Syslogd gathers log messages coming from different system and user processes.
These logs end up in the different subdirectories of /dev/log.
Within Systemd, logging is managed by journald and its command journalctl.
Syslog can't handle certain types of data, which is the main reason why some applications, such as web servers, generate their own logs.
Journald uses binary files, as opposed to syslogd.
Journalctl produces a lot of output by default. We can limit its output, for example by showing only the last 10 lines, using the below:
We could also use the priority of the logs to fine-tune our filters by using the below priorities:
To display the latest error logs we could use the below for example:
To display live log messages including the most recent ones, we use:
If we know approximately when an error occurred, we can trace the cause by displaying log messages between two points in time, for example 12:00 and 12:05:
To keep the logs from filling up our storage, journald limits how much space logs can use: it removes old logs once they reach a set value defined by the journaling system in the /etc/systemd/journald.conf file.
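The filters described above (last N lines, priority, time window), wrapped in input-checked helper functions. This is an added example, not part of the original page. The function names and the `JOURNALCTL` override variable are hypothetical; `-n`, `-p`, `--since`, `--until` and `--no-pager` are standard journalctl options.

```shell
#!/bin/sh
# Added example: checked wrappers around journalctl filters.
# Function names and the JOURNALCTL override variable are hypothetical.

# Map a syslog priority name or digit to its number (0 = emerg ... 7 = debug).
priority_number() {
    case "$1" in
        emerg) echo 0 ;; alert) echo 1 ;; crit) echo 2 ;; err) echo 3 ;;
        warning) echo 4 ;; notice) echo 5 ;; info) echo 6 ;; debug) echo 7 ;;
        [0-7]) echo "$1" ;;
        *) return 1 ;;
    esac
}

# Shape check only: HH:MM[:SS], optionally preceded by "YYYY-MM-DD ".
# This is a subset of what journalctl accepts; anything else is rejected so
# free-form operator input never reaches the command line.
valid_time() {
    case "$1" in
        [0-2][0-9]:[0-5][0-9]) return 0 ;;
        [0-2][0-9]:[0-5][0-9]:[0-5][0-9]) return 0 ;;
        [0-9][0-9][0-9][0-9]-[01][0-9]-[0-3][0-9]" "[0-2][0-9]:[0-5][0-9]) return 0 ;;
        [0-9][0-9][0-9][0-9]-[01][0-9]-[0-3][0-9]" "[0-2][0-9]:[0-5][0-9]:[0-5][0-9]) return 0 ;;
    esac
    return 1
}

# Entries at PRIORITY or more severe between FROM and TO.
# Usage: journal_window err 12:00 12:05
journal_window() {
    prio=$(priority_number "$1") || { echo "unknown priority: $1" >&2; return 2; }
    valid_time "$2" || { echo "bad start time: $2" >&2; return 2; }
    valid_time "$3" || { echo "bad end time: $3" >&2; return 2; }
    # JOURNALCTL can name a stand-in command for a dry run.
    ${JOURNALCTL:-journalctl} --no-pager -p "$prio" --since "$2" --until "$3"
}

# Last COUNT entries at PRIORITY or more severe.
# Usage: journal_tail err 10
journal_tail() {
    prio=$(priority_number "$1") || { echo "unknown priority: $1" >&2; return 2; }
    case "$2" in ''|*[!0-9]*) echo "bad count: $2" >&2; return 2 ;; esac
    ${JOURNALCTL:-journalctl} --no-pager -p "$prio" -n "$2"
}
```

A single priority passed to `-p` selects that level and every more severe one, so `journal_window err 12:00 12:05` returns levels 0 through 3 for that five-minute window.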
The logs in /run/log/journal are deleted once we reboot our system.
We can make these entries persist by following the below steps: