Journalctl - some details missing.

**kitman** · 02-Mar-2021, 03:48

Hi,

Having been recently introduced to Journalctl (ty Jay at Learnlinux TV et al) I have been monitoring /var/log/messages via the CLI with

Code:

sudo journalctl -f -a

This is set to follow the log and show me 'all' entries. This is great as it has helped me sort out a few non-fatal issues as well as learn more how the system works.

However, I am not seeing "all" entries as I would expect. For example, if, as non-sudo since sudo is logged, I run the mpv media play against a file then that is not logged. If I open leafpad and edit/save a file that is not logged. I found that in some cases I have to activate the application's own log file file to capture logs.

I have scanned the man page but nothing is obvious to me about what "all" means. Is what is currently logged in /var/log/messages all there is to work with or are there other system tools (besides app's own log files)?

Thanks.

**hcvv** · 02-Mar-2021, 04:32

I can not inform you about the details, but in general I would expect that with journalctl you see system logs. And a normal user that runs some application is not normally creating much logs on the system level. E.g. what you show as a user that tries to open a file that does not exist, that is simply a user error.

Imagine that all hundreds of users of a system use it extensive, how many logs do you expect then to be created? That would fill all disk space in due time.

And when a user application has the feature of creating logs in a log file (to be used by the user e.g. when he encounters some problem), that file will be in the users realm (somewhere in his/her home directory) and also most probably not in a format that journalctl will understand.

And I assume that "all" in this case means all the log entries that are available are listed, thus no filtering. Logs that are not available will obvious never be listed

**hcvv** · 02-Mar-2021, 04:54

Originally Posted by kitman

This is set to follow the log and show me 'all' entries. This is great as it has helped me sort out a few non-fatal issues as well as learn more how the system works.

I assume you are confused here and think that the -a option means "all entries". This is not the case. Reading

Code:

man journalctl

you will find at the very beginning:

If called without parameters, it will show the full contents of the journal, starting with the oldest entry collected.

Thus it will show "all" by default.

And about the -a option:

-a, --all
Show all fields in full, even if they include unprintable characters or are very long.

which has nothing to do with the selection of entries to be shown.

**karlmistelberger** · 02-Mar-2021, 04:55

Originally Posted by kitman

Hi,

Having been recently introduced to Journalctl (ty Jay at Learnlinux TV et al) I have been monitoring /var/log/messages via the CLI with

Code:

sudo journalctl -f -a

This is set to follow the log and show me 'all' entries. This is great as it has helped me sort out a few non-fatal issues as well as learn more how the system works.

However, I am not seeing "all" entries as I would expect. For example, if, as non-sudo since sudo is logged, I run the mpv media play against a file then that is not logged. If I open leafpad and edit/save a file that is not logged. I found that in some cases I have to activate the application's own log file file to capture logs.

I have scanned the man page but nothing is obvious to me about what "all" means. Is what is currently logged in /var/log/messages all there is to work with or are there other system tools (besides app's own log files)?

Thanks.

Did you tinker with logging? My machine never had /var/log/messages. Everything here goes to /var/log/journal/ See 'man journald.conf'.

**dcurtisfra** · 02-Mar-2021, 10:53

Originally Posted by kitman

Is what is currently logged in /var/log/messages all there is to work with or are there other system tools?

Modern Linux gave up on System V logging more than a few years ago …

Currently, all system (and user) logging is handled by the systemd Journal – located in a subdirectory of ‘/var/log/journal/’ and are directly accessible only be the user “root”.
The only access allowed is via the systemd “journalctl” command – also applies to “normal” (non-system) users …
There are some user logging relics in ‘~/.local/share/’ but, they're often antiquated and unreliable …

The default Journal time stamps displayed by the systemd tools are (accurate) local time – which are usually sufficient for most purposes – with the exception of working out why the system boot isn't as fast as it should be …

**deano_ferrari** · 02-Mar-2021, 14:47

Originally Posted by karlmistelberger

Did you tinker with logging? My machine never had /var/log/messages. Everything here goes to /var/log/journal/ See 'man journald.conf'.

I assume the OP has rsyslog active concurrently. That logs to /var/log/messages by default.

Code:

systemctl status rsyslog

**deano_ferrari** · 02-Mar-2021, 14:52

Originally Posted by dcurtisfra

Modern Linux gave up on System V logging more than a few years ago …

Some well-known non-systemd distros would argue with that statement.

Text-based logging (rsyslog, syslog-ng) still exists for those who want it.

**kitman** · 02-Mar-2021, 21:15

Originally Posted by hcvv

I assume you are confused here and think that the -a option means "all entries". This is not the case. Reading

Code:

man journalctl

you will find at the very beginning:

Thus it will show "all" by default.

And about the -a option:

which has nothing to do with the selection of entries to be shown.

Thanks for the clarification. I read the man page too fast and assumed too much

Originally Posted by karlmistelberger

Did you tinker with logging? My machine never had /var/log/messages. Everything here goes to /var/log/journal/ See 'man journald.conf'.

No, I did not tinker. Rsyslog is set by default on any 15.1 or 15.2 install I have done with LXDE, LXQt and KDE.

Originally Posted by deano_ferrari

I assume the OP has rsyslog active concurrently. That logs to /var/log/messages by default.

Code:

systemctl status rsyslog

Yes.

Code:

chris@asus-roc:~> systemctl status rsyslog
● rsyslog.service - System Logging Service
   Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2021-03-03 07:48:10 AWST; 8min ago
     Docs: man:rsyslogd(8)
           http://www.rsyslog.com/doc/
 Main PID: 1265 (rsyslogd)
    Tasks: 5
   CGroup: /system.slice/rsyslog.service
           └─1265 /usr/sbin/rsyslogd -n -iNONE
chris@asus-roc:~> systemctl status rsyslog
● rsyslog.service - System Logging Service
   Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2021-03-03 07:48:10 AWST; 2h 30min ago
     Docs: man:rsyslogd(8)
           http://www.rsyslog.com/doc/
 Main PID: 1265 (rsyslogd)
    Tasks: 5
   CGroup: /system.slice/rsyslog.service
           └─1265 /usr/sbin/rsyslogd -n -iNONE

I guess I just need to disable rsyslog.service and the binary logs start in either /run/log/journal or /var/log/journal depending on journald.conf Storage setting.

Code:

Storage=
           Controls where to store journal data. One of "volatile", "persistent", "auto" and "none". If "volatile", journal log data will be stored only in memory, i.e.
           below the /run/log/journal hierarchy (which is created if needed). If "persistent", data will be stored preferably on disk, i.e. below the /var/log/journal
           hierarchy (which is created if needed), with a fallback to /run/log/journal (which is created if needed), during early boot and if the disk is not writable.
           "auto" is similar to "persistent" but the directory /var/log/journal is not created if needed, so that its existence controls where log data goes.  "none"
           turns off all storage, all log data received will be dropped. Forwarding to other targets, such as the console, the kernel log buffer, or a syslog socket
           will still work however. Defaults to "auto".

Originally Posted by deano_ferrari

Some well-known non-systemd distros would argue with that statement.

Text-based logging (rsyslog, syslog-ng) still exists for those who want it.

I like BSD too

Now, do I want text based or binary logs?

Thanks all.

**deano_ferrari** · 02-Mar-2021, 21:55

Originally Posted by kitman

I guess I just need to disable rsyslog.service and the binary logs start in either /run/log/journal or /var/log/journal depending on journald.conf Storage setting.

Correct.

I like BSD too

Now, do I want text based or binary logs?

Thanks all.

Choices, choices...

**dcurtisfra** · 03-Mar-2021, 07:37

Originally Posted by kitman

I guess I just need to disable rsyslog.service and the binary logs start in either /run/log/journal or /var/log/journal depending on journald.conf Storage setting.

Not so fast, please.

Also here – fairly new, fresh, Leap 15.2 installation on new hardware –

Code:

 > systemctl list-unit-files | grep -i 'syslog'
rsyslog.service                                                  enabled        
syslog.service                                                   enabled        
syslog.socket                                                    static         
 >

We'll need to check why the syslog services are enabled by default – something is relying on them …

Back soon – please, brew a perfect porcelain cup of tea in a perfect porcelain teapot …