From the course: Cert Prep LPIC-1 Exam 102 (Version 5.0)

Read the system journal - Linux Tutorial


- [Narrator] The second method of logging data in Enterprise Linux is a service called journald, which is part of systemd. The journal is a binary file stored in slash var slash run, which is a virtual file system in RAM. Everything in this file system disappears on reboot, thus journald by default is not persistent. Because it's in RAM, it also has a fixed size based on the amount of memory the system has. The data in the journal is structured and indexed so it can be accessed very quickly. If persistence is necessary, journald can be made persistent, or even configured to forward journal data to our syslog. This gives us the ability to even send journal data to a remote log server. To view the journal entries, we'll use journalctl. In a terminal, type in journalctl, and hit enter. Typing journalctl without any arguments gives us all of the journal entries. If you wanted to be a bit more specific and only view journal entries from the kernel, we can specify the dash k option. Press q, bring your line back and add a dash k to the end. We can also specify the command we want to show journal entries for. For instance, to show journal entries for the cron service, press q, then type in clear, and then type in journalctl space slash sbin slash crond and hit enter. This will only show journal entries for crond. We can also specify by systemd unit as well. Press q, type in clear, and then type in journalctl, space dash u for unit space crond, which is the systemd unit name, and hit enter again. In a previous video, we followed the messages log file by using tail dash f. We can't use tail dash f to follow the journal since it's binary, but we can use journalctl space dash f. Type in clear. Type in journalctl space dash f and hit enter. This follows the journal just like tail dash f does for regular log files. To make the journal persistent so it survives a reboot, we just need to make a directory and restart the service.
Press control c to stop journalctl, and then type in clear. Now type in sudo space mkdir space slash var slash log slash journal. This'll be the directory the journal is in. Hit enter. Now restart the journald service. Type in sudo space systemctl space restart space systemd dash journald, and hit enter. And now let's look in the directory we just made. Type in ls space dash l space slash var slash log slash journal and hit enter. We should see a directory with a random looking name. This is a unique identifier of our system that was created at OS installation. Now that the journal survives reboots, we can show all events for a different number of reboots. Since we haven't rebooted yet, let's do it now. Type in reboot. After your system boots up, log in and open a terminal. To show entries from our previous reboot, use the dash b option. Type into a terminal journalctl space dash b space dash one and hit enter. We should see the journal entries from the previous session. We can also specify date ranges with journalctl. We can use the dash dash since and dash dash until keywords to specify ranges of dates and times to show. There are even some natural language keywords to make searches easier such as yesterday and one hour ago. In the past, this would have been accomplished by clever grep searches.
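
As an added example (not part of the course transcript), the following shell check reports whether a host's journal will survive a reboot, which matters when logs are needed after an incident. It assumes the `Storage=` semantics documented in journald.conf(5) (default `auto`); the function names and the `ROOT` argument are hypothetical, and only configuration under `/etc/systemd` is read.

```shell
#!/bin/sh
# Added example: report where journald keeps its logs.
# Storage= values per journald.conf(5): auto (default), persistent, volatile, none.
# Simplification (assumption): drop-ins under /usr/lib and /run are not read.

# configured_storage ROOT -> prints the effective Storage= value (default: auto)
configured_storage() {
    root=${1%/}
    value=auto
    for f in "$root/etc/systemd/journald.conf" \
             "$root"/etc/systemd/journald.conf.d/*.conf; do
        [ -f "$f" ] || continue
        # Ignore commented lines; the last Storage= in a file wins,
        # and drop-in files override the main file.
        v=$(sed -n 's/^[[:space:]]*Storage[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$f" | tail -n 1)
        if [ -n "$v" ]; then value=$v; fi
    done
    printf '%s\n' "$value"
}

# journal_storage_mode ROOT -> prints persistent | volatile | none
journal_storage_mode() {
    root=${1%/}
    case $(configured_storage "$root") in
        none)       echo none ;;        # nothing stored; forwarding still works
        volatile)   echo volatile ;;    # RAM only (/run/log/journal), lost on reboot
        persistent) echo persistent ;;  # journald creates /var/log/journal itself
        *)  # auto: persistent only if the directory already exists,
            # which is why the mkdir step above is enough.
            if [ -d "$root/var/log/journal" ]; then
                echo persistent
            else
                echo volatile
            fi ;;
    esac
}

# Check the running system (set JOURNAL_ROOT to inspect a mounted image instead).
journal_storage_mode "${JOURNAL_ROOT:-/}"
```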
