Evaluate systemd logs using journalctl
Early and Often
The journald daemon not only records much more data than other logging mechanisms, but actually starts up much earlier in the boot process than was previously possible. This is a huge help when narrowing down system startup problems. Readers who remember the number of photos taken of systems not booting because of a kernel panic or other boot issues on support forums will no doubt relate. Thanks to systemd this is a thing of the past.
Systems using SysVinit [2] do not store messages from the initial stages of the boot process, as the root file system has not yet been mounted as a writable medium. However, systems using systemd create a socket [3] at run time, from which collected messages can be read. The journal, therefore, offers some significant advantages, despite creating numerous binary files.
Status and verification
Your operating system contains a journal for each user as well as one for the system itself. If a user belongs to the group systemd-journal, they can access the journal and view all the data without running as root. Before you dive in and view all the data available, you may want to master a few basic but important commands.
View the current status of the journal daemon using systemctl (Listing 1). Use journalctl --disk-usage to check the current journal size and journalctl --verify to test the integrity of your data (Listing 2).
Listing 1
Viewing the Current Status of the Journal Daemon
Listing 2
Checking the Size and Integrity of Journal Data
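The integrity check described above can be turned into a pass/fail result for a scheduled job. This is an added example, not a listing from the original article. It assumes the "PASS: " and "FAIL: " line prefixes that journalctl --verify prints for each journal file; the sample output and its MACHINE_ID paths are constructed.

```shell
#!/bin/sh
# Added example: summarize `journalctl --verify` output.
# Assumption: each journal file is reported on a line beginning "PASS: " or
# "FAIL: ", with the reason for a failure in trailing parentheses.

# Constructed sample output (paths and MACHINE_ID are placeholders).
sample_verify_output() {
  cat <<'EOF'
PASS: /var/log/journal/MACHINE_ID/system.journal
PASS: /var/log/journal/MACHINE_ID/user-1000.journal
FAIL: /var/log/journal/MACHINE_ID/system@archived.journal (Bad message)
EOF
}

# Reads verify output on stdin, prints one line per failing file plus a
# summary, and returns non-zero if any file failed or no result line was
# seen (an empty result usually means the journal could not be read at all).
# The body runs in a subshell so the counters stay local to the function.
check_verify() (
  passed=0
  failed=0
  while IFS= read -r line; do
    case "$line" in
      "PASS: "*)
        passed=$((passed + 1))
        ;;
      "FAIL: "*)
        failed=$((failed + 1))
        printf 'corrupt journal: %s\n' "${line#FAIL: }"
        ;;
    esac
  done
  printf 'checked=%d passed=%d failed=%d\n' \
    "$((passed + failed))" "$passed" "$failed"
  [ "$failed" -eq 0 ] && [ "$passed" -gt 0 ]
)

# Demonstration on the constructed sample. On a real system use:
#   journalctl --verify 2>&1 | check_verify
sample_verify_output | check_verify || echo "integrity check did not pass"
```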
To see whether your log is recording the correct time, run timedatectl status. This command lets you check that your time zone corresponds to your location (Listing 3). The top line should show the current time. If you're running the computer in a new time zone, use timedatectl set-timezone <zone> to adjust.
Listing 3
Checking Local Time
In theory, you can display any data from the journal using the journalctl command. By default the terminal pager program less is used to display data. It allows you to scroll back and forth through the log. Most importantly, you can use it from your regular user account without root privileges. When you've finished examining the binary files, return to the command prompt by pressing Q.
The whole story
You can display the complete journal output by running the command journalctl without any additional options. This will show all saved logs subject to any file size limitations and the time since your last reboot.
Each time you restart the computer, the program will insert the line -- Reboot -- to break up the information. This not only makes the logs easier on the eye, but is useful to determine how long an error has been occurring. Use journalctl -p err to limit the output if necessary. This option will display only ERROR log levels from the journal.
Usually you will want to focus on issues occurring at a certain time or to filter the results. For instance, you can use journalctl -b to show all logs since the last boot. If you're interested in logfiles from the last boot but one, run journalctl -b -1. Use journalctl --list-boots to display all boot events saved in the journal (Listing 4). Use the value from the first column of the output to display information on a specific boot, e.g. journalctl -b -0.
Listing 4
Displaying All Boot Events Saved in the Journal