The systemd Journal isn't a single file, but a collection of log entries organized and indexed for efficient searching and retrieval. Each entry includes details like timestamps, log levels, messages, and metadata.
Unlike plain text logs, the Journal uses a space-saving binary format. This data typically resides in a directory structure under /var/log/journal/.
Before diving into the structure, let's clarify some key terms:
- Machine ID: A unique identifier assigned by systemd to each machine, independent of the MAC address.
- System Boot ID: A unique identifier generated for each boot session, helping track logs specific to that session.
- Binary File: A file format computers can directly process, containing program code, data, images, or structured data.
The Journal organizes logs within /var/log/journal/ using subdirectories named after the Machine ID. Inside each Machine ID directory, further subdirectories exist based on System Boot IDs, representing different boot sessions.
Each Boot ID directory holds individual journal files named based on their creation date and time. These files contain binary log entries structured by systemd.
The journalctl command-line tool allows you to view and manage logs from the systemd Journal. You can use various options to filter and display logs:
- View all logs: journalctl
- Filter by service: journalctl -u sshd (shows logs for the 'sshd' service)
- Filter by date/time: journalctl --since yesterday (displays logs since yesterday)
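The same filters can be applied to exported entries during log review. The following is an added example, not part of the original page: it parses lines shaped like journalctl -o json output, filters them by unit, priority and time, and counts entries per boot session through the _BOOT_ID metadata field. The function names are this example's own, and every ID, address and message in the sample is constructed.

```python
import json
from collections import Counter
from datetime import datetime, timezone

# Constructed IDs and entries, shaped like `journalctl -o json` output (one object per line)
MACHINE, BOOT_1, BOOT_2 = "0123456789abcdef0123456789abcdef", "1" * 32, "2" * 32

def _line(ts_us, boot, unit, prio, msg):
    return json.dumps({"__REALTIME_TIMESTAMP": str(ts_us), "_MACHINE_ID": MACHINE,
                       "_BOOT_ID": boot, "_SYSTEMD_UNIT": unit,
                       "PRIORITY": str(prio), "MESSAGE": msg})

SAMPLE = "\n".join([
    _line(1714557600000000, BOOT_1, "sshd.service", 6, "Accepted publickey for alice from 192.0.2.10"),
    _line(1714561200000000, BOOT_1, "cron.service", 6, "(root) CMD (run-parts /etc/cron.hourly)"),
    _line(1714644000000000, BOOT_2, "sshd.service", 6, "Failed password for invalid user admin from 203.0.113.5"),
    _line(1714644060000000, BOOT_2, "sshd.service", 3, "error: maximum authentication attempts exceeded"),
])

def parse_entries(text):
    """Parse JSON lines into dicts and add a UTC datetime under the key 'time'."""
    entries = []
    for line in filter(str.strip, text.splitlines()):
        entry = json.loads(line)
        # __REALTIME_TIMESTAMP is microseconds since the Unix epoch, stored as a string
        entry["time"] = datetime.fromtimestamp(int(entry["__REALTIME_TIMESTAMP"]) / 1e6, tz=timezone.utc)
        entries.append(entry)
    return entries

def filter_entries(entries, unit=None, max_priority=None, since=None):
    """Apply the same kind of filters as journalctl -u, -p and --since."""
    kept = []
    for e in entries:
        if unit is not None and e.get("_SYSTEMD_UNIT") != unit:
            continue
        # Lower PRIORITY numbers are more severe (3 = err, 6 = info)
        if max_priority is not None and int(e.get("PRIORITY", "6")) > max_priority:
            continue
        if since is not None and e["time"] < since:
            continue
        kept.append(e)
    return kept

def count_by_boot(entries):
    """Count entries per boot session using the _BOOT_ID metadata field."""
    return dict(Counter(e["_BOOT_ID"] for e in entries))

if __name__ == "__main__":
    print(count_by_boot(filter_entries(parse_entries(SAMPLE), unit="sshd.service")))
```

To run it on real data, replace SAMPLE with the text produced by journalctl -o json on the host being reviewed.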
Summary:
- Systemd Journal stores logs in a structured, binary format for efficient searching.
- Logs are organized by Machine ID and System Boot ID within the /var/log/journal directory.
- The journalctl command lets you view and manage these logs with various filtering options.