Services Logging With Journald: journalctl

Time: 21 hours 25 minutes
Difficulty: Intermediate
CEU/CPE: 21
Video Transcription
Hey there, Cybrarians, and welcome back to the Linux+ course here at Cybrary. I'm your instructor, Rob Goelz, and in today's lesson we're going to cover logging with journald. Upon completion of today's lesson, you're going to be able to understand the benefits of systemd-journald, we're going to talk about how journald operates, and then we're going to use journalctl to view journal entries.

Systemd has been widely adopted, and it comes with its own logging system. This is known as systemd-journald, or more commonly by the name of the daemon, which is journald. Now, unlike syslog, journald logs everything into a binary file. Each event that gets logged contains metadata info instead of detailed text. Now, journald is beneficial for a few reasons despite the binary complication, and that is because the process of viewing logs is going to be the same on any systemd distribution you go to; you can also query the metadata, like facilities, severity or message; and you can get access to more detailed metadata like the PID or the command that was run. It also integrates with systemd so that any daemon output is saved by default.

Now, journald is configured in /etc/systemd/journald.conf. But the file doesn't have rules necessarily, not like syslog does. It just controls how journald operates. For example, we have a storage option. If it's set to auto, that means that logs are only temporarily stored in a non-persistent location, which is /run/log/journal. Now, when you reboot, that data gets lost. If you want to set that to persistent, you change that there to be persistent instead of auto, and then logs get saved in that binary format in /var/log/journal instead. We can also specify that we want to compress journal files, which is a very good idea, and then we can set up forwarding to syslog. We can also use syslog for two layers of logging, and then syslog can take the information and forward that to a centralized logging system. We can have syslog and journald running and forward logs to a centralized logging system for log analysis and aggregation. If you want a little bit more information about journald, definitely check out the man page, which is linked there at the bottom of this presentation.

Now, we talked about journald storing entries in binary, but how are we going to read it if it's in binary? Well, we use the journalctl command. By default, journalctl will display everything. We're going to want to filter that. There are a few ways you can filter that. One is you can do journalctl -b; that's going to display our boot messages. You can display only kernel messages with journalctl -k. You can run journalctl -u to filter for systemd units. For example, if you wanted to filter for a service, you could do journalctl -u and then specify the service, and then if you want to grep for something, you can use the -g flag, journalctl -g, and then provide a message string that you want to search for. There are a lot of other journalctl options, so definitely, if you're interested, check out the man page that's also noted here at the bottom of this slide.

But with that, we've reached the end of the lesson, and in this lesson we covered the benefits of systemd-journald, a.k.a. journald; we talked about how journald operates and the main configuration file, which is /etc/systemd/journald.conf; and then finally we talked about how to use journalctl to read journal entries. Thanks so much for being here, and I look forward to seeing you in the next lesson.