Log
In Linux, the kernel uses a ring buffer to keep log messages from when the system starts. This buffer has a set size, and when it's full, new messages replace old ones.
The kernel log buffer is important for keeping the system working well and finding issues. User applications have their own ways of logging, which gives a bigger picture of what the whole system is doing.
Also, applications and services made by users can create their own messages. These are usually handled by different logging systems like rsyslog or systemd-journald.
/dev/log
/dev/log is a Unix domain socket that applications use to send logs to a logging daemon such as rsyslog or systemd-journald.
In a Linux system, /dev/log is often a symbolic link to /run/systemd/journal/dev-log:
readlink /dev/log
# /run/systemd/journal/dev-log
ls -l /run/systemd/journal/dev-log
# srw-rw-rw- 1 root root 0 Oct 6 18:09 /run/systemd/journal/dev-log
# s stands for socket
dmesg
The dmesg command is used to display the kernel ring buffer. By default it reads the messages from /dev/kmsg, which provides access to the kernel ring buffer.
dmesg
sudo dmesg --level=emerg,alert,crit,err
journalctl
journalctl is a command-line utility for viewing and querying logs from the systemd journal, a system logging service commonly used in modern Linux distributions.
sudo systemctl restart systemd-journald.service
Command | Description |
---|---|
journalctl | All Collected Logs |
journalctl -k | Kernel Logs |
journalctl -b | Current Boot Logs (Including kernel logs) |
journalctl -r | Show Logs in Reverse Order |
journalctl -f | Live Systemd Logs |
journalctl -b -f | Monitor Boot Logs |
journalctl -b -p err | Boot Logs with priority "err" level |
journalctl -u sshd.service | Unit's Logs |
journalctl -u sshd.service -x | Verbose |
journalctl /usr/bin/firefox | Show logs related to the Firefox executable |
sudo journalctl _PID=20220 | View logs associated with PID 20220 |
journalctl --flush | Flush Journal Logs |
sudo journalctl --flush --vacuum-time=1s | Flush system Logs, Retain Last 1 Second |
sudo journalctl --user --flush --vacuum-time=1s | Flush user Logs, Retain Last 1 Second |
journalctl Configuration
Journald is configured in /etc/systemd/journald.conf. You can change storage location, log size, log rotation, etc.
sudo nano /etc/systemd/journald.conf
[Journal]
Storage=persistent
Compress=yes
SystemMaxUse=100M
Log Level
Log Level refers to the severity or importance of the log messages generated by various components of the system. A lower number means a more severe message.
Priority | Level | Description |
---|---|---|
0 | emerg | System is unusable |
1 | alert | Action must be taken immediately |
2 | crit | Critical conditions |
3 | err | Error conditions |
4 | warning | Warning conditions |
5 | notice | Normal but significant condition |
6 | info | Informational messages |
7 | debug | Debug-level messages |
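The following is an added example, not part of the original page. It decodes raw /dev/kmsg records (the source dmesg reads by default) and keeps only messages at err or worse, using the levels from the table above. The record layout `priority,sequence,timestamp,flags;message` is the kernel's documented /dev/kmsg format; the sample records and the function names are constructed for illustration.

```python
from typing import NamedTuple, Optional

LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

class KmsgRecord(NamedTuple):
    facility: int
    level: str
    seq: int
    usec: int      # monotonic timestamp, microseconds since boot
    message: str

def parse_kmsg(line: str) -> Optional[KmsgRecord]:
    """Parse one /dev/kmsg record: 'pri,seq,usec,flags[,...];message'."""
    if line.startswith(" "):          # continuation line: KEY=value metadata
        return None
    prefix, sep, message = line.rstrip("\n").partition(";")
    fields = prefix.split(",")
    if not sep or len(fields) < 4:    # malformed or truncated record
        return None
    try:
        pri, seq, usec = int(fields[0]), int(fields[1]), int(fields[2])
    except ValueError:
        return None
    # Low 3 bits are the level from the table above; the rest is the facility.
    return KmsgRecord(pri >> 3, LEVELS[pri & 7], seq, usec, message)

def at_least(records, worst="err"):
    """Keep records whose level is `worst` or more severe (lower number)."""
    limit = LEVELS.index(worst)
    return [r for r in records if LEVELS.index(r.level) <= limit]

# Constructed sample records, not captured from a real system.
SAMPLE = """\
6,339,5140900,-;NET: Registered PF_INET6 protocol family
3,340,5141021,-;ata1.00: failed command: READ FPDMA QUEUED
 SUBSYSTEM=scsi
 DEVICE=+scsi:0:0:0:0
30,341,5150000,-;systemd[1]: Started example.service.
2,342,5160000,-;Out of memory: constructed sample line
garbage without a prefix
"""

def load(text):
    return [r for r in map(parse_kmsg, text.splitlines()) if r]

if __name__ == "__main__":
    for r in at_least(load(SAMPLE)):
        print(f"[{r.usec / 1e6:12.6f}] {r.level:<7} {r.message}")
```

The filter matches what `dmesg --level=emerg,alert,crit,err` selects. The record with priority 30 shows a userspace message (facility 3, level info) that was written into the kernel buffer.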
systemd-cat
systemd-cat is a command-line utility that allows you to send logs to the systemd journal.
echo "Hello World" | systemd-cat -t "Hello"
journalctl -t Hello
echo "Hello World" | systemd-cat
journalctl -f
Syslog
Syslog is a standard for recording events in a computer system.
rsyslog
rsyslog is a free and open source syslog implementation.
lastlog
The lastlog command displays the last login times and information for all users on the system.
It provides details such as the username, port, and timestamp of the last login for each user. It reads the /var/log/lastlog binary file to retrieve this information.
lastlog
Username Port From Latest
root **Never logged in**
nobody **Never logged in**
dbus **Never logged in**
bin **Never logged in**
mlibre pts/2 127.0.0.1 Sun Aug 20 22:39:47 +0330 2023