Journal
What is /var/log/journal?
This directory stores persistent system logs collected by systemd-journald. Unlike traditional plain-text logs in /var/log, journal logs are stored in a binary format, allowing for structured, indexed, and queryable logs using the journalctl command.
It captures:
- Kernel logs
- System service logs
- Standard output/error from services
- Boot logs
- User session logs
If /var/log/journal does not exist, logs are stored in memory and lost on reboot. Creating this directory enables persistent logging across reboots.
How to Use It
You can interact with these logs using the journalctl command:
- View all logs:
journalctl
- View logs in reverse (latest first):
journalctl -r
- View logs for a specific service:
journalctl -u nginx.service
- View logs since boot:
journalctl -b
- Check disk usage:
journalctl --disk-usage
- Clear logs older than 2 days:
journalctl --vacuum-time=2d
- Delete the oldest archived logs until the journal is under 500MB:
journalctl --vacuum-size=500M
Retention
Time-Based Retention
You can configure how long logs are kept using the SystemMaxUse, SystemKeepFree, SystemMaxFileSize, and SystemMaxFiles settings in the journald.conf file. However, by default, there is no fixed time limit—logs are retained until disk space limits are reached.
Size-Based Retention
By default, systemd-journald will:
- Keep logs until the journal size exceeds a certain percentage of available disk space (usually around 10% of /var).
- Automatically delete the oldest logs to make room for new ones.
Configuration
You can set retention policies in /etc/systemd/journald.conf.
After editing, restart the service:
sudo systemctl restart systemd-journald
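The retention settings named above can be checked with a short script before logs are needed for an investigation. This is an added example, not part of the original page: `journald_get`, `audit_journald_retention` and `sample_conf` are hypothetical helper names, the sample configuration is constructed, and the script reads one file only (drop-ins under journald.conf.d are not merged). `Storage` and `MaxRetentionSec` are real journald.conf options that the page does not list.

```shell
#!/usr/bin/env bash
# Added example: report the retention-related settings in a journald.conf-style file.

# Print the effective value of KEY in FILE: comments are skipped and the last
# assignment wins. Prints nothing when the key is unset or assigned empty.
journald_get() {
    awk -v key="$2" '
        /^[ \t]*[#;]/ || !/=/ { next }
        {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
            v = substr($0, index($0, "=") + 1);    gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { if (val != "") print val }
    ' "$1"
}

# One line per setting: OK (explicit), INFO (default applies), WARN/FAIL (logs may be lost).
audit_journald_retention() {
    local file="$1" storage key value
    storage=$(journald_get "$file" Storage)
    case "${storage:-auto}" in
        persistent)    echo "OK   Storage=persistent" ;;
        auto)          echo "WARN Storage=auto: persistent only if /var/log/journal exists" ;;
        volatile|none) echo "FAIL Storage=$storage: nothing is kept across reboots" ;;
        *)             echo "WARN Storage=$storage: unrecognised value" ;;
    esac
    for key in SystemMaxUse SystemKeepFree SystemMaxFileSize SystemMaxFiles MaxRetentionSec; do
        value=$(journald_get "$file" "$key")
        if [ -n "$value" ]; then echo "OK   $key=$value"; else echo "INFO $key unset: built-in default applies"; fi
    done
}

# Constructed sample configuration (not taken from the page).
sample_conf() {
    cat <<'EOF'
[Journal]
#Storage=auto
Storage=volatile
SystemMaxUse=1G
SystemMaxUse=500M
SystemKeepFree=2G
EOF
}

conf=$(mktemp) && sample_conf > "$conf" && audit_journald_retention "$conf"; rm -f "$conf"
```

To check a real host, call `audit_journald_retention /etc/systemd/journald.conf`.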