most interesting journalctl
options.
Table 13-3 Most Useful journalctl Options
Option  Use
-f      Shows the bottom of the journal and live adds new messages that are generated
-b      Shows the boot log
-x      Adds additional explanation to the logged items
-u      Used to filter log messages for a specific unit only
-p      Allows for filtering of messages with a specific priority