System Logging in Systemd

Introduces the systemd journal, its configuration, and how to query logs with journalctl.

The systemd journal stores log data in a binary format, making it more efficient than traditional text-based logging systems.

The journal conforms to standard syslog severity codes or priorities to mark the importance of a message, and syslog facilities to describe the subsystems and services that generate messages as defined in RFC 5424. See the systemd-journald.service(8) manual page for more information.

Journal configuration is controlled by editing the /etc/systemd/journald.conf file.

The preferred approach to updating journal configuration is to use systemd drop-in configuration to make changes. See Adding Persistent Journal Storage for an example of creating a drop-in configuration file. Also see the journald.conf(5) manual page for more information about configuration options.

Use journalctl to view and manage system logs.

journalctl is a utility used to query and display log messages from the systemd journal. See Viewing and Filtering Log Messages for more information. You can also use journalctl to manage certain journal runtime behavior. For example, you can use the --disk-usage option to view how much disk space the journal is using. You can also use the --rotate option to force log rotation, and the --vacuum-size or --vacuum-time options to limit how much data is stored in the rotated journal files. See the journalctl(1) manual page for more information.

Viewing and Filtering Log Messages

To view and filter log messages in the journal, you can use the journalctl command.

To view all log messages, run:

journalctl

When run without any options, the journalctl command displays all log messages.

You can also run the journalctl --grep command to return only lines that match a specified string or regular expression.

If the string specified is all in lowercase, the match is treated as case-insensitive. If you need a case-sensitive match on a lowercase string, you can override this behavior with the --case-sensitive option.

You can apply other filters to log messages to limit output by specifying various filtering options, including:

  • -S, --since: Show only lines in the log after a specified date, time, or duration. For example, you can run any of the following commands:
    journalctl --since today
    journalctl --since "1 hour ago"
    journalctl --since "2025-01-15 18:10:20"
  • -U, --until: Show only lines in the log before a specified date, time, or duration. For example, you can run:
    journalctl --until "10 minutes ago"
  • -f, --follow: Follow the journal as it's being updated and display new entries as they're added. Use the Ctrl-c keyboard sequence to exit the log.
  • -n, --lines: Show only the most recent n lines.
  • -b, --boot: Show only the lines from the specified boot. If set to 0, log lines from the most recent boot are shown. If set to -1, log lines from the previous boot are shown. Note that you need persistent storage for journald enabled to retain logs from previous boots. See Adding Persistent Journal Storage.
  • -u, --unit: Filter by unit name. For example, you can run:
    journalctl -u cockpit.socket
    journalctl -u cockpit.service
  • -t, --identifier: Filter by syslog identifier. For example, you can run:
    journalctl -t sudo
  • -p, --priority: Filter by syslog priority. For example, you can run:
    journalctl -p crit
  • -x, --catalog: Include extra explanation texts from the message catalog, if available. These explanations can make log output dense, but can also be helpful in finding resolutions for issues that might appear in the log.

You can combine any of the filtering options to narrow the returned log information to exactly what you need. For example, to see all of systemd's log activity for the current date until an hour ago, and to include explanatory messages, run:

journalctl --since "today" -U "1 hour ago" -t systemd -x

Adding Persistent Journal Storage

Add persistent journal storage if you want log entries to persist across reboots, for greater historical reference and for deeper auditing purposes.

By default, the systemd journal is stored in volatile storage under /run/log/journal.

This storage is wiped at reboot. To create persistent journal storage that's preserved after reboot, create the appropriate directory structure, set the correct permissions, and edit the journald configuration.

  1. Create the persistent storage directory in /var/log/journal.
    sudo mkdir /var/log/journal
  2. Set the appropriate permissions and configure the directory for systemd-journald access.
    sudo systemd-tmpfiles --create --prefix /var/log/journal
  3. Optionally, create a systemd journald drop-in configuration file in /etc/systemd/journald.conf.d/ and set the Storage parameter to persistent.

    Creating a systemd journald drop-in configuration can help make it clearer that the configuration is set to use persistent storage.

    This step is optional because, by default, the storage is set to 'auto' and journald switches to persistent if the /var/log/journal directory exists.

    sudo mkdir -p /etc/systemd/journald.conf.d
    sudo tee /etc/systemd/journald.conf.d/00-storage.conf > /dev/null << EOF
    [Journal]
    Storage=persistent
    EOF
  4. Restart the systemd-journald service and flush the journal to force it to switch from volatile to persistent storage.
    sudo systemctl restart systemd-journald
    sudo journalctl --flush
  5. Validate that the journal has switched to persistent storage.

    You can check the /var/log/journal directory to ensure that it's populated with data.

    sudo ls /var/log/journal

    Also check the journal path that's configured in the journal:

    journalctl -F JOURNAL_PATH
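
The following audit check is an added example, not part of the original procedure: it works out which Storage mode applies from journald.conf, the drop-in files, and the presence of /var/log/journal, using the 'auto' rule described in step 3. The function names and the ROOT prefix argument are hypothetical, and the script assumes that only the configuration under /etc is relevant.

```shell
#!/bin/sh
# ROOT (hypothetical parameter) is a filesystem prefix, so the check can be
# pointed at a mounted image or a test tree; an empty ROOT means the live host.

# Print the last Storage= value set in journald.conf and the /etc drop-ins.
# Assumption: only /etc is read; drop-ins under /run and /usr/lib are ignored.
configured_storage() {
    root=$1
    value=auto    # journald's default when Storage= is not set
    for f in "$root/etc/systemd/journald.conf" \
             "$root"/etc/systemd/journald.conf.d/*.conf; do
        [ -f "$f" ] || continue
        # Commented-out lines (#Storage=...) do not match; spaces around "=" do.
        v=$(sed -n 's/^[[:space:]]*Storage[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*$/\1/p' "$f" | tail -n 1)
        if [ -n "$v" ]; then value=$v; fi   # later files override earlier ones
    done
    printf '%s\n' "$value"
}

# Resolve the configured value to the storage that is actually used:
#   auto       -> persistent only if /var/log/journal exists, else volatile
#   any other  -> reported as configured
effective_storage() {
    root=$1
    mode=$(configured_storage "$root")
    case $mode in
        auto)
            if [ -d "$root/var/log/journal" ]; then echo persistent
            else echo volatile; fi ;;
        persistent|volatile|none) echo "$mode" ;;
        *) echo "unknown($mode)" ;;
    esac
}

# Report for the live host, or for the prefix given as the first argument.
effective_storage "${1:-}"
```

A result of volatile or none means that log entries don't survive a reboot, so they're unavailable for later auditing.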