Today, we will dive deep into one of the most critical Linux utilities for logging errors and debugging messages. On Linux systems that don't use systemd, the leading utility was the rsyslogd daemon. Although you can still use rsyslogd on systemd systems, systemd has its own method of gathering and displaying messages, called the systemd journal.
The primary command for viewing messages from the systemd journal is journalctl. The boot process, the kernel, and all systemd-managed services direct their status and error messages to the systemd journal.
Basic commands
journalctl
To display logs from a specific unit (service):
syntax: journalctl -u service_name
journalctl -u docker
To display logs from a specific time range:
syntax: journalctl -S "YYYY-MM-DD HH:MM:SS"
journalctl -S -4h # view system logs from the past 4 hours
To view logs in real time:
journalctl -f
To view the logs of a specific process:
syntax: journalctl _PID=processid
journalctl _PID=12644 # the PID is obtained with the ps command
To Clear Logs Older Than a Specific Time:
syntax: journalctl --vacuum-time=duration
journalctl --vacuum-time=2d # retains only logs from the past two days
journalctl --vacuum-size=500M # removes the oldest archived journal files until they use less than 500M
Note: The command was performed successfully, but the execution failed as the regular user wasn't allowed to perform those deletions of the logs from the system. Since I don't want to delete any logs, I am not performing the root user action. You can simply add sudo before the command and complete the command.
To view all kernel messages:
journalctl -k
To view logs in a human-readable format with all fields shown:
journalctl -o verbose
To export logs to a file:
journalctl > file_name.txt
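The export and vacuum commands above fit together as one cleanup step: save the journal to a file first, and delete old entries only if that export succeeded. This is an added example, not part of the original post; the function name export_then_vacuum and its two arguments are hypothetical, and it assumes it is run as root.

```shell
#!/bin/sh
# Added example (not from the original post); names are hypothetical.
# Run as root: reading the whole journal and vacuuming both require it.

# export_then_vacuum OUTFILE KEEP
#   OUTFILE - file that receives the exported journal
#   KEEP    - retention passed to --vacuum-time, e.g. "2d"
export_then_vacuum() {
    outfile=$1
    keep=$2

    if [ -z "$outfile" ] || [ -z "$keep" ]; then
        echo "usage: export_then_vacuum OUTFILE KEEP" >&2
        return 2
    fi

    # Never overwrite an earlier export.
    if [ -e "$outfile" ]; then
        echo "refusing to overwrite $outfile" >&2
        return 1
    fi

    # Logs can contain sensitive data, so create the file owner-only.
    ( umask 077 && journalctl --no-pager > "$outfile" ) || {
        echo "export failed; journal left untouched" >&2
        rm -f "$outfile"
        return 1
    }

    # An empty export usually means missing permissions; do not delete anything.
    if [ ! -s "$outfile" ]; then
        echo "export is empty; journal left untouched" >&2
        rm -f "$outfile"
        return 1
    fi

    # Only now remove journal entries older than KEEP.
    journalctl --vacuum-time="$keep"
}
```

Call it as, for example, export_then_vacuum /root/journal-export.txt 2d (the path here is a placeholder).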
For more commands, see the journalctl man page. With the commands above, you can use journalctl to view error messages and debug issues.
Happy Learning!!