# Chapter 86: Systemd Journal Analysis - Deep Dive

## Mastering System Diagnostics with journalctl

### Why This Matters in DevOps/SRE

The systemd journal is the primary logging mechanism on modern Linux systems:
- Incident Response: First place to look when systems fail
- Debugging: Understand application behavior and failures
- Compliance: Audit logs for security and regulatory requirements
- Performance: Identify bottlenecks and resource issues
- Root Cause Analysis: Correlate events across services
Every DevOps engineer and SRE must master journalctl for effective troubleshooting.
## 86.1 Understanding the Systemd Journal

### Journal Architecture

```text
                       systemd Journal System
+------------------------------------------------------------------+
|                                                                  |
|  +-------------+    +-------------+    +-------------+           |
|  | Applications|    |   Kernel    |    |   Systemd   |           |
|  |  (syslog)   |    | (/dev/kmsg) |    |  (journald) |           |
|  +-------------+    +-------------+    +-------------+           |
|         |                  |                  |                  |
|         v                  v                  v                  |
|  +-------------------------------------------------------------+ |
|  |                       journald Daemon                       | |
|  |                                                             | |
|  |  - Receives log messages                                    | |
|  |  - Indexes for fast searching                               | |
|  |  - Stores in binary format                                  | |
|  |  - Applies filtering                                        | |
|  +-----------------------------+-------------------------------+ |
|                |                              |                  |
|                v                              v                  |
|        /run/log/journal               /var/log/journal           |
|           (volatile)                    (persistent)             |
|                                                                  |
+------------------------------------------------------------------+
```

### Journal Storage

```text
                       Journal Storage Types
+------------------------------------------------------------------+
|                                                                  |
|  volatile                                                        |
|  +----------------------------------------------------------+    |
|  | - Stored in /run/log/journal                             |    |
|  | - Lost on reboot                                         |    |
|  | - Default when /var not writable                         |    |
|  +----------------------------------------------------------+    |
|                                                                  |
|  persistent                                                      |
|  +----------------------------------------------------------+    |
|  | - Stored in /var/log/journal                             |    |
|  | - Persists across reboots                                |    |
|  | - Configured in journald.conf                            |    |
|  +----------------------------------------------------------+    |
|                                                                  |
|  auto                                                            |
|  +----------------------------------------------------------+    |
|  | - Uses persistent if /var is on persistent storage       |    |
|  | - Uses volatile otherwise                                |    |
|  +----------------------------------------------------------+    |
|                                                                  |
|  none                                                            |
|  +----------------------------------------------------------+    |
|  | - Doesn't store any logs                                 |    |
|  | - Forwards to syslog only                                |    |
|  +----------------------------------------------------------+    |
|                                                                  |
+------------------------------------------------------------------+
```

## 86.2 Basic journalctl Commands
### Viewing Logs

```bash
# =============================================================================
# BASIC VIEWING
# =============================================================================

# View all logs (oldest first; this is the default order)
journalctl

# View all logs (newest first)
journalctl -r

# View kernel messages
journalctl -k
journalctl --dmesg

# View current boot
journalctl -b

# View previous boot
journalctl -b -1

# View specific boot ID
journalctl -b abc123def456

# =============================================================================
# TIME-BASED FILTERING
# =============================================================================

# Since specific time
journalctl --since "2024-01-01 00:00:00"
journalctl --since "1 hour ago"
journalctl --since yesterday
journalctl --since "2 days ago"

# Until specific time
journalctl --until "2024-01-01 12:00:00"
journalctl --until "1 hour ago"

# Time range
journalctl --since "2024-01-01 10:00:00" --until "2024-01-01 11:00:00"

# =============================================================================
# PRIORITY FILTERING
# =============================================================================

# Priority levels: emerg(0) > alert(1) > crit(2) > err(3) > warning(4) > notice(5) > info(6) > debug(7)

# Show error and above (err and anything more severe)
journalctl -p err
journalctl -p 3

# Show warning and above
journalctl -p warning

# Show a range of priorities (both ends inclusive)
journalctl -p err..warning

# All priorities
journalctl -p 0..7
```

### Unit/Service Filtering
```bash
# =============================================================================
# SERVICE FILTERING
# =============================================================================

# Single service
journalctl -u nginx.service

# Multiple services
journalctl -u nginx.service -u mysql.service

# Follow service logs
journalctl -u nginx.service -f

# Service logs since the current boot
journalctl -u nginx.service -b

# Errors from a service in the current boot
journalctl -u nginx.service -p err -b

# All failed units
systemctl --failed

# =============================================================================
# PROCESS FILTERING
# =============================================================================

# By PID
journalctl _PID=1234

# By UID
journalctl _UID=1000
journalctl _UID=$(id -u username)

# By GID
journalctl _GID=1000

# By executable
journalctl _EXE=/usr/bin/nginx

# By command line
journalctl _CMDLINE="nginx -g daemon off"

# =============================================================================
# KERNEL MESSAGES
# =============================================================================

# Kernel messages only
journalctl -k
journalctl --dmesg

# Resume after the cursor saved in a file (the file is updated with the new cursor on exit)
journalctl -k --cursor-file=/var/log/journal/boot-id

# =============================================================================
# BOOT SPECIFIC
# =============================================================================

# List boots
journalctl --list-boots

# Current boot
journalctl -b

# Previous boot
journalctl -b -1

# Two boots ago (-N means N boots back)
journalctl -b -2

# Specific boot ID
journalctl -b abc123
```

## 86.3 Advanced Filtering
### Complex Filters

```bash
# =============================================================================
# MESSAGE CONTENT FILTERING
# =============================================================================

# Exact match on the MESSAGE field (field matches are exact, not substring)
journalctl MESSAGE="Failed to start"

# Regex match (PCRE; case-insensitive when the pattern is all lowercase)
journalctl -g "error|failed|exception"

# Contains substring (plain grep over the text output)
journalctl --no-pager | grep -i error

# =============================================================================
# FIELD MATCHING
# =============================================================================

# Match specific field
journalctl _SYSTEMD_UNIT="nginx.service"

# Negate match (journal matches cannot be negated; filter the JSON output instead)
journalctl -o json | jq 'select(._SYSTEMD_UNIT != "nginx.service")'

# Multiple conditions (AND): different fields on one command line
journalctl _SYSTEMD_UNIT="nginx.service" _PID=1234

# Multiple conditions (OR): "+" joins match groups (the same field given twice is also ORed)
journalctl _SYSTEMD_UNIT="nginx.service" + _SYSTEMD_UNIT="httpd.service"

# =============================================================================
# FACILITY/SYSLOG
# =============================================================================

# Based on syslog facility (the field holds the number; 3 = daemon)
journalctl SYSLOG_FACILITY=3
journalctl --facility=daemon

# Based on syslog identifier
journalctl SYSLOG_IDENTIFIER=systemd

# =============================================================================
# HOST/TRANSPORT
# =============================================================================

# By hostname (useful when journals from remote hosts are merged)
journalctl _HOSTNAME=server1.example.com

# Specific boot ID
journalctl _BOOT_ID=abc123

# Transport method
journalctl _TRANSPORT=kernel
journalctl _TRANSPORT=syslog
journalctl _TRANSPORT=journal
```

## 86.4 Output Formatting
### Display Options

```bash
# =============================================================================
# OUTPUT FORMATS
# =============================================================================

# Short format (default, syslog-like)
journalctl -o short

# Short with ISO 8601 timestamp
journalctl -o short-iso

# Short with full timestamp (weekday, date, time, timezone)
journalctl -o short-full

# Short with monotonic clock
journalctl -o short-monotonic

# Short with microsecond-precision timestamps
journalctl -o short-precise

# Timestamps in UTC (combine with any output format)
journalctl --utc

# Verbose (all fields)
journalctl -o verbose

# JSON, one entry per line
journalctl -o json

# Pretty JSON
journalctl -o json-pretty

# JSON wrapped for Server-Sent Events
journalctl -o json-sse

# Message text only, no metadata
journalctl -o cat

# Journal export format (for systemd-journal-remote or importing elsewhere)
journalctl -o export

# =============================================================================
# CUSTOM FORMAT
# =============================================================================

# Custom fields: restrict which fields are printed...
journalctl -o verbose --output-fields=_HOSTNAME,MESSAGE

# ...or build a custom line from the JSON output
journalctl -o json | jq -r '"\(._HOSTNAME) \(.MESSAGE)"'

# Full format
journalctl -o short-full

# =============================================================================
# HEAD/TAIL
# =============================================================================

# Last N entries
journalctl -n 100

# Follow, starting with the last N entries
journalctl -f -n 50
```

## 86.5 Real-time Monitoring
### Live Log Monitoring

```bash
# =============================================================================
# FOLLOW MODE
# =============================================================================

# Follow all logs
journalctl -f

# Follow specific service
journalctl -u nginx.service -f

# Follow kernel messages
journalctl -k -f

# =============================================================================
# MONITORING
# =============================================================================

# Monitor for new entries (like tail -f)
journalctl -f

# Monitor with priority
journalctl -p err -f

# Watch specific unit
watch -n 1 'journalctl -u nginx.service -n 10 --no-pager'

# =============================================================================
# ALERTING
# =============================================================================

# Watch for errors and mail each one (one message per log line)
journalctl -p err -f | while read -r line; do
    echo "ERROR: $line" | mail -s "Server Error" admin@example.com
done
```

## 86.6 Maintenance and Troubleshooting
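A batched alternative to the one-mail-per-line loop above, as an added example that is not from the original chapter: it parses the journal export format described in section 86.4 with awk and counts error-priority entries per host and unit, so one summary replaces a flood of mails. The journalctl invocation in the comments, the cursor-file path and the sample records are assumptions made for the demo.

```shell
# Added example (not from the original chapter): batch error-priority journal
# entries per host/unit before alerting, instead of mailing one per line.
# Input is journalctl export format (-o export): one FIELD=value line per
# field, records separated by a blank line; assumed: no binary fields.

# Usage: summarize_errors [MAX_PRIORITY] < export-stream   (default 3 = err)
# Prints "count<TAB>host<TAB>unit<TAB>priority", most frequent first, for
# entries at or above that severity (lower number = more severe).
summarize_errors() {
    awk -v max="${1:-3}" '
        function flush() {
            if (prio != "" && prio + 0 <= max) count[host "\t" unit "\t" prio]++
            host = "-"; unit = "-"; prio = ""
        }
        BEGIN { flush() }                        # initialise record state
        /^$/  { flush(); next }                  # blank line ends a record
        /^_HOSTNAME=/     { host = substr($0, 11) }
        /^_SYSTEMD_UNIT=/ { unit = substr($0, 15) }
        /^PRIORITY=/      { prio = substr($0, 10) }
        END { flush(); for (k in count) printf "%d\t%s\n", count[k], k }' |
        sort -k1,1nr -k2,3
}

# Constructed sample in the shape "journalctl -p err -o export" emits;
# hosts, units and messages are made up for the demo.
SAMPLE_EXPORT='PRIORITY=3
_HOSTNAME=web01
_SYSTEMD_UNIT=nginx.service
MESSAGE=worker process 4242 exited on signal 11

PRIORITY=2
_HOSTNAME=db01
_SYSTEMD_UNIT=mysql.service
MESSAGE=InnoDB: Unable to lock ./ibdata1

PRIORITY=3
_HOSTNAME=web01
_SYSTEMD_UNIT=nginx.service
MESSAGE=worker process 4243 exited on signal 11

PRIORITY=6
_HOSTNAME=web01
_SYSTEMD_UNIT=nginx.service
MESSAGE=start worker process 4244'

# Real use (needs journalctl, not run here); --cursor-file resumes where the
# previous run stopped, so each entry is counted exactly once:
#   journalctl -p err -o export --cursor-file=/var/lib/journal-alert.cursor |
#       summarize_errors 3 | mail -s "Journal error summary" admin@example.com
printf '%s\n' "$SAMPLE_EXPORT" | summarize_errors 3
```

Run from cron or a systemd timer; the info-level record in the sample is dropped because its priority (6) is above the err threshold.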
### Disk Usage

```bash
# =============================================================================
# DISK USAGE
# =============================================================================

# Check disk usage
journalctl --disk-usage

# Current journal size
du -sh /var/log/journal/

# Current user's journal usage
journalctl --user --disk-usage

# =============================================================================
# CLEANUP
# =============================================================================
# Note: --vacuum-* only removes archived files; run --rotate first to include
# the currently active files.

# Keep only last 100MB
journalctl --vacuum-size=100M

# Keep only last 2 weeks
journalctl --vacuum-time=2weeks

# Keep only 5 files
journalctl --vacuum-files=5

# Current user's journal
journalctl --user --vacuum-size=50M

# =============================================================================
# ROTATION
# =============================================================================

# Force rotation (active files become archived)
journalctl --rotate

# Rotate, then remove archived files older than 7 days
journalctl --rotate --vacuum-time=7d
```

### Troubleshooting Examples
```bash
# =============================================================================
# SERVICE FAILURE
# =============================================================================

# Check why a service failed (status plus its most recent journal lines)
systemctl status nginx.service

# Last 50 lines of the unit from the current boot
journalctl -u nginx.service -b -n 50 --no-pager

# Since last successful start
journalctl -u nginx.service --since "$(systemctl show -p ActiveEnterTimestamp --value nginx.service)"

# =============================================================================
# BOOT ISSUES
# =============================================================================

# Show boot errors
journalctl -b -p err

# Previous boot issues
journalctl -b -1 -p err

# Kernel failures
journalctl -k --priority=err

# =============================================================================
# PERFORMANCE ISSUES
# =============================================================================

# Noisiest log sources in a unit (5th field of short output is identifier[pid]:)
journalctl -u nginx.service --no-pager | awk '{print $5}' | sort | uniq -c | sort -rn | head

# Slow boot analysis
systemd-analyze blame

# Critical chain
systemd-analyze critical-chain
```

## 86.7 Configuration
### journald Configuration

```ini
# /etc/systemd/journald.conf
[Journal]
# Storage location. Options: auto, volatile, persistent, none
Storage=persistent

# Size limits (persistent journal in /var/log/journal)
SystemMaxUse=500M
SystemKeepFree=500M
SystemMaxFileSize=50M
SystemMaxFiles=100

# Runtime limits (volatile journal in /run/log/journal)
RuntimeMaxUse=100M
RuntimeKeepFree=100M
RuntimeMaxFileSize=10M
RuntimeMaxFiles=3

# Compression and Forward Secure Sealing
Compress=yes
Seal=yes

# Forwarding
ForwardToSyslog=yes
ForwardToKMsg=no
ForwardToConsole=no
ForwardToWall=yes

# Rate limiting (per service: at most RateLimitBurst messages per RateLimitIntervalSec)
RateLimitIntervalSec=30s
RateLimitBurst=1000

# Split mode
SplitMode=uid
```

## 86.8 Exam Tips
- Filtering: Know --since, --until, -u, -p, -g flags
- Boot logs: Use -b, -b -1 for previous boot
- Priority: -p err (0-3)
- Real-time: Use -f for follow mode
- Output: -o json-pretty for structured data
- Maintenance: --vacuum-size, --vacuum-time
- Systemd-analyze: For boot performance
- Field matching: _SYSTEMD_UNIT, _PID, etc.
- Disk usage: Check journal size regularly
- Rotation: Automatic in systemd
## Common Mistakes & Anti-Patterns

### 1. Not Using Proper Time Ranges

WRONG:

```bash
# Getting all logs - overwhelming and slow
journalctl
```

CORRECT:

```bash
# Use time filters
journalctl --since "1 hour ago"
journalctl --since "2024-01-15 10:00:00" --until "2024-01-15 11:00:00"
journalctl -S -24h
```

Why: Without time filters, you get massive output and slow performance.

### 2. Ignoring Priority Levels

WRONG:

```bash
# Showing all priorities (and merging every available journal with -m)
journalctl -m
```

CORRECT:

```bash
# Filter by priority (0=emergency to 7=debug)
journalctl -p err      # Errors and above
journalctl -p warning  # Warnings and above
journalctl -p 0..3     # Emergency to Error
```

Why: Focus on relevant logs to find issues faster.

### 3. Not Using Unit Filters

WRONG:

```bash
# Searching everywhere
journalctl | grep nginx
```

CORRECT:

```bash
# Filter by service unit
journalctl -u nginx.service
journalctl -u nginx.service --since "1 hour ago"
journalctl -u nginx.service -u php-fpm.service
```

Why: Much faster and more relevant results.

### 4. Forgetting About Disk Space

WRONG:

```bash
# Not checking journal size
df -h  # See disk full!
```

CORRECT:

```bash
# Check journal size
journalctl --disk-usage
du -sh /var/log/journal

# Clean old logs
journalctl --vacuum-time=7d
journalctl --vacuum-size=500M
```

Why: The journal can grow large and fill the disk.

### 5. Not Using Real-time Monitoring

WRONG:

```bash
# Checking logs periodically
while true; do journalctl -n 20; sleep 60; done
```

CORRECT:

```bash
# Use built-in real-time monitoring
journalctl -f
journalctl -f -u nginx.service
journalctl -f -p err
```

Why: Built-in follow mode is more efficient and handles rotation.
## Summary

In this chapter, you learned:
- ✅ Journal architecture and storage
- ✅ Basic journalctl commands
- ✅ Time and priority filtering
- ✅ Unit and process filtering
- ✅ Output formatting
- ✅ Real-time monitoring
- ✅ Maintenance and cleanup
- ✅ Configuration options
- ✅ Troubleshooting techniques
## Next Chapter

Chapter 87: strace, ltrace, and syscalls
Last Updated: February 2026