Linux 101 : Syslogd, Journald - logging -

Syslogd gathers log messages coming from different system and user processes.
These logs end up in the different subdirectories of /dev/log

Within Systemd, logging is managed by journald 
and its command journalctl


Syslog can't handle certain types of data, that is the main reason why certain applications like web server generate their own logs.

Journald uses binary file as opposed to syslogd.

Journalctl will give a lot of output by default. We can limit its output by for example only checking the last 10 lines using the below:

We could also use the priority of the logs to fine-tune our filters by using the below priorities:

  • emerg 
  • alert 
  • crit 
  • err 
  • warning 
  • notice 
  • info 
  • debug
To display the latest error logs we could use the below for example:

To display live log messages including the most recent ones, we use:

If we know approximately when an error has occurred, we could trace the cause by displaying logs messages between two periods - 12:00 and 12:05 -:

To keep the logs from filling up our storage, journald sets a limit on how much space logs could use by removing old logs once they reach a set value defined by the journaling  system in the /etc/systemd/journal.conf file.

  • SystemMaxUse 
  • RuntimeMaxUse
The logs in /run/log/journal are deleted once we reboot our system.

We can make these entries persist by following the below steps:


Leave as a comment: