Evaluate systemd logs using Journalctl

Lead Image © Aloysius Patrimonio, 123RF.com

Finely Filtered

The Journal is a component of systemd that is responsible for viewing and management of log files.

The systemd service Journald creates very comprehensive logs, which allow you to analyze data in a variety of ways. Once you get used to the convenience this affords, you won't even miss the old-style log files.

Better structured

The Journald daemon collects messages from the kernel, initrd, any running services and other available sources and collects them into one place. This results in a massive amount of data compared to the log files you're traditionally used to such as /var/log/messages or /var/log/syslog. You'll also find a huge amount of metadata is included, which can significantly improve your results when searching the Journal.

This also results in a larger amount of data which is tricky to store in traditional text files. This is why the Journald daemon stores this information in binary files. You can read this data, using the command journalctl. If necessary, you can also convert the binary files to other formats for further analysis.

A little off the top

The huge amount of data being logged results in large files. While your system previously managed to trim these down using the Logrotate tool to compress and archive log files, the systemd journal allows you to set limits when files are changed.

Take a look at your own systemd [1] configuration file. For non-Debian based Linux distros, this is usually found in /etc/systemd/journald.conf. You may also find it in /etc/systemd/journald.conf. Look for the values SystemMaxUse and SystemKeepFree. The first of these determines how much space the journal files contain. The second value specifies how much free space to allocate (Figure 1).

Figure 1: The Systemd-Journal can expand very quickly. To save on disk space, limit the size of the journal files.

Both values will determine the absolute limit on journal file sizes and available space. If you don't enter any values, the default amount of space permitted for journal files is 10 percent of your filesystem. The minimum amount of free space is 15 percent by default. The program caps both values at 4 GB for each.

Given the size of hard drives nowadays, it's perfectly feasible to set SystemMaxUse to somewhere between 50 MB to 1 GB. In any case, the default values for the Journal are sufficient for everyday use. Feel free to change the SystemMaxFileSize to limit the size of individual files if you think it's necessary, however.

When setting size limits, use the values K,G and T for kilobytes, gigabytes and terabytes respectively. If you want to alter the default values in journald.conf, make sure to uncomment each line by removing the # at the start, then restart the Journald daemon.

Buy this article as PDF

Express-Checkout as PDF

Pages: 6

Price $2.95
(incl. VAT)

Buy Raspberry Pi Geek

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content