# Chapter 86: Systemd Journal Analysis - Deep Dive

Mastering System Diagnostics with journalctl

## 86.1 Understanding Systemd Journal

### Journal Architecture
```
 systemd Journal System
+------------------------------------------------------------------+
|                                                                  |
|  +--------------+   +--------------+   +--------------+          |
|  | Applications |   |    Kernel    |   |   systemd    |          |
|  |   (syslog)   |   |  (/dev/kmsg) |   |  (journald)  |          |
|  +------+-------+   +------+-------+   +------+-------+          |
|         |                  |                  |                  |
|         v                  v                  v                  |
|  +------------------------------------------------------------+  |
|  |                      journald daemon                       |  |
|  |                                                            |  |
|  |  - Receives log messages                                   |  |
|  |  - Indexes for fast searching                              |  |
|  |  - Stores in binary format                                 |  |
|  |  - Applies filtering                                       |  |
|  +-----------------+------------------------+-----------------+  |
|                    |                        |                    |
|                    v                        v                    |
|           /run/log/journal          /var/log/journal             |
|              (volatile)                (persistent)              |
|                                                                  |
+------------------------------------------------------------------+
```

### Journal Storage

Storage types (the Storage= setting in journald.conf):

- volatile
  - Stored in /run/log/journal
  - Lost on reboot
  - Default when /var is not writable
- persistent
  - Stored in /var/log/journal
  - Persists across reboots
  - Configured in journald.conf
- auto
  - Uses persistent storage if /var is on persistent storage
  - Uses volatile storage otherwise
- none
  - Doesn't store any logs
  - Forwards to syslog only
## 86.2 Basic journalctl Commands

### Viewing Logs

```bash
# =============================================================================
# BASIC VIEWING
# =============================================================================

# View all logs (oldest first, through the pager)
journalctl

# View all logs, newest first
journalctl -r

# View kernel messages
journalctl -k
journalctl --dmesg

# View the current boot
journalctl -b

# View the previous boot
journalctl -b -1

# View a specific boot by ID (IDs come from journalctl --list-boots)
journalctl -b abc123def456

# =============================================================================
# TIME-BASED FILTERING
# =============================================================================

# Since a specific time (absolute or relative, systemd.time(7) syntax)
journalctl --since "2024-01-01 00:00:00"
journalctl --since "1 hour ago"
journalctl --since yesterday
journalctl --since "2 days ago"

# Until a specific time
journalctl --until "2024-01-01 12:00:00"
journalctl --until "1 hour ago"

# Time range
journalctl --since "2024-01-01 10:00:00" --until "2024-01-01 11:00:00"

# =============================================================================
# PRIORITY FILTERING
# =============================================================================

# Priority levels, most to least severe:
#   emerg(0), alert(1), crit(2), err(3), warning(4), notice(5), info(6), debug(7)
# A single value selects that level and everything more severe.

# Show err and more severe (0..3)
journalctl -p err
journalctl -p 3

# Show warning and more severe (0..4)
journalctl -p warning

# Show a range: only err and warning (3..4)
journalctl -p err..warning

# All priorities
journalctl -p 0..7
```
### Unit/Service Filtering

```bash
# =============================================================================
# SERVICE FILTERING
# =============================================================================

# Single service
journalctl -u nginx.service

# Multiple services (several -u flags are ORed together)
journalctl -u nginx.service -u mysql.service

# Follow service logs
journalctl -u nginx.service -f

# Service logs from the current boot only
journalctl -u nginx.service -b

# Failed units: list them with systemctl, then read each one's journal
systemctl --failed
journalctl -u nginx.service -b -e

# =============================================================================
# PROCESS FILTERING
# =============================================================================

# By PID
journalctl _PID=1234

# By UID
journalctl _UID=1000
journalctl _UID=$(id -u username)

# By GID
journalctl _GID=1000

# By executable
journalctl _EXE=/usr/bin/nginx

# By command line (exact match on the _CMDLINE field)
journalctl _CMDLINE="nginx -g daemon off"

# =============================================================================
# KERNEL MESSAGES
# =============================================================================

# Kernel messages only
journalctl -k
journalctl --dmesg

# Resume from a saved cursor: journalctl creates/updates the file itself, so
# repeated runs show only kernel messages that are new since the last run
# (any writable path will do)
journalctl -k --cursor-file=/var/tmp/journal-kernel.cursor

# =============================================================================
# BOOT SPECIFIC
# =============================================================================

# List boots (index, boot ID, first and last timestamp)
journalctl --list-boots

# Current boot
journalctl -b

# Previous boot
journalctl -b -1

# Two boots ago
journalctl -b -2

# Specific boot ID
journalctl -b abc123
```
## 86.3 Advanced Filtering

### Complex Filters

```bash
# =============================================================================
# MESSAGE CONTENT FILTERING
# =============================================================================

# Exact match on the MESSAGE field (field matches are exact, not substring)
journalctl MESSAGE="Failed to start"

# Regex match (-g is case-insensitive when the pattern is all lower-case)
journalctl -g "error|failed|exception"

# Substring match via grep on the plain message text
journalctl --no-pager -o cat | grep -i error

# =============================================================================
# FIELD MATCHING
# =============================================================================

# Match a specific field
journalctl _SYSTEMD_UNIT=nginx.service

# Negated match: journalctl has no "!=" operator, so exclude with grep on the
# JSON output, where each entry is one line
journalctl -o json --no-pager | grep -v '"_SYSTEMD_UNIT":"nginx.service"'

# Multiple conditions on different fields (AND)
journalctl _SYSTEMD_UNIT=nginx.service _PID=1234

# Multiple conditions (OR): repeat the same field, or separate terms with "+"
journalctl _SYSTEMD_UNIT=nginx.service _SYSTEMD_UNIT=httpd.service
journalctl _SYSTEMD_UNIT=nginx.service + _SYSTEMD_UNIT=httpd.service

# =============================================================================
# FACILITY/SYSLOG
# =============================================================================

# By syslog facility: the field is numeric, --facility accepts the name
journalctl SYSLOG_FACILITY=3
journalctl --facility=daemon

# By syslog identifier
journalctl SYSLOG_IDENTIFIER=systemd

# =============================================================================
# HOST/TRANSPORT
# =============================================================================

# Entries from a specific host (relevant for merged or remote journals, see -m)
journalctl _HOSTNAME=server1.example.com

# Specific boot ID
journalctl _BOOT_ID=abc123

# Transport the entry arrived over
journalctl _TRANSPORT=kernel
journalctl _TRANSPORT=syslog
journalctl _TRANSPORT=journal
```
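The filters above compose in a fixed way: a `-p` value is a priority window, several `-u` flags are ORed, and different fields are ANDed. The following added example (not code from the page) reproduces those semantics over `journalctl -o json` output so a triage script can summarise a boot instead of paging through it. The `SAMPLE` entries are constructed, the function names are this script's own, and it falls back to the sample when `journalctl` is not installed; it also handles two real edge cases of the JSON output: `MESSAGE` arrives as a byte array when it is not valid UTF-8, and as `null` when journalctl drops an oversized field.

```python
"""Summarise journalctl -o json output with -p / -u semantics (added example)."""
import json
import shutil
import subprocess
from collections import Counter

# Priority names in journald order, most to least severe (same table as journalctl -p).
PRIORITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}

# Constructed sample of `journalctl -o json --no-pager` output, one entry per line.
SAMPLE = """
{"__REALTIME_TIMESTAMP":"1704103200000000","PRIORITY":"3","_SYSTEMD_UNIT":"nginx.service","MESSAGE":"connect() failed (111: Connection refused) while connecting to upstream"}
{"__REALTIME_TIMESTAMP":"1704103201000000","PRIORITY":"6","_SYSTEMD_UNIT":"nginx.service","MESSAGE":"GET /health 200"}
{"__REALTIME_TIMESTAMP":"1704103202000000","PRIORITY":"4","_SYSTEMD_UNIT":"mysql.service","MESSAGE":"Aborted connection 42 to db: 'app' (Got timeout reading communication packets)"}
{"__REALTIME_TIMESTAMP":"1704103203000000","PRIORITY":"2","_SYSTEMD_UNIT":"sshd.service","MESSAGE":[83,83,72,32,255,254]}
{"__REALTIME_TIMESTAMP":"1704103204000000","PRIORITY":"3","_TRANSPORT":"kernel","MESSAGE":"I/O error, dev sda, sector 2048"}
{"__REALTIME_TIMESTAMP":"1704103205000000","PRIORITY":"3","_SYSTEMD_UNIT":"nginx.service","MESSAGE":null}
""".strip().splitlines()


def parse_priority(spec):
    """Turn a -p argument ("err", "3", "err..warning", "0..7") into (lo, hi).

    A single value means that level and everything more severe, i.e. 0..N,
    exactly as journalctl -p interprets it.
    """
    def one(tok):
        tok = tok.strip()
        return PRIORITY[tok] if tok in PRIORITY else int(tok)
    if ".." in spec:
        lo, hi = (one(t) for t in spec.split("..", 1))
    else:
        lo, hi = 0, one(spec)
    if not 0 <= lo <= hi <= 7:
        raise ValueError(f"bad priority range: {spec}")
    return lo, hi


def message_text(entry):
    """Normalise MESSAGE: a string, a list of byte values when the payload is
    not valid UTF-8, or null when journalctl truncated a large field."""
    msg = entry.get("MESSAGE")
    if msg is None:
        return "<field too large or missing>"
    if isinstance(msg, list):
        return bytes(msg).decode("utf-8", errors="replace")
    return msg


def parse_entries(lines):
    """Yield one dict per JSON line, skipping blank or unparsable lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def select(entries, priority="debug", units=()):
    """Apply -p and -u: priority inside the window AND (no units given, or
    the entry's unit is one of them; several -u values OR together)."""
    lo, hi = parse_priority(priority)
    for e in entries:
        try:
            prio = int(e.get("PRIORITY", 6))
        except ValueError:
            prio = 6
        if not lo <= prio <= hi:
            continue
        if units and e.get("_SYSTEMD_UNIT") not in units:
            continue
        yield e


def count_by_unit(entries):
    """Count entries per unit; entries without a unit (kernel, early boot)
    are grouped under their transport, e.g. "<kernel>"."""
    c = Counter()
    for e in entries:
        c[e.get("_SYSTEMD_UNIT") or f"<{e.get('_TRANSPORT', 'unknown')}>"] += 1
    return dict(c)


def load_journal(args=("-b", "--no-pager")):
    """Read the real journal when journalctl exists, else the constructed sample."""
    if shutil.which("journalctl"):
        out = subprocess.run(["journalctl", "-o", "json", *args],
                             capture_output=True, text=True, check=False).stdout
        return out.splitlines()
    return SAMPLE


if __name__ == "__main__":
    entries = list(parse_entries(load_journal()))
    # Equivalent of `journalctl -b -p err`, aggregated per unit
    for unit, n in sorted(count_by_unit(select(entries, "err")).items(), key=lambda kv: -kv[1]):
        print(f"{n:5d} {unit}")
    # Equivalent of `journalctl -b -p err..warning -u nginx.service`
    for e in select(entries, "err..warning", units=("nginx.service",)):
        print(e["PRIORITY"], message_text(e))
```

Run it as root (or as a member of `systemd-journal`) on a host with journalctl to summarise the current boot; the `<kernel>` bucket is where kernel errors land because they carry `_TRANSPORT=kernel` but no `_SYSTEMD_UNIT`.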
## 86.4 Output Formatting

### Display Options

```bash
# =============================================================================
# OUTPUT FORMATS
# =============================================================================

# Short format (default, syslog-like)
journalctl -o short

# Short with ISO 8601 timestamp
journalctl -o short-iso

# Short with full date timestamp
journalctl -o short-full

# Short with monotonic clock (seconds since boot)
journalctl -o short-monotonic

# Short with microsecond-precision timestamps
journalctl -o short-precise

# Timestamps in UTC (combine with any short-* format)
journalctl --utc -o short-iso

# Verbose (all fields of every entry)
journalctl -o verbose

# JSON, one entry per line
journalctl -o json

# Pretty-printed JSON
journalctl -o json-pretty

# JSON wrapped for Server-Sent Events streams
journalctl -o json-sse

# Message text only, no metadata
journalctl -o cat

# Binary export format (for backups and systemd-journal-remote)
journalctl -o export

# =============================================================================
# CUSTOM FORMAT
# =============================================================================

# Limit which fields the structured outputs (json, verbose, export) include
journalctl -o json --output-fields=_HOSTNAME,MESSAGE

# Full format
journalctl -o short-full

# =============================================================================
# HEAD/TAIL
# =============================================================================

# Last N entries
journalctl -n 100

# Follow, starting with the last N
journalctl -f -n 50
```
## 86.5 Real-time Monitoring

### Live Log Monitoring

```bash
# =============================================================================
# FOLLOW MODE
# =============================================================================

# Follow all logs
journalctl -f

# Follow a specific service
journalctl -u nginx.service -f

# Follow kernel messages
journalctl -k -f

# =============================================================================
# MONITORING
# =============================================================================

# Monitor for new entries (like tail -f)
journalctl -f

# Monitor with a priority threshold
journalctl -p err -f

# Watch a specific unit, refreshing every second
watch -n 1 'journalctl -u nginx.service -n 10 --no-pager'

# =============================================================================
# ALERTING
# =============================================================================

# Mail every new error entry (one message per journal line)
journalctl -p err -f | while read -r line; do
    echo "ERROR: $line" | mail -s "Server Error" admin@example.com
done
```
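A one-mail-per-line loop like the one above turns a crash-looping service into a mail storm. The following added example (not from the page) consumes the same `journalctl -p err -f -o json` stream but groups entries by unit and message inside a fixed time window, emitting one digest per window with counts, and caps the number of distinct lines so a flood of unique messages cannot blow up the alert either. `SAMPLE` is a constructed follow-mode capture, `WINDOW_SECONDS`, `MAX_DISTINCT` and the function names are this script's own choices, and `send_alert()` only prints; the `mail` call to substitute is shown in a comment.

```python
"""Batch journal errors into one alert per time window (added example)."""
import json
import shutil
import subprocess

WINDOW_SECONDS = 60   # assumption: at most one digest per minute
MAX_DISTINCT = 20     # assumption: cap on distinct (unit, message) lines per digest

# Constructed sample of `journalctl -p err -f -o json` output:
# a crash loop in app.service, one unrelated sshd error, then a later repeat.
SAMPLE = [
    '{"__REALTIME_TIMESTAMP":"1704103200000000","PRIORITY":"3","_SYSTEMD_UNIT":"app.service","MESSAGE":"database connection refused"}',
    '{"__REALTIME_TIMESTAMP":"1704103205000000","PRIORITY":"3","_SYSTEMD_UNIT":"app.service","MESSAGE":"database connection refused"}',
    '{"__REALTIME_TIMESTAMP":"1704103210000000","PRIORITY":"3","_SYSTEMD_UNIT":"app.service","MESSAGE":"database connection refused"}',
    '{"__REALTIME_TIMESTAMP":"1704103230000000","PRIORITY":"2","_SYSTEMD_UNIT":"sshd.service","MESSAGE":"fatal: cannot bind any address."}',
    '{"__REALTIME_TIMESTAMP":"1704103270000000","PRIORITY":"3","_SYSTEMD_UNIT":"app.service","MESSAGE":"database connection refused"}',
]


def ts_seconds(entry):
    """__REALTIME_TIMESTAMP is microseconds since the epoch, encoded as a string."""
    return int(entry["__REALTIME_TIMESTAMP"]) / 1_000_000


def digests(lines, window=WINDOW_SECONDS, max_distinct=MAX_DISTINCT):
    """Group error entries into digests covering [start, start + window).

    Each digest maps (unit, message) -> count. A digest is yielded when an
    entry arrives past its window; the last one is yielded when the input
    ends (e.g. when journalctl exits).
    """
    current, start = {}, None
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            e = json.loads(line)
        except json.JSONDecodeError:
            continue
        t = ts_seconds(e)
        if start is not None and t >= start + window:
            yield {"start": start, "end": start + window, "items": current}
            current, start = {}, None
        if start is None:
            start = t
        key = (e.get("_SYSTEMD_UNIT", "<no unit>"), str(e.get("MESSAGE", ""))[:200])
        if key in current or len(current) < max_distinct:
            current[key] = current.get(key, 0) + 1
        else:
            # Too many distinct lines: count the rest instead of growing the alert
            current[("<overflow>", "")] = current.get(("<overflow>", ""), 0) + 1
    if start is not None:
        yield {"start": start, "end": start + window, "items": current}


def format_digest(d):
    """Render one digest as the body of a single alert, most frequent first."""
    lines = [f"{len(d['items'])} distinct error line(s) in a {d['end'] - d['start']:.0f}s "
             f"window starting at epoch {d['start']:.0f}"]
    for (unit, msg), n in sorted(d["items"].items(), key=lambda kv: -kv[1]):
        lines.append(f"  {n:4d}x {unit}: {msg}")
    return "\n".join(lines)


def send_alert(body):
    """Deliver one alert. To mail it instead of printing, use for example:
    subprocess.run(["mail", "-s", "Server Error", "admin@example.com"], input=body, text=True)
    """
    print(body)


def main():
    if shutil.which("journalctl"):
        # -n 0 skips the backlog so only new errors are digested
        proc = subprocess.Popen(["journalctl", "-p", "err", "-f", "-o", "json", "-n", "0"],
                                stdout=subprocess.PIPE, text=True)
        source = proc.stdout
    else:
        source = SAMPLE
    for d in digests(source):
        send_alert(format_digest(d))


if __name__ == "__main__":
    main()
```

One caveat of this design: a window only closes when the next entry arrives after it, so a lone error is held until more errors follow or journalctl exits. For production use add a timer (for example a `select()` on the pipe with a timeout) that flushes the current digest when the window elapses with no new input.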
## 86.6 Maintenance and Troubleshooting

### Disk Usage

```bash
# =============================================================================
# DISK USAGE
# =============================================================================

# Journal usage as journald accounts for it (archived and active files)
journalctl --disk-usage

# Current on-disk size of the persistent journal
du -sh /var/log/journal/

# Usage of the calling user's own journal
journalctl --user --disk-usage

# =============================================================================
# CLEANUP (vacuum removes archived files only; the active file is untouched)
# =============================================================================

# Keep only the most recent 100MB
journalctl --vacuum-size=100M

# Keep only the last 2 weeks
journalctl --vacuum-time=2weeks

# Keep only 5 archived files
journalctl --vacuum-files=5

# Vacuum the calling user's own journal
journalctl --user --vacuum-size=50M

# =============================================================================
# ROTATION
# =============================================================================

# Force rotation (active files become archived files)
journalctl --rotate

# Rotate first so that old entries are archived, then vacuum them
journalctl --rotate --vacuum-time=2weeks
```
### Troubleshooting Examples

```bash
# =============================================================================
# SERVICE FAILURE
# =============================================================================

# Check why a service failed: errors from the unit in this boot
journalctl -u nginx.service -b -p err

# Last 50 lines of the unit in this boot
journalctl -u nginx.service -b -n 50

# Since the unit last entered the active state (empty if it never did)
journalctl -u nginx.service --since "$(systemctl show -p ActiveEnterTimestamp nginx.service --value)"

# =============================================================================
# BOOT ISSUES
# =============================================================================

# Errors from the current boot
journalctl -b -p err

# Errors from the previous boot (requires persistent storage)
journalctl -b -1 -p err

# Kernel errors
journalctl -k --priority=err

# =============================================================================
# PERFORMANCE ISSUES
# =============================================================================

# Noisiest processes: count entries by the identifier[PID] column of short output
journalctl -u nginx.service --no-pager | awk '{print $5}' | sort | uniq -c | sort -rn | head

# Slow boot analysis
systemd-analyze blame

# Critical chain
systemd-analyze critical-chain
```
## 86.7 Configuration

### journald Configuration

```ini
# /etc/systemd/journald.conf (or a drop-in under /etc/systemd/journald.conf.d/)
# Apply with: systemctl restart systemd-journald
[Journal]
# Storage location: auto, volatile, persistent, none
Storage=persistent

# Size limits for /var/log/journal (persistent)
SystemMaxUse=500M
SystemKeepFree=500M
SystemMaxFileSize=50M
SystemMaxFiles=100

# Size limits for /run/log/journal (volatile)
RuntimeMaxUse=100M
RuntimeKeepFree=100M
RuntimeMaxFileSize=10M
RuntimeMaxFiles=3

# Compression and Forward Secure Sealing (Seal= needs keys from journalctl --setup-keys)
Compress=yes
Seal=yes

# Forwarding
ForwardToSyslog=yes
ForwardToKMsg=no
ForwardToConsole=no
ForwardToWall=yes

# Rate limiting (per service: at most RateLimitBurst messages per interval)
RateLimitIntervalSec=30s
RateLimitBurst=1000

# Split the persistent journal per user (uid) or keep a single journal (none)
SplitMode=uid
```
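Whether the journal is useful after an incident depends on a handful of these keys: `Storage=` decides if anything survives a reboot, `Seal=` only protects integrity once keys exist, and the rate limit decides whether a burst of messages is dropped. The following added example (not code from the page or from systemd) parses a `[Journal]` section with the line rules journald uses (full-line `#` or `;` comments, `KEY=VALUE`, later keys override earlier ones), converts the size and time suffixes, and reports findings. `CONFIG` repeats the page's example configuration; the checks, thresholds (such as the 10 messages per second rate-limit warning) and function names are this script's own assumptions.

```python
"""Lint journald.conf retention and integrity settings (added example)."""
import re

# The page's example configuration, comments stripped
CONFIG = """
[Journal]
Storage=persistent
SystemMaxUse=500M
SystemKeepFree=500M
SystemMaxFileSize=50M
SystemMaxFiles=100
RuntimeMaxUse=100M
Compress=yes
Seal=yes
ForwardToSyslog=yes
RateLimitIntervalSec=30s
RateLimitBurst=1000
SplitMode=uid
"""

SIZE = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3, "T": 1024 ** 4}
TIME = {"": 1, "s": 1, "sec": 1, "second": 1, "seconds": 1,
        "m": 60, "min": 60, "minute": 60, "minutes": 60,
        "h": 3600, "hr": 3600, "hour": 3600, "hours": 3600,
        "d": 86400, "day": 86400, "days": 86400,
        "w": 604800, "week": 604800, "weeks": 604800}
MIN_RATE_PER_SEC = 10   # assumption: warn below this sustained per-service rate


def parse_size(text):
    """Bytes from a journald size value: bare number or K/M/G/T suffix (base 1024)."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)?)\s*([KMGT]?)\s*", text, re.IGNORECASE)
    if not m:
        raise ValueError(f"not a size: {text!r}")
    return int(float(m.group(1)) * SIZE[m.group(2).upper()])


def parse_seconds(text):
    """Seconds from a systemd time span such as 30s, 5min, 1h 30min or 2weeks."""
    total = 0
    for num, unit in re.findall(r"(\d+)\s*([a-zA-Z]*)", text):
        if unit not in TIME:
            raise ValueError(f"unknown time unit in {text!r}")
        total += int(num) * TIME[unit]
    return total


def parse_journald_conf(text):
    """Return the [Journal] section as {key: value}; later keys win."""
    section, settings = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "Journal" and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def lint(settings):
    """Return (level, message) findings about evidence retention; levels: WARN, INFO."""
    findings = []
    storage = settings.get("Storage", "auto")
    if storage in ("volatile", "none"):
        findings.append(("WARN", f"Storage={storage}: entries will not survive a reboot"))
    elif storage == "auto":
        findings.append(("INFO", "Storage=auto: persistent only if /var/log/journal already exists"))
    if storage == "none" and settings.get("ForwardToSyslog", "no") != "yes":
        findings.append(("WARN", "Storage=none without ForwardToSyslog=yes discards all log data"))
    if settings.get("Seal", "no") == "yes":
        findings.append(("INFO", "Seal=yes takes effect only after journalctl --setup-keys on this host"))
    max_use, max_file = settings.get("SystemMaxUse"), settings.get("SystemMaxFileSize")
    if max_use and max_file and parse_size(max_file) > parse_size(max_use):
        findings.append(("WARN", "SystemMaxFileSize exceeds SystemMaxUse: a single file could exceed the total budget"))
    if "MaxRetentionSec" not in settings:
        findings.append(("INFO", "No MaxRetentionSec: retention is bounded only by the size limits"))
    burst, interval = settings.get("RateLimitBurst"), settings.get("RateLimitIntervalSec")
    if burst and interval:
        secs = parse_seconds(interval)
        if secs and int(burst) / secs < MIN_RATE_PER_SEC:
            findings.append(("WARN", f"Rate limit allows under {MIN_RATE_PER_SEC} msg/s per service "
                                     f"({burst} per {interval}); messages above it are dropped"))
    return findings


if __name__ == "__main__":
    for level, message in lint(parse_journald_conf(CONFIG)):
        print(f"{level:4s} {message}")
```

Point it at a real file with `lint(parse_journald_conf(open("/etc/systemd/journald.conf").read()))`; note that drop-ins under `journald.conf.d/` are merged by journald but not by this parser, so concatenate them first if they exist.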
## 86.8 Exam Tips

- Filtering: know the --since, --until, -u, -p and -g flags
- Boot logs: -b for the current boot, -b -1 for the previous boot
- Priority: -p err selects priorities 0-3 (err and more severe)
- Real-time: -f for follow mode
- Output: -o json-pretty for structured data
- Maintenance: --vacuum-size, --vacuum-time
- systemd-analyze: for boot performance
- Field matching: _SYSTEMD_UNIT, _PID, etc.
- Disk usage: check the journal size regularly
- Rotation: automatic in systemd
## Summary

In this chapter, you learned:

- ✅ Journal architecture and storage
- ✅ Basic journalctl commands
- ✅ Time and priority filtering
- ✅ Unit and process filtering
- ✅ Output formatting
- ✅ Real-time monitoring
- ✅ Maintenance and cleanup
- ✅ Configuration options
- ✅ Troubleshooting techniques

## Next Chapter

Chapter 87: strace, ltrace, and syscalls
Last Updated: February 2026