{"id":3876,"date":"2024-02-22T02:17:00","date_gmt":"2024-02-22T07:17:00","guid":{"rendered":"https:\/\/www.both.org\/?p=3876"},"modified":"2025-01-21T06:53:43","modified_gmt":"2025-01-21T11:53:43","slug":"systemd-9-using-systemd-journals-to-troubleshoot-transient-problems","status":"publish","type":"post","link":"https:\/\/www.both.org\/?p=3876","title":{"rendered":"systemd &#8212; #9: Using systemd journals to troubleshoot transient problems"},"content":{"rendered":"<div class=\"pld-like-dislike-wrap pld-template-1\">\r\n    <div class=\"pld-like-wrap  pld-common-wrap\">\r\n    <a href=\"javascript:void(0)\" class=\"pld-like-trigger pld-like-dislike-trigger  \" title=\"\" data-post-id=\"3876\" data-trigger-type=\"like\" data-restriction=\"cookie\" data-already-liked=\"0\">\r\n                        <i class=\"fas fa-thumbs-up\"><\/i>\r\n                <\/a>\r\n    <span class=\"pld-like-count-wrap pld-count-wrap\">    <\/span>\r\n<\/div><\/div>\n<h2 class=\"wp-block-heading\">Find the root cause of hard-to-track errors by diving into your systemd journals.<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\" id=\"using-systemd-journals\">Problem determination can be as much an art as a science, and sometimes, it seems even a little magic can be useful. Everyone has encountered situations where a reported failure could not be reproduced, which is always frustrating for both&nbsp;the user and the system administrator. Even home appliances and automobiles can be obstinate and refuse to fail when the service person shows up.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Anthropomorphism aside, sysadmins have some tools that can show what has been happening in their Linux computers with varying degrees of granularity. There are tools, like top, htop, glances, sar, iotop, tcpdump, traceroute, mtr, iptraf-ng, df, du, and many more, all of which can display various aspects of a host&#8217;s current state, and several of which can produce logs with wide ranges of detail.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">While these tools can be used to find ongoing problems, they are not particularly helpful for transient problems or those with no directly observable symptoms\u2014not observable, at least, until some major and possibly catastrophic problem occurs.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">An important tool I use for problem determination is the system logs\u2014and with systemd, the system journals. The systemd journal is always one of the first tools I turn to when solving a problem, especially the problems that don&#8217;t seem to happen when I am watching. It took me a long time at the beginning of my sysadmin career to realize the wealth of information in the log files, and this discovery greatly improved my speed in resolving problems.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">You have already seen some uses of the <code>journalctl<\/code> command in many of the previous articles in this series. In this article, I explore some details about the systemd journal, how it works, and ways to use <code>journalctl<\/code> to locate and identify problems.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"about-journals\">About journals<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The purpose of any log or journal is to maintain a time-sequenced history of the normal activities of the services and programs that run on a host and to record any errors or warning messages that occur. The log messages used to be maintained in separate files in <code>\/var\/log<\/code>, usually one file for the kernel and separate ones for most of the services running on the host. Unfortunately, the large number of log files could spread&nbsp;out necessary information and delay the discovery of a problem&#8217;s root cause. This could be especially time-consuming when you&#8217;re trying to determine what was happening in a system when an error occurred.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The old <code>\/var\/log\/dmesg<\/code> file was usually used for the kernel, but that file&nbsp;was discontinued several years ago in favor of using the <code>dmesg<\/code> command to display the same information and integrating those messages (and more) into the <code>\/var\/log\/messages<\/code> file. This merger of other logs into the <code>messages<\/code> file helped speed problem determination by keeping much of the data in one file, but there were still many services whose logs were not integrated into the more central <code>messages<\/code> file.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The systemd journal is designed to collect all messages into a single, unified structure that can show a complete picture of everything that happened in a system at and around a specific time or event. Because the events, regardless of the source, are in one place and in time sequence, it is possible to see at a glance everything happening at a specific point or range of times. In my opinion, this is one of the main benefits of systemd journaling.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"about-the-systemd-journal\">About the systemd journal<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The systemd journaling service is implemented by the <code>systemd-journald<\/code> daemon. According to the <a href=\"https:\/\/man7.org\/linux\/man-pages\/man8\/systemd-journald.8.html\" target=\"_blank\" rel=\"noreferrer noopener\"><code>systemd-journald<\/code> man page<\/a>:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\"><em><code>systemd-journald<\/code> is a system service that collects and stores logging data. It creates and maintains structured, indexed journals based on logging information that is received from a variety of sources:<\/em><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><em>Kernel log messages, via <code>kmsg<\/code><\/em><\/li>\n\n\n\n<li><em>Simple system log messages, via the <code>libc syslog(3)<\/code> call<\/em><\/li>\n\n\n\n<li><em>Structured system log messages via the native Journal API, see <code>sd_journal_print(3)<\/code><\/em><\/li>\n\n\n\n<li><em>Standard output and standard error of service units. For further details see below.<\/em><\/li>\n\n\n\n<li><em>Audit records, originating from the kernel audit subsystem<\/em><\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><em>The daemon will implicitly collect numerous metadata fields for each log messages in a secure and unfakeable way. See <code>systemd.journal-fields(7)<\/code> for more information about the collected metadata.<\/em><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><em>Log data collected by the journal is primarily text-based but can also include binary data where necessary. Individual fields making up a log record stored in the journal may be up to 2^64-1 bytes in size.<\/em><\/p>\n<\/blockquote>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"configuration\">Configuration changes<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The systemd journal daemon can be configured using the <code>\/etc\/systemd\/journald.conf<\/code> file. For many hosts, this file does not need any changes because the defaults are quite reasonable. Look at your&nbsp;<code>journald.conf<\/code> file now, if you have not already.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The most common configuration changes you might consider would&nbsp;specify the maximum journal file size, the number of older journal files, and the maximum file-retention times. The primary reason to make those changes would be to reduce the storage space used by the journal if you have a small storage device. In a mission-critical environment, you may also want to reduce the amount of time between syncing journal data stored in RAM memory to the storage device.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The <a href=\"https:\/\/man7.org\/linux\/man-pages\/man5\/journald.conf.5.html\" target=\"_blank\" rel=\"noreferrer noopener\"><code>journald.conf<\/code> man page<\/a> has more details.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"about-the-data-format\">Controversies about the data format<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">One of the controversies surrounding systemd is the binary format in which the journal contents are stored. Some arguments against systemd are based on the systemd journal being stored in a binary format. This would seem to be contrary to the Unix\/Linux philosophy to use ASCII text for data, which is one argument people use to justify their dislike of systemd. For example, <a href=\"https:\/\/en.wikipedia.org\/wiki\/Douglas_McIlroy\" target=\"_blank\" rel=\"noreferrer noopener\">Doug McIlroy<\/a>, the inventor of the pipes, said:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\">&#8220;This is the Unix Philosophy: Write programs that do one thing well. Write programs to work together. Write programs to handle text steams, because that is a universal interface.&#8221; \u2014Doug McIlroy, quoted in Eric S. Raymond&#8217;s book <a href=\"http:\/\/www.catb.org\/esr\/writings\/taoup\/html\/\" target=\"_blank\" rel=\"noreferrer noopener\"><em>The Art of Unix Programming<\/em><\/a><\/p>\n<\/blockquote>\n\n\n\n<p class=\"wp-block-paragraph\">However, these arguments seem to be based on at least a partial misconception because the man page clearly states that the data &#8220;is primarily text-based,&#8221; although it allows for binary data forms. Linux kernel creator Linus Torvalds, who is always clear about his feelings, said:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\">&#8220;I don&#8217;t actually have any particularly strong opinions on systemd itself. I&#8217;ve had issues with some of the core developers that I think are much too cavalier about bugs and compatibility, and I think some of the design details are insane (I dislike the binary logs, for example), but those are details, not big issues.&#8221; \u2014Linus Torvalds, quoted in ZDNet&#8217;s &#8220;<a href=\"https:\/\/www.zdnet.com\/article\/linus-torvalds-and-others-on-linuxs-systemd\/\" target=\"_blank\" rel=\"noreferrer noopener\">Linus Torvalds and others on Linux&#8217;s systemd<\/a>&#8221; in 2014<\/p>\n<\/blockquote>\n\n\n\n<p class=\"wp-block-paragraph\">The systemd journal files are stored in one or more subdirectories of <code>\/var\/log\/journal<\/code>. Log into a test system where you have root access, and make <code>\/var\/log\/journal<\/code> the present working directory (PWD). List the subdirectories there, choose one, and make it the PWD. You can look&nbsp;at these files in a number of ways. I started with the <code>stat<\/code> command (note that the journal file names on your host will be different from mine):<\/p>\n\n\n\n<pre class=\"wp-block-code has-small-font-size\"><code>&#91;root@testvm1 3bccd1140fca488187f8a1439c832f07]# <strong>stat<\/strong> <strong>system@7ed846aadf1743139083681ec4042037-0000000000000001-0005a99c0280fd5f.journal<\/strong>\n  File: system@7ed846aadf1743139083681ec4042037-0000000000000001-0005a99c0280fd5f.journal\n  Size: 8388608         Blocks: 16392      IO Block: 4096   regular file\nDevice: fd04h\/64772d    Inode: 524384      Links: 1\nAccess: (0640\/-rw-r-----)  Uid: (    0\/    root)   Gid: (  190\/systemd-journal)\nAccess: 2020-07-13 08:30:05.764291231 -0400\nModify: 2020-07-04 07:33:52.916001110 -0400\nChange: 2020-07-04 07:33:52.916001110 -0400\n Birth: -\n&#91;root@testvm1 3bccd1140fca488187f8a1439c832f07]#<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">The journal file is identified as a &#8220;regular&#8221; file, which is not especially helpful. The <code>file<\/code> command identifies it as a &#8220;journal&#8221; file, but you already know that. Look inside the file with the <code>dd<\/code> command. The following command sends the output data stream to STDOUT; you may want to pipe it through the <code>less<\/code> pager:<\/p>\n\n\n\n<pre class=\"wp-block-code has-small-font-size\"><code>&#91;root@testvm1 3bccd1140fca488187f8a1439c832f07]# <strong>dd if=system@7ed846aadf1743139083681ec4042037-0000000000000001-0005a99c0280fd5f.journal | less<\/strong>\n&lt;SNIP&gt;\n9\ufffdP1\ufffd8\ufffd\ufffd9_SOURCE_MONOTONIC_TIMESTAMP=191726\ufffd\ufffd\ufffd\/\ufffd\ufffdP\ufffd\ufffd\ufffd\ufffd9MESSAGE=Inode-cache hash table entries: 1048576 (order: 11, 8388608 bytes, linear)\ufffdhx\n9\ufffdP1\ufffdp\ufffd9\ufffd\ufffd\/\ufffd\ufffdP\ufffdb\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd9\ufffd\ufffd9_SOURCE_MONOTONIC_TIMESTAMP=191825\ufffdpdXY\ufffd7p\ufffd9\ufffd\ufffd9MESSAGE=mem auto-init: stack:off, heap alloc:off, heap free:off\ufffdi\ufffd\ufffd\n\ufffd\ufffd(n\ufffdO\ufffd\ufffd\ufffd@Y\ufffd    \ufffd\ufffd\ufffd\ufffd\ufffdZ\u057d\ufffd\ufffd\ufffd82\ufffd\ufffd\ufffd7X\ufffd8\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd8\ufffd\ufffd\u01f1R\ufffd\ufffd\ufffd\ufffd\ufffd8&lt;~B\ufffd4\ufffd&lt;\ufffd \ufffd8tM\u02de8$\ufffd\ufffd\ufffd\ufffd8\ufffd\ufffd\u0416\ufffd\ufffdh9\ufffd&amp;\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd9\ufffd\ufffd\ufffd\ufffd\ufffd`@\ufffd9\ufffdpdXY\ufffd7b\ufffd\u037a\ufffd\ufffdWV\ufffd\ufffd9\ufffd\ufffd9_SOURCE_MONOTONIC_TIM\nESTAMP=234745\ufffd\ufffd\ufffd\ufffd4\ufffdh@\ufffd9\ufffd\ufffd9MESSAGE=Memory: 12598028K\/12963384K available (14339K kernel code, 2406K rwdata, 8164K rodata, 2468K init, 5072K b\nss, 365356K reserved, 0K cma-reserved)\ufffdj\ufffd\ufffd\ufffd\ufffd(n\ufffdO\ufffd\ufffd\ufffd@Y\ufffd  \ufffd\ufffd\ufffd\ufffd]\ufffd\ufffdm\ufffd82\ufffd\ufffd\ufffd7X\ufffd8\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd8\ufffd\ufffd\u01f1R\ufffd\ufffd\ufffd\ufffd\ufffd8&lt;~B\ufffd4\ufffd&lt;\ufffd \ufffd8tM\u02de8$\ufffd\ufffd\ufffd\ufffd8\ufffd\ufffd\u0416\ufffd\ufffdh9\ufffd&amp;\ufffd\ufffd\ufffd\ufffd\ufffd9\ufffd\u037a\ufffd\ufffdWV\ufffd\ufffd9\ufffd\ufffd\ufffd\n4\ufffdhbB\ufffd\ufffd\ufffda\ufffd\ufffd^\ufffd\ufffd9\ufffd\ufffd9_SOURCE_MONOTONIC_TIMESTAMP=234758\ufffd\ufffd3\ufffd\ufffd\ufffd\ufffd\ufffd9\ufffd\ufffd9MESSAGE=random: get_random_u64 called from __kmem_cache_create+0x3e\/0x610 wi\nth crng_init=0\ufffdk\ufffd\ufffd\ufffd(n\ufffdO\ufffd\ufffd\ufffd@Y\ufffd   \ufffd\ufffd\ufffd\ufffdj\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd82\ufffd\ufffd\ufffd7X\ufffd\ufffd8C\ufffdX\ufffdY\"\ufffd\ufffd8\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd8\ufffd\ufffd\u01f1R\ufffd\ufffd\ufffd\ufffd\ufffd8&lt;~B\ufffd4\ufffd&lt;\ufffd \ufffd8tM\u02de8$\ufffd\ufffd\ufffd\ufffd8\ufffd\ufffd\u0416\ufffd\u00e0\ufffd9B\ufffd\ufffd\ufffda\ufffd\ufffd\ufffd9\ufffd3\ufffd\ufffd\ufffdb\ufffd8\ufffd\u022d\ufffd\ufffd\ufffd\ufffd\ufffd9h\ufffd9_SO\ufffd9h\ufffd9MESSAGE=SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=4, Nodes=1\ufffdl\ufffd\ufffd\ufffd\ufffd(n\ufffdO\ufffd\ufffd\ufffd@Y\ufffd  \ufffd\ufffd\ufffd\ufffd\ufffd\ufffdz\ufffd\ufffdX\ufffd82\ufffd\ufffd\ufffd7X\ufffd8\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd8\ufffd\ufffd\u01f1R\ufffd\ufffd\ufffd\ufffd\ufffd8&lt;~B\ufffd4\ufffd&lt;\ufffd \ufffd8tM\u02de\nb\ufffd(+I)\ufffdx\ufffd9\ufffd9_SOURCE_MONOTONIC_TIMESTAMP=235444r\ufffd\ue339%\/p\ufffd\ufffd9\ufffd9MESSAGE=Kernel\/User page tables isolation: enabled\ufffdm\ufffd\ufffd\ufffd\ufffd(n\ufffdO\ufffd\ufffd\ufffd@Y\ufffd     \ufffd\ufffd\ufffd\ufffdk\ufffd\ufffdB0\ufffd\ufffd8\n2\ufffd\ufffd\ufffd7X\ufffd8\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd8\ufffd\ufffd\u01f1R\ufffd\ufffd\ufffd\ufffd\ufffd8&lt;~B\ufffd4\ufffd&lt;\ufffd \ufffd8tM\u02de8$\ufffd\ufffd\ufffd\ufffd8\ufffd\ufffd\u0416\ufffd\ufffdh9\ufffd&amp;\ufffd\ufffd\ufffd\ufffd8\ufffd9\ufffd(+I)\u04a0\ufffd9\ufffd\ue339%\/pb8O{ W\ufffd\ufffd\ufffd8\ufffd9\ufffd\ufffd9_SOURCE_MONOTONIC_TIMESTAMP=235464u\ufffdN`\ufffdFP    M\ufffd\ufffd9\n\ufffd\ufffd9MESSAGE=ftrace: allocating 41361 entries in 162 pages\ufffdn\ufffd\ufffd\ufffd\ufffd(n\ufffdO\ufffd\ufffd\ufffd@Y\ufffd\n&lt;SNIP&gt;<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Even this small portion of the data stream from the <code>dd<\/code> command shows an interesting mixture of ASCII text and binary data. Another useful tool is the <code>strings<\/code> command, which simply displays all the ASCII text strings contained in a file and ignores the binary data:<\/p>\n\n\n\n<pre class=\"wp-block-code has-small-font-size\"><code>&#91;root@testvm1 3bccd1140fca488187f8a1439c832f07]# <strong>strings system@7ed846aadf1743139083681ec4042037-0000000000000001-0005a99c0280fd5f.journal<\/strong>\n&lt;SNIP&gt;\nMESSAGE=Linux version 5.7.6-201.fc32.x86_64 (mockbuild@bkernel01.iad2.fedoraproject.org) (gcc version 10.1.1 20200507 (Red Hat 10.1.1-1) (GC\nC), GNU ld version 2.34-3.fc32) #1 SMP Mon Jun 29 15:15:52 UTC 2020\nMESSAGE\n_BOOT_ID=6e944f99ebd9405984090f829a927fa4\n_BOOT_ID\n_MACHINE_ID=3bccd1140fca488187f8a1439c832f07\n_MACHINE_ID\n_HOSTNAME=testvm1.both.org\n_HOSTNAME\nPRIORITY=6\nMESSAGE=Command line: BOOT_IMAGE=(hd0,msdos1)\/vmlinuz-5.7.6-201.fc32.x86_64 root=\/dev\/mapper\/VG01-root ro resume=\/dev\/mapper\/VG01-swap rd.lv\nm.lv=VG01\/root rd.lvm.lv=VG01\/swap rd.lvm.lv=VG01\/usr selinux=0\nMESSAGE=x86\/fpu: Supporting XSAVE feature 0x001: 'x87 floating point registers'\nMESSAGE=x86\/fpu: Supporting XSAVE feature 0x002: 'SSE registers'\nMESSAGE=x86\/fpu: Supporting XSAVE feature 0x004: 'AVX registers'\nZ_g3;\nMESSAGE=x86\/fpu: xstate_offset&#91;2]:  576, xstate_sizes&#91;2]:  256\nZ_g3;\nMESSAGE=x86\/fpu: Enabled xstate features 0x7, context size is 832 bytes, using 'standard' format.\nMESSAGE=BIOS-provided physical RAM map:\n`k2X\nMESSAGE=BIOS-e820: &#91;mem 0x0000000000000000-0x000000000009fbff] usable\nMESSAGE=BIOS-e820: &#91;mem 0x000000000009fc00-0x000000000009ffff] reserved\nMESSAGE=BIOS-e820: &#91;mem 0x00000000000f0000-0x00000000000fffff] reserved\nPyLM\nMESSAGE=BIOS-e820: &#91;mem 0x0000000000100000-0x00000000dffeffff] usable\nMESSAGE=BIOS-e820: &#91;mem 0x00000000dfff0000-0x00000000dfffffff] ACPI data\nMESSAGE=BIOS-e820: &#91;mem 0x00000000fec00000-0x00000000fec00fff] reserved\nMESSAGE=BIOS-e820: &#91;mem 0x00000000fee00000-0x00000000fee00fff] reserved\nMESSAGE=BIOS-e820: &#91;mem 0x00000000fffc0000-0x00000000ffffffff] reserved\nMESSAGE=BIOS-e820: &#91;mem 0x0000000100000000-0x00000003373fffff] usable\n&lt;SNIP&gt;<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">This data can be interpreted by humans, and this particular segment looks very similar to the output data stream from the <code>dmesg<\/code> command. I&#8217;ll leave you to explore further on your own, but my conclusion is that the journal files are clearly a mixture of binary and ASCII text. That mix makes it cumbersome to use traditional text-based Linux tools to extract usable data. But there is a better way that provides many possibilities for extracting and viewing journal data.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"about-journalctl\">About journalctl<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The <code>journalctl<\/code> command is designed to extract usable information from the systemd journals using powerful and flexible criteria for identifying the desired data. Previous articles in this series have described <code>journalctl<\/code>, and there is more to know.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">I&#8217;ll review a bit first and start with some basics in case you have not read the previous articles or just need a refresher.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">You can use the <code>journalctl<\/code> command without any options or arguments to view the systemd journal that contains all journal and log information:<\/p>\n\n\n\n<pre class=\"wp-block-code has-small-font-size\"><code>&#91;root@testvm1 ~]# <strong>journalctl<\/strong>\n-- Logs begin at Mon 2020-06-08 07:47:20 EDT, end at Thu 2020-07-16 10:30:43 EDT. --\nJun 08 07:47:20 testvm1.both.org kernel: Linux version 5.6.6-300.fc32.x86_64 (mockbuild@bkernel03.phx2.fedoraproject.org) (gcc version 10.0&gt;\nJun 08 07:47:20 testvm1.both.org kernel: Command line: BOOT_IMAGE=(hd0,msdos1)\/vmlinuz-5.6.6-300.fc32.x86_64 root=\/dev\/mapper\/VG01-root ro &gt;\nJun 08 07:47:20 testvm1.both.org kernel: x86\/fpu: Supporting XSAVE feature 0x001: 'x87 floating point registers'\nJun 08 07:47:20 testvm1.both.org kernel: x86\/fpu: Supporting XSAVE feature 0x002: 'SSE registers'\nJun 08 07:47:20 testvm1.both.org kernel: x86\/fpu: Supporting XSAVE feature 0x004: 'AVX registers'\nJun 08 07:47:20 testvm1.both.org kernel: x86\/fpu: xstate_offset&#91;2]:  576, xstate_sizes&#91;2]:  256\nJun 08 07:47:20 testvm1.both.org kernel: x86\/fpu: Enabled xstate features 0x7, context size is 832 bytes, using 'standard' format.\nJun 08 07:47:20 testvm1.both.org kernel: BIOS-provided physical RAM map:\nJun 08 07:47:20 testvm1.both.org kernel: BIOS-e820: &#91;mem 0x0000000000000000-0x000000000009fbff] usable\n&lt;SNIP&gt;\nJul 16 09:51:00 testvm1.both.org NetworkManager&#91;760]: &lt;info&gt;  &#91;1594907460.1765] dhcp4 (enp0s3): option requested_routers    =&gt; '1'\nJul 16 09:51:00 testvm1.both.org NetworkManager&#91;760]: &lt;info&gt;  &#91;1594907460.1765] dhcp4 (enp0s3): option requested_static_routes =&gt; '1'\nJul 16 09:51:00 testvm1.both.org NetworkManager&#91;760]: &lt;info&gt;  &#91;1594907460.1765] dhcp4 (enp0s3): option requested_subnet_mask =&gt; '1'\nJul 16 09:51:00 testvm1.both.org NetworkManager&#91;760]: &lt;info&gt;  &#91;1594907460.1765] dhcp4 (enp0s3): option requested_time_offset =&gt; '1'\nJul 16 09:51:00 testvm1.both.org NetworkManager&#91;760]: &lt;info&gt;  &#91;1594907460.1766] dhcp4 (enp0s3): option requested_wpad       =&gt; '1'\nJul 16 09:51:00 testvm1.both.org NetworkManager&#91;760]: &lt;info&gt;  &#91;1594907460.1766] dhcp4 (enp0s3): option routers              =&gt; '192.168.0.2&gt;\nJul 16 09:51:00 testvm1.both.org NetworkManager&#91;760]: &lt;info&gt;  &#91;1594907460.1766] dhcp4 (enp0s3): option subnet_mask          =&gt; '255.255.255&gt;\nJul 16 09:51:00 testvm1.both.org NetworkManager&#91;760]: &lt;info&gt;  &#91;1594907460.1766] dhcp4 (enp0s3): state changed extended -&gt; extended\nJul 16 09:51:00 testvm1.both.org systemd&#91;1]: Starting Network Manager Script Dispatcher Service...\nJul 16 09:51:00 testvm1.both.org systemd&#91;1]: Started Network Manager Script Dispatcher Service.\nJul 16 09:51:00 testvm1.both.org audit&#91;1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=NetworkManager-dispatcher com&gt;\nJul 16 09:51:10 testvm1.both.org systemd&#91;1]: NetworkManager-dispatcher.service: Succeeded.\nJul 16 09:51:10 testvm1.both.org audit&#91;1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=NetworkManager-dispatcher comm&gt;\nJul 16 09:59:13 testvm1.both.org systemd&#91;1]: Starting dnf makecache...\nJul 16 09:59:13 testvm1.both.org audit&#91;1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=dnf-makecache comm=\"systemd\" &gt;\nJul 16 09:59:13 testvm1.both.org audit&#91;1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=dnf-makecache comm=\"systemd\" e&gt;\nJul 16 09:59:13 testvm1.both.org systemd&#91;1]: dnf-makecache.service: Succeeded.\nJul 16 09:59:13 testvm1.both.org systemd&#91;1]: Finished dnf makecache.\nJul 16 09:59:14 testvm1.both.org dnf&#91;378549]: Metadata cache refreshed recently.\nJul 16 10:00:42 testvm1.both.org systemd&#91;1]: Starting system activity accounting tool...\nJul 16 10:00:42 testvm1.both.org systemd&#91;1]: sysstat-collect.service: Succeeded.\nJul 16 10:00:42 testvm1.both.org audit&#91;1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=sysstat-collect comm=\"systemd&gt;\nJul 16 10:00:42 testvm1.both.org systemd&#91;1]: Finished system activity accounting tool.\nJul 16 10:00:42 testvm1.both.org audit&#91;1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=sysstat-collect comm=\"systemd\"&gt;\nJul 16 10:01:01 testvm1.both.org CROND&#91;378562]: (root) CMD (run-parts \/etc\/cron.hourly)\nJul 16 10:01:01 testvm1.both.org run-parts&#91;378565]: (\/etc\/cron.hourly) starting 0anacron\nJul 16 10:01:01 testvm1.both.org run-parts&#91;378571]: (\/etc\/cron.hourly) finished 0anacron<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">You can also explicitly show the same data the <code>dmesg<\/code> command presents. Open two terminal sessions next to each other and issue the <code>dmesg<\/code> command in one and the following command in the other.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91;root@testvm1 ~]# <strong>journalctl --dmesg<\/strong><\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">The only difference you should see is the time format. By default the <code>dmesg<\/code> command data stream is in a monotonic format that shows the number of seconds since the system boot. The <code>journalctl<\/code> output is in a date and time format. The short-monotonic option displays the time since boot.<\/p>\n\n\n\n<pre class=\"wp-block-code has-small-font-size\"><code>&#91;root@testvm1 ~]# <strong>journalctl --dmesg -o short-monotonic<\/strong>\n-- Logs begin at Mon 2020-06-08 07:47:20 EDT, end at Mon 2020-07-20 13:01:01 EDT. --\n&#91;    0.000000] testvm1.both.org kernel: Linux version 5.7.6-201.fc32.x86_64 (mockbuild@bkernel01.iad2.fedoraproject.org) (gcc version 10.1.&gt;\n&#91;    0.000000] testvm1.both.org kernel: Command line: BOOT_IMAGE=(hd0,msdos1)\/vmlinuz-5.7.6-201.fc32.x86_64 root=\/dev\/mapper\/VG01-root ro r&gt;\n&#91;    0.000000] testvm1.both.org kernel: x86\/fpu: Supporting XSAVE feature 0x001: 'x87 floating point registers'\n&#91;    0.000000] testvm1.both.org kernel: x86\/fpu: Supporting XSAVE feature 0x002: 'SSE registers'\n&#91;    0.000000] testvm1.both.org kernel: x86\/fpu: Supporting XSAVE feature 0x004: 'AVX registers'\n&#91;    0.000000] testvm1.both.org kernel: x86\/fpu: xstate_offset&#91;2]:  576, xstate_sizes&#91;2]:  256\n&#91;    0.000000] testvm1.both.org kernel: x86\/fpu: Enabled xstate features 0x7, context size is 832 bytes, using 'standard' format.\n&lt;snip&gt;\n&#91;    0.000002] testvm1.both.org kernel: clocksource: kvm-clock: mask: 0xffffffffffffffff max_cycles: 0x1cd42e4dffb, max_idle_ns: 8815905914&gt;\n&#91;    0.000005] testvm1.both.org kernel: tsc: Detected 2807.988 MHz processor\n&#91;    0.001157] testvm1.both.org kernel: e820: update &#91;mem 0x00000000-0x00000fff] usable ==&gt; reserved\n&#91;    0.001159] testvm1.both.org kernel: e820: remove &#91;mem 0x000a0000-0x000fffff] usable\n&#91;    0.001162] testvm1.both.org kernel: last_pfn = 0x24ec00 max_arch_pfn = 0x400000000\n&#91;    0.001172] testvm1.both.org kernel: MTRR default type: uncachable\n&#91;    0.001173] testvm1.both.org kernel: MTRR variable ranges disabled:\n&#91;    0.001173] testvm1.both.org kernel: Disabled\n&#91;    0.001174] testvm1.both.org kernel: x86\/PAT: MTRRs disabled, skipping PAT initialization too.\n&#91;    0.001176] testvm1.both.org kernel: CPU MTRRs all blank - virtualized system.\n&#91;    0.001179] testvm1.both.org kernel: x86\/PAT: Configuration &#91;0-7]: WB  WT  UC- UC  WB  WT  UC- UC  \n&#91;    0.001182] testvm1.both.org kernel: last_pfn = 0xdfff0 max_arch_pfn = 0x400000000\n&#91;    0.001238] testvm1.both.org kernel: found SMP MP-table at &#91;mem 0x0009fff0-0x0009ffff]\n&#91;    0.081068] testvm1.both.org kernel: RAMDISK: &#91;mem 0x34194000-0x360c1fff]\n&#91;    0.081088] testvm1.both.org kernel: ACPI: Early table checksum verification disabled\n&lt;snip&gt;\n&#91;   34.037575] testvm1.both.org kernel: 16:43:32.734466 main     6.1.10_Fedora r138449 started. Verbose level = 0\n&#91;   34.042209] testvm1.both.org kernel: 16:43:32.739032 main     vbglR3GuestCtrlDetectPeekGetCancelSupport: Supported (#1)\n&#91;   55.746944] testvm1.both.org kernel: e1000: enp0s3 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX\n&#91;   55.747738] testvm1.both.org kernel: IPv6: ADDRCONF(NETDEV_CHANGE): enp0s3: link becomes ready\n&lt;snip&gt;\nlines 624-681\/681 (END)<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">The <code>journalctl<\/code> command has many options, including the <code>-o<\/code> (output) option with several suboptions that allow you to select a time and date format that meets different sets of requirements. I have listed most of them below, along with a short description that I expanded or modified from the <code>journalctl<\/code> man page. Note that the primary difference between most of these is the format of the date and time, and the other information remains the same.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">journalctl time and date formats<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>short:<\/strong>&nbsp;This is the default format and generates an output that is most closely like the formatting of classic syslog files, showing one line per journal entry. This option shows journal metadata including the date and time, the fully qualified hostname, and the unit name such as the kernel, DHCP, etc.<br><code>Jul 20 08:43:01 testvm1.both.org kernel: Inode-cache hash table entries: 1048576 (order: 11, 8388608 bytes, linear)<\/code><\/li>\n\n\n\n<li><strong>short-full:&nbsp;<\/strong>This format is very similar to the default&nbsp;but shows timestamps in the format the <code>--since=<\/code> and <code>--until=<\/code> options accept. Unlike the timestamp information shown in short output mode, this mode includes weekday, year, and timezone information in the output and is locale-independent.<br><code>Mon 2020-06-08 07:47:20 EDT testvm1.both.org kernel: x86\/fpu: Supporting XSAVE feature 0x004: 'AVX registers'<\/code><\/li>\n\n\n\n<li><strong>short-iso:<\/strong>&nbsp;The short-iso format is very similar to the default, but shows ISO 8601 wallclock timestamps.<br><code>2020-06-08T07:47:20-0400 testvm1.both.org kernel: kvm-clock: Using msrs 4b564d01 and 4b564d00<\/code><\/li>\n\n\n\n<li><strong>short-iso-precise:<\/strong>This format is the same as short-iso but includes full microsecond precision.<br><code>2020-06-08T07:47:20.223738-0400 testvm1.both.org kernel: Booting paravirtualized kernel on KVM<\/code><\/li>\n\n\n\n<li><strong>short-monotonic:<\/strong>Very similar to the default but shows monotonic timestamps instead of wallclock timestamps.<br><code>[ &nbsp; &nbsp;2.091107] testvm1.both.org kernel: ata1.00: ATA-6: VBOX HARDDISK, 1.0, max UDMA\/133<\/code><\/li>\n\n\n\n<li><strong>short-precise:&nbsp;<\/strong>This format is also similar to the default but shows classic syslog timestamps with full microsecond precision.<br><code>Jun 08 07:47:20.223052 testvm1.both.org kernel: BIOS-e820: [mem 0x000000000009fc00-0x000000000009ffff] reserved<\/code><\/li>\n\n\n\n<li><strong>short-unix:&nbsp;<\/strong>Like the default, but shows seconds passed since January 1, 1970, UTC instead of wallclock timestamps (&#8220;Unix time&#8221;). The time is shown with microsecond accuracy.<br><code>1591616840.232165 testvm1.both.org kernel: tcp_listen_portaddr_hash hash table entries: 8192<\/code><\/li>\n\n\n\n<li><strong>cat:<\/strong>&nbsp;Generates a very terse output only showing the message of each journal entry with no metadata, not even a timestamp.<br><code>ohci-pci 0000:00:06.0: irq 22, io mem 0xf0804000<\/code><\/li>\n\n\n\n<li><strong>verbose:<\/strong>&nbsp;This format shows the full data structure for all the entry items with all fields. This is the format option that is most different from all the others.<br><code>Mon 2020-06-08 07:47:20.222969 EDT [s=d52ddc9f3e8f434b9b9411be2ea50b1e;i=1;b=dcb6dcc0658e4a8d8c781c21a2c6360d;m=242d7f;t=5a7912c6148f9;x=8f&gt; _SOURCE_MONOTONIC_TIMESTAMP=0 _TRANSPORT=kernel PRIORITY=5 SYSLOG_FACILITY=0 SYSLOG_IDENTIFIER=kernel MESSAGE=Linux version 5.6.6-300.fc32.x86_64 (mockbuild@bkernel03.phx2.fedoraproject.org) (gcc version 10.0.1 20200328 (Red Hat 10.0.1-0&gt; _BOOT_ID=dcb6dcc0658e4a8d8c781c21a2c6360d _MACHINE_ID=3bccd1140fca488187f8a1439c832f07 _HOSTNAME=testvm1.both.org<\/code><\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Other choices, available with the <code>-o<\/code> option, allow exporting the data in various formats such as binary or JSON. I also find the <code>-x<\/code> option illuminating because it can show additional explanatory messages for some journal entries. If you try this option, be aware that it can greatly increase the output data stream. For example, the additional information for an entry like:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91;    4.503737] testvm1.both.org systemd&#91;1]: Starting File System Check on \/dev\/mapper\/VG01-root...\n&#91;    4.691555] testvm1.both.org systemd-fsck&#91;548]: root: clean, 1813\/327680 files, 48555\/1310720 blocks\n&#91;    4.933065] testvm1.both.org systemd&#91;1]: Finished File System Check on \/dev\/mapper\/VG01-root.<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">expands to this:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91;    4.503737] testvm1.both.org systemd&#91;1]: Starting File System Check on \/dev\/mapper\/VG01-root...\n-- Subject: A start job for unit systemd-fsck-root.service has begun execution\n-- Defined-By: systemd\n-- Support: https:\/\/lists.freedesktop.org\/mailman\/listinfo\/systemd-devel\n-- \n-- A start job for unit systemd-fsck-root.service has begun execution.\n-- \n-- The job identifier is 36.\n&#91;    4.691555] testvm1.both.org systemd-fsck&#91;548]: root: clean, 1813\/327680 files, 48555\/1310720 blocks\n&#91;    4.933065] testvm1.both.org systemd&#91;1]: Finished File System Check on \/dev\/mapper\/VG01-root.\n-- Subject: A start job for unit systemd-fsck-root.service has finished successfully\n-- Defined-By: systemd\n-- Support: https:\/\/lists.freedesktop.org\/mailman\/listinfo\/systemd-devel\n-- \n-- A start job for unit systemd-fsck-root.service has finished successfully.\n-- \n-- The job identifier is 36<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">There is some new information here, but I think the main benefit is that the information is contextualized to clarify the original terse messages to some degree.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"narrowing-the-search\">Narrowing the search<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Most of the time, it is not necessary or even desirable to list all the journal entries and manually search through them. Sometimes I look for entries related to a specific service, and other times I look for entries that happened at specific times. The <code>journalctl<\/code> command provides powerful options that allow you to see only the data you are interested in finding.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Start with the <code>--list-boots<\/code> option, which lists all the boots during the time period when journal entries exist. Note that the <code>journalctl.conf<\/code> file may specify that journal entries are discarded after they reach a certain age or after the storage device (HDD\/SSD) space taken by the journals reaches a specified maximum amount:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91;root@testvm1 ~]# <strong>journalctl --list-boots <\/strong>\n-10 dcb6dcc0658e4a8d8c781c21a2c6360d Mon 2020-06-08 07:47:20 EDT\u2014Mon 2020-06-08 07:53:05 EDT\n -9 7d61951a85f445c5946774aaae8bc2a4 Fri 2020-07-03 15:50:06 EDT\u2014Fri 2020-07-03 18:21:23 EDT\n -8 1b3a847577e544b4a2679fe576b62206 Fri 2020-07-03 18:21:58 EDT\u2014Fri 2020-07-03 22:10:54 EDT\n -7 5fef01a3568743af99118107ca6f61ae Fri 2020-07-03 22:18:41 EDT\u2014Sat 2020-07-04 06:50:19 EDT\n -6 6e944f99ebd9405984090f829a927fa4 Sat 2020-07-04 07:33:25 EDT\u2014Sat 2020-07-04 07:58:59 EDT\n -5 ec8b0c81ca4744b1bad071bdef432959 Sat 2020-07-04 08:12:06 EDT\u2014Sat 2020-07-04 09:12:47 EDT\n -4 cb173ec716824e21b87ccf6cb43a9a99 Sat 2020-07-04 10:19:53 EDT\u2014Sat 2020-07-04 11:31:03 EDT\n -3 4fe354a893194409843aa9623a36dbb0 Sat 2020-07-04 07:59:58 EDT\u2014Sun 2020-07-05 09:39:30 EDT\n -2 06fb81f1b29e4f68af9860844668446c Mon 2020-07-06 06:27:05 EDT\u2014Mon 2020-07-13 08:50:06 EDT\n -1 33dbf8e6b9de4113a591c4f487d0ac37 Mon 2020-07-13 04:50:33 EDT\u2014Thu 2020-07-16 13:49:32 EDT\n  0 75c9b70913934748b5396b3b172bee50 Mon 2020-07-20 08:43:01 EDT\u2014Fri 2020-07-24 12:44:06 EDT<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">The most recent boot ID appears at the bottom; it is the long, random hex number. You can use this data to view the journals for a specific boot. This can be specified using the boot offset number in the left-most column or the UUID in the second column. This command displays the journal for the boot instance with the offset of <code>-2<\/code>\u2014the second previous boot from the current one:<\/p>\n\n\n\n<pre class=\"wp-block-code has-small-font-size\"><code>&#91;root@testvm1 ~]# <strong>journalctl -b -2<\/strong>\n-- Logs begin at Mon 2020-06-08 07:47:20 EDT, end at Fri 2020-07-24 12:44:06 EDT. --\nJul 06 06:27:05 testvm1.both.org kernel: Linux version 5.7.6-201.fc32.x86_64 (mockbuild@bkernel01.iad2.fedoraproject.org) (gcc version 10.1&gt;\nJul 06 06:27:05 testvm1.both.org kernel: Command line: BOOT_IMAGE=(hd0,msdos1)\/vmlinuz-5.7.6-201.fc32.x86_64 root=\/dev\/mapper\/VG01-root ro &gt;\nJul 06 06:27:05 testvm1.both.org kernel: x86\/fpu: Supporting XSAVE feature 0x001: 'x87 floating point registers'\nJul 06 06:27:05 testvm1.both.org kernel: x86\/fpu: Supporting XSAVE feature 0x002: 'SSE registers'\n&lt;SNIP&gt;<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Or you could use the UUID for the desired boot. The offset numbers change after each boot, but the UUID does not:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91;root@testvm1 ~]# <strong>journalctl -b 06fb81f1b29e4f68af9860844668446c<\/strong><\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">The <code>-u<\/code> option allows you to select specific units to examine. You can use a unit name or a pattern for matching, and you can use this option multiple times to match multiple units or patterns. In this example, I used it in combination with <code>-b<\/code> to show chronyd journal entries for the current boot:<\/p>\n\n\n\n<pre class=\"wp-block-code has-small-font-size\"><code>&#91;root@testvm1 ~]# <strong>journalctl -u chronyd -b<\/strong>\n-- Logs begin at Mon 2020-06-08 07:47:20 EDT, end at Sun 2020-07-26 09:10:47 EDT. --\nJul 20 12:43:31 testvm1.both.org systemd&#91;1]: Starting NTP client\/server...\nJul 20 12:43:31 testvm1.both.org chronyd&#91;811]: chronyd version 3.5 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SIGND +ASYNCD&gt;\nJul 20 12:43:31 testvm1.both.org chronyd&#91;811]: Frequency -0.021 +\/- 0.560 ppm read from \/var\/lib\/chrony\/drift\nJul 20 12:43:31 testvm1.both.org chronyd&#91;811]: Using right\/UTC timezone to obtain leap second data\nJul 20 12:43:31 testvm1.both.org systemd&#91;1]: Started NTP client\/server.\nJul 20 12:44:00 testvm1.both.org chronyd&#91;811]: Selected source 192.168.0.52\nJul 20 12:44:00 testvm1.both.org chronyd&#91;811]: System clock TAI offset set to 37 seconds\nJul 20 12:44:00 testvm1.both.org chronyd&#91;811]: System clock wrong by 1.412227 seconds, adjustment started\nJul 20 12:44:01 testvm1.both.org chronyd&#91;811]: System clock was stepped by 1.412227 seconds\n&#91;root@testvm1 ~]#<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Suppose you want to look at events that were recorded between two arbitrary times. You can also use <code>-S<\/code> (<code>--since<\/code>) and <code>-U<\/code> (<code>--until<\/code>) to specify the beginning and ending times. The following command displays journal entries starting at 15:36:00 on July 24, 2020, through the current time:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91;root@testvm1 ~]# <strong>journalctl -S \"2020-07-24 15:36:00\"<\/strong><\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">And this command displays all journal entries starting at 15:36:00 on July 24, 2020, until 16:00:00 on July 25:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91;root@testvm1 ~]# <strong>journalctl -S \"2020-07-24 15:36:00\" -U \"2020-07-25 16:00:00\"<\/strong><\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">This command combines <code>-S<\/code>, <code>-U<\/code>, and <code>-u<\/code> to give journal entries for the NetworkManager service unit starting at 15:36:00 on July 24, 2020, until 16:00:00 on July 25:<\/p>\n\n\n\n<pre class=\"wp-block-code has-small-font-size\"><code>&#91;root@testvm1 ~]# <strong>journalctl -S \"2020-07-24 15:36:00\" -U \"2020-07-25 16:00:00\" -u NetworkManager<\/strong><\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Some syslog facilities, such as cron, auth, mail, daemon, user, and more, can be viewed with the <code>--facility<\/code> option. You can use <code>--facility=help<\/code> to list the available facilities. In this example, the mail facility is not the Sendmail service that would be used for an email service, but the local client used by Linux to send email to root as event notifications. Sendmail actually has two parts, the server, which (for Fedora and related distributions) is not installed by default, and the client, which is always installed so that it can be used to deliver system emails to local recipients, especially root:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91;root@testvm1 ~]# journalctl --facility=mail<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">The <code>journalctl<\/code> man page lists all the options that can be used to narrow searches. The table below summarizes some of the options I use most frequently. Most of these options can be used in various combinations to further narrow a search. Refer to my previous article <a href=\"https:\/\/opensource.com\/article\/20\/7\/systemd-calendar-timespans\"><em>Analyzing systemd calendar and timespans<\/em><\/a> for details on creating and testing timestamps, as well as important tips like using quotes around timestamps.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Options to narrow searches of the journal<\/h3>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th>Option<\/th><th>Description<\/th><\/tr><\/thead><tbody><tr><td><code>--list-boots<\/code><\/td><td>This displays a list of boots. The information can be used to show journal entries only for a particular boot.<\/td><\/tr><tr><td><code>-b [offset|boot ID]<\/code><\/td><td>This specifies which boot to display information for. It includes all journal entries from that boot through shutdown or reboot.<\/td><\/tr><tr><td><code>--facility=[facility name]<\/code><\/td><td>This specifies the facility names as they&#8217;re known to syslog. Use <code>--facility=help<\/code> to list the valid facility names.<\/td><\/tr><tr><td><code>-k<\/code>, <code>--dmesg<\/code><\/td><td>These display only kernel messages and are equivalent to using the <code>dmesg<\/code> command.<\/td><\/tr><tr><td><code>-S<\/code>, <code>--since [timestamp]<\/code><\/td><td>These show all journal entries since (after) the specified time. They can be used with <code>--until<\/code>&nbsp;to display an arbitrary range of time. Fuzzy times such as &#8220;yesterday&#8221; and &#8220;2 hours ago&#8221;\u2014with quotes\u2014are also allowed.<\/td><\/tr><tr><td><code>-u [unit name]<\/code><\/td><td>The <code>-u<\/code> option allows you to select specific units to examine. You can use a unit name or a pattern for matching. This option can be used multiple times to match multiple units or patterns.&nbsp;<\/td><\/tr><tr><td><code>-U<\/code>, <code>--until [timestamp]<\/code><\/td><td>These show all journal entries until (prior to) the specified time. They can be used with <code>--since<\/code>&nbsp;to display an arbitrary range of time. Fuzzy times such as &#8220;yesterday&#8221; and &#8220;2 hours ago&#8221;\u2014with quotes\u2014are also allowed.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"other-interesting-options\">Other interesting options<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The <code>journalctl<\/code> program offers some other interesting options, as well. These are useful for refining the data search, specifying how the journal data is displayed, and managing the journal files.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td><strong>Option<\/strong><\/td><td><strong>Description<\/strong><\/td><\/tr><tr><td><code>-f<\/code>, <code>--follow<\/code><\/td><td>This <code>journalctl<\/code> option is similar to using the <code>tail -f<\/code> command. It shows the most recent entries in the journal that match whatever other options have been specified and also displays new entries as they occur. This can be useful when watching for events and when testing changes.<\/td><\/tr><tr><td><code>-e<\/code>, <code>--pager-end<\/code><\/td><td>The <code>-e<\/code> option displays the end of the data stream instead of the beginning. This does not reverse the order of the data stream, rather it causes the pager to jump to the end.<\/td><\/tr><tr><td><code>--file [journal filename]<\/code><\/td><td>This names a specific journal file in <code>\/var\/log\/journal\/&lt;journal subdirectory&gt;<\/code>.<\/td><\/tr><tr><td><code>-r<\/code>, <code>--reverse<\/code><\/td><td>This option reverses the order of the journal entries in the pager so that the newest are at the top rather than the bottom.<\/td><\/tr><tr><td><code>-n<\/code>, <code>--lines=[X]<\/code><\/td><td>This shows the most recent <code>X<\/code> number of lines from the journal.<\/td><\/tr><tr><td><code>--utc<\/code><\/td><td>This displays times in UTC rather than local time.<\/td><\/tr><tr><td><code>-g<\/code>, <code>--grep=[REGEX]<\/code><\/td><td>I like the <code>-g<\/code> option because it enables me to search for specific patterns in the journal data stream. This is just like piping a text data stream through the <code>grep<\/code> command. This option uses Perl-compatible regular expressions.<\/td><\/tr><tr><td><code>--disk-usage<\/code><\/td><td>This option displays the amount of disk storage used by the current and archived journals. It might not be as much as you think.<\/td><\/tr><tr><td><code>--flush<\/code><\/td><td>Journal data stored in the virtual filesystem <code>\/run\/log\/journal\/<\/code>, which is volatile storage, is written to <code>\/var\/log\/journal\/<\/code> which is persistent storage. This option ensures that all data is flushed to&nbsp;<code>\/run\/log\/journal\/<\/code> at the time it returns.<\/td><\/tr><tr><td><code>--sync<\/code><\/td><td>This writes all unwritten journal entries (still in RAM but not in <code>\/run\/log\/journal<\/code>) to the persistent filesystem. All journal entries known to the journaling system at the time the command is entered are moved to persistent storage.<\/td><\/tr><tr><td><code>--vacuum-size=<\/code> <code>--vacuum-time=<\/code> <code>--vacuum-files=<\/code><\/td><td>These can be used singly or in combination to remove the oldest archived journal files until the specified condition is met. These options only consider archived files, and not active files, so the result might not be exactly what was specified.<\/td><\/tr><\/tbody><\/table><figcaption class=\"wp-element-caption\">Additional interesting journalctl options<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">I&#8217;ll explore some of these entries below. More options can be found in the <code>journalctl<\/code> man page.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"journal-files\">Journal files<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">If you have not already, be sure to list the files in the journal directory on your host. Remember that the name of the directory containing the journal files is a long, random number. This directory contains multiple active and archived journal files, including some for users:<\/p>\n\n\n\n<pre class=\"wp-block-code has-small-font-size\"><code>&#91;root@david ~]# <strong>cd \/var\/log\/journal\/ad8f29ed15044f8ba0458c846300c2a4\/<\/strong>\n&#91;root@david ad8f29ed15044f8ba0458c846300c2a4]# <strong>ll<\/strong>\ntotal 352308\n-rw-r-----+ 1 root systemd-journal  33554432 May 28 13:07 system@0c91aaef57c441859ea5e421edff6528-0000000000000001-0005a6703120d448.journal\n-rw-r-----+ 1 root systemd-journal 109051904 Jun 23 21:24 system@0c91aaef57c441859ea5e421edff6528-0000000000008238-0005a6b85e4e03c6.journal\n-rw-r-----+ 1 root systemd-journal 100663296 Jul 21 18:39 system@0c91aaef57c441859ea5e421edff6528-0000000000021f3e-0005a8ca55efa66a.journal\n-rw-r-----+ 1 root systemd-journal  41943040 Jul 30 09:34 system.journal\n-rw-r-----+ 1 root systemd-journal   8388608 May 28 13:07 user-1000@037bcc7935234a5ea243b3af304fd08a-0000000000000c45-0005a6705ac48a3c.journal\n-rw-r-----+ 1 root systemd-journal  16777216 Jun 23 21:24 user-1000@bc90cea5294447fba2c867dfe40530db-0000000000008266-0005a6b85e910761.journal\n-rw-r-----+ 1 root systemd-journal  41943040 Jul 21 16:08 user-1000@bc90cea5294447fba2c867dfe40530db-0000000000021f4b-0005a8ca68c83ab7.journal\n-rw-r-----+ 1 root systemd-journal   8388608 Jul 30 09:34 user-1000.journal\n&#91;root@david ad8f29ed15044f8ba0458c846300c2a4]#<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">You can see the user files in this listing for the user ID (UID) 1000, which is my Linux account. The <code>--files<\/code> option allows me to see the content of specified files, including the user files:<\/p>\n\n\n\n<pre class=\"wp-block-code has-small-font-size\"><code>&#91;root@david ad8f29ed15044f8ba0458c846300c2a4]# <strong>journalctl --file user-1000.journal<\/strong>\n&lt;SNIP&gt;\nJul 29 14:13:32 david.both.org tumblerd&#91;145509]: Registered thumbnailer \/usr\/bin\/gdk-pixbuf-thumbnailer -s %s %u %o\nJul 29 14:13:32 david.both.org Thunar&#91;2788]: ThunarThumbnailer: got 0 handle (Queue)\nJul 29 14:13:32 david.both.org Thunar&#91;2788]: ThunarThumbnailer: got 0 handle (Error or Ready)\nJul 29 14:13:32 david.both.org Thunar&#91;2788]: ThunarThumbnailer: got 0 handle (Finished)\nJul 29 14:15:33 david.both.org tumblerd&#91;145552]: error: Broken zip file structure\nJul 29 14:20:34 david.both.org systemd&#91;2466]: dbus-:1.2-org.freedesktop.thumbnails.Thumbnailer1@11.service: Succeeded.\nJul 29 14:34:17 david.both.org systemd&#91;2466]: Starting Cleanup of User's Temporary Files and Directories...\nJul 29 14:34:17 david.both.org systemd&#91;2466]: systemd-tmpfiles-clean.service: Succeeded.\nJul 29 14:34:17 david.both.org systemd&#91;2466]: Finished Cleanup of User's Temporary Files and Directories.\nJul 29 14:48:26 david.both.org systemd&#91;2466]: Started dbus-:1.2-org.freedesktop.thumbnails.Thumbnailer1@12.service.\nJul 29 14:48:26 david.both.org tumblerd&#91;145875]: Registered thumbnailer gsf-office-thumbnailer -i %i -o %o -s %s\n&lt;SNIP&gt;<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">This output shows, among other things, temporary file cleanup for the UID1000 user. Data relating to individual users may be helpful in locating the root cause of problems originating in user space. I found a number of interesting entries in this output. Try it on your host and see what you find.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"adding-journal-entries\">Adding journal entries<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">It can be useful to add your own entries to the journal. This is accomplished with the <code>systemd-cat<\/code> program that allows piping the STDOUT of a command or program to the journal. This command can be used as part of a pipeline on the command line or in a script:<\/p>\n\n\n\n<pre class=\"wp-block-code has-small-font-size\"><code>&#91;root@testvm1 ~]# <strong>echo \"Hello world\" | systemd-cat -p info -t myprog<\/strong>\n&#91;root@testvm1 ~]# <strong>journalctl -n 10<\/strong>\nJul 27 09:01:01 testvm1.both.org CROND&#91;976442]: (root) CMD (run-parts \/etc\/cron.hourly)\nJul 27 09:01:01 testvm1.both.org run-parts&#91;976445]: (\/etc\/cron.hourly) starting 0anacron\nJul 27 09:01:01 testvm1.both.org run-parts&#91;976451]: (\/etc\/cron.hourly) finished 0anacron\nJul 27 09:07:53 testvm1.both.org unknown&#91;976501]: Hello world\nJul 27 09:10:47 testvm1.both.org systemd&#91;1]: Starting system activity accounting tool...\nJul 27 09:10:47 testvm1.both.org systemd&#91;1]: sysstat-collect.service: Succeeded.\nJul 27 09:10:47 testvm1.both.org systemd&#91;1]: Finished system activity accounting tool.\nJul 27 09:10:47 testvm1.both.org audit&#91;1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=sysstat-collect comm=\"systemd\" exe=\"\/usr\/lib\/syst&gt;\nJul 27 09:10:47 testvm1.both.org audit&#91;1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=sysstat-collect comm=\"systemd\" exe=\"\/usr\/lib\/syste&gt;\nJul 27 09:17:10 testvm1.both.org myprog&#91;976516]: Hello world\n&#91;root@testvm1 ~]#<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">The <code>-p<\/code> option specifies a priority, emerg, alert, crit, err, warning, notice, info, debug, or a value between 0 and 7 that represents each of those named levels. These priority values are the same as those defined by <code>syslog(3)<\/code>. The default is info. The <code>-t<\/code> option is an identifier, which can be any arbitrary short string, such as a program or script name. This string can be used for searches by the <code>journalctl<\/code> command:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91;root@testvm1 ~]# <strong>journalctl -t myprog<\/strong>\n-- Logs begin at Mon 2020-06-08 07:47:20 EDT, end at Mon 2020-07-27 09:21:57 EDT. --\nJul 27 09:17:10 testvm1.both.org myprog&#91;976516]: Hello world\n&#91;root@testvm1 ~]#<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"journal-management\">Journal management<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">I use the <code>--disk-usage<\/code> option to check on journal sizes, along with other commands relating to disk usage, to ensure that my <code>\/var<\/code> filesystem is not filling up:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91;root@testvm1 ~]# <strong>journalctl --disk-usage<\/strong> \nArchived and active journals take up 136.0M in the file system.\n&#91;root@testvm1 ~]#<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">The disk usage for the journals on the testvm1 host is about 136MB. The result on my primary workstation is 328MB, and the host I use for my firewall and router uses 2.8GB for the journals. Journal sizes depend greatly on the host&#8217;s use and daily run time. My physical hosts all run 24&#215;7.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The <code>\/etc\/systemd\/journald.conf<\/code> file can be used to configure the journal file sizes, rotation, and retention times to meet any needs not met by the default settings. You can also configure the journal storage location\u2014you can specify a directory on the storage device or whether to store everything in RAM, which is volatile storage. If the journals are stored in RAM, they will not be persistent between boots.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The default time unit in the <code>journald.conf<\/code> file is seconds, but it can be overridden using the suffixes <code>year<\/code>, <code>month<\/code>, <code>week<\/code>, <code>day<\/code>, <code>h<\/code>, or <code>m<\/code>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Suppose you want to limit the total amount of storage space allocated to journal files to 1GB, store all journal entries in persistent storage, keep a maximum of 10 files, and delete any journal archive files that are more than a month old. You can configure this in <code>\/etc\/systemd\/journald.conf<\/code> using:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>SystemMaxUse=1G\nStorage=persistent \nSystemMaxFiles=10\nMaxRetentionSec=1month<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">By default, the <code>SystemMaxUse<\/code> is 10% of available disk space. The default settings have been fine for the systems I work with, and I have not needed to change any of them. The <code>journald.conf<\/code> man page states that the time-based settings for specifying how long to store journal entries in a single file or to retain older files are normally not necessary. This is because file number and size configurations usually force rotation and deletion of old files before any time settings might be needed.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The <code>SystemKeepFree<\/code> option ensures a specific amount of space is kept free for other data. Many databases and application programs use the <code>\/var<\/code> filesystem to store data, so ensuring enough available storage space may be critical in systems with smaller hard drives and minimum space allocated to <code>\/var<\/code>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">If you make changes to this configuration, be sure to monitor the results carefully for an appropriate period of time to ensure they are performing as expected.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"journal-file-rotation\">Journal file rotation<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">The journal files are typically rotated automatically based upon the configuration in the <code>\/etc\/systemd\/journald.conf<\/code> file. Files are rotated whenever one of the specified conditions is met. So if, for example, the space allocated to journal files is exceeded, the oldest file(s) is deleted, the active file is made into an archive, and a new active file is created.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Journal files can also be rotated manually. I suggest using the <code>--flush<\/code> option to ensure current data is moved to persistent storage before you run the command:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91;root@testvm1 ~]# <strong>journalctl --rotate<\/strong><\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">There is another way to purge old journal files without performing a file rotation. The <code>vacuum-size=<\/code>, <code>vacuum-files=<\/code>, and <code>vacuum-time=<\/code> commands can be used to delete old archive files down to a specified total size, number of files, or prior time. The option values consider only the archive files and not the active ones, so the resulting reduction in total file size might be somewhat less than expected.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The following command purges old archive files so that only ones that are less than one month old are left. You can use the <code>s<\/code>, <code>m<\/code>, <code>h<\/code>, <code>days<\/code>, <code>months<\/code>, <code>weeks<\/code>, and <code>years<\/code> suffixes:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91;root@testvm1 ~]# <strong>journalctl --vacuum-time=1month<\/strong> <\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">This command deletes all archive files except for the four most recent ones. If there are fewer than four archive files, nothing will happen, and the original number of files remains:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91;root@testvm1 ~]# <strong>journalctl --vacuum-files=4<\/strong><\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">This last <code>vacuum<\/code> command deletes archive files until 200MB or less of archived files are left:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91;root@testvm1 ~]# <strong>journalctl --vacuum-size=200M<\/strong><\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Only complete files are deleted. The vacuum commands do not truncate archive files to meet the specification. They also work only on archive files, not active ones.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"final-thoughts\">Final thoughts<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">This article looked at using the <code>journalctl<\/code> command to extract various types of data from the systemd journal in different formats. It also explored managing journal files and how to add entries to the log from commands and scripts.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The systemd journal system provides a significant amount of metadata and context for entries compared to the old syslogd program. This additional data and the context available from the other journal entries around the time of an incident can help the sysadmin locate and resolve problems much faster than having to search multiple syslog files.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In my opinion, the <code>journalctl<\/code> command meets the Unix philosophy that programs should do one thing and do it well. The only thing <code>journalctl<\/code> does is extract data from the journal and provide many options for selecting and formatting that data. At about 85K, it is not very big. Of course, that does not include shared libraries, but those are, by definition, shared with other programs.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">You should now have enough information to use the systemd journal more effectively. If you would like to know more than what I covered here, look in the man pages for <code>journalctl<\/code> and <code>systemd-cat<\/code>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"resources\">Resources<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">There is a great deal of information about systemd available on the internet, but much is terse, obtuse, or even misleading. In addition to the resources mentioned in this article, the following webpages offer more detailed and reliable information about systemd startup.&nbsp;This list has grown since I started this series of articles to reflect&nbsp;the research I have done.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>DigitalOcean has a very good article about <a href=\"https:\/\/www.digitalocean.com\/community\/tutorials\/how-to-use-journalctl-to-view-and-manipulate-systemd-logs\" target=\"_blank\" rel=\"noreferrer noopener\">journalctl and how to view and manipulate systemd logs<\/a>.<\/li>\n\n\n\n<li>The Fedora Project has a good, practical <a href=\"https:\/\/docs.fedoraproject.org\/en-US\/quick-docs\/understanding-and-administering-systemd\/index.html\" target=\"_blank\" rel=\"noreferrer noopener\">guide<\/a> <a href=\"https:\/\/docs.fedoraproject.org\/en-US\/quick-docs\/understanding-and-administering-systemd\/index.html\" target=\"_blank\" rel=\"noreferrer noopener\">to systemd<\/a>. It has pretty much everything you need to know in order to configure, manage, and maintain a Fedora computer using systemd.<\/li>\n\n\n\n<li>The Fedora Project also has a good <a href=\"https:\/\/fedoraproject.org\/wiki\/SysVinit_to_Systemd_Cheatsheet\" target=\"_blank\" rel=\"noreferrer noopener\">cheat sheet<\/a> that cross-references the old SystemV commands to comparable systemd ones.<\/li>\n\n\n\n<li>Red Hat documentation contains a good description of the <a href=\"https:\/\/access.redhat.com\/documentation\/en-us\/red_hat_enterprise_linux\/8\/html\/configuring_basic_system_settings\/managing-services-with-systemd_configuring-basic-system-settings#Managing_Services_with_systemd-Unit_File_Structure\" target=\"_blank\" rel=\"noreferrer noopener\">Unit file structure<\/a> as well as other important information. &nbsp;<\/li>\n\n\n\n<li>For detailed technical information about systemd and the reasons for creating it, check out Freedesktop.org&#8217;s <a href=\"https:\/\/www.freedesktop.org\/wiki\/Software\/systemd\/\" target=\"_blank\" rel=\"noreferrer noopener\">description of systemd<\/a>.<\/li>\n\n\n\n<li><a href=\"http:\/\/Linux.com\" target=\"_blank\" rel=\"noreferrer noopener\">Linux.com<\/a>&#8216;s &#8220;More systemd fun&#8221; offers more advanced systemd <a href=\"https:\/\/www.linux.com\/training-tutorials\/more-systemd-fun-blame-game-and-stopping-services-prejudice\/\" target=\"_blank\" rel=\"noreferrer noopener\">information and tips<\/a>.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">There is also a series of deeply technical articles for Linux sysadmins by Lennart Poettering, the designer and primary developer of systemd. These articles were written between April 2010 and September 2011, but they are just as relevant now as they were then. Much of everything else good that has been written about systemd and its ecosystem is based on these papers.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"http:\/\/0pointer.de\/blog\/projects\/systemd.html\" target=\"_blank\" rel=\"noreferrer noopener\">Rethinking PID 1<\/a><\/li>\n\n\n\n<li><a href=\"http:\/\/0pointer.de\/blog\/projects\/systemd-for-admins-1.html\" target=\"_blank\" rel=\"noreferrer noopener\">systemd for Administrators, Part I<\/a><\/li>\n\n\n\n<li><a href=\"http:\/\/0pointer.de\/blog\/projects\/systemd-for-admins-2.html\" target=\"_blank\" rel=\"noreferrer noopener\">systemd for Administrators, Part II<\/a><\/li>\n\n\n\n<li><a href=\"http:\/\/0pointer.de\/blog\/projects\/systemd-for-admins-3.html\" target=\"_blank\" rel=\"noreferrer noopener\">systemd for Administrators, Part III<\/a><\/li>\n\n\n\n<li><a href=\"http:\/\/0pointer.de\/blog\/projects\/systemd-for-admins-4.html\" target=\"_blank\" rel=\"noreferrer noopener\">systemd for Administrators, Part IV<\/a><\/li>\n\n\n\n<li><a href=\"http:\/\/0pointer.de\/blog\/projects\/three-levels-of-off.html\" target=\"_blank\" rel=\"noreferrer noopener\">systemd for Administrators, Part V<\/a><\/li>\n\n\n\n<li><a href=\"http:\/\/0pointer.de\/blog\/projects\/changing-roots\" target=\"_blank\" rel=\"noreferrer noopener\">systemd for Administrators, Part VI<\/a><\/li>\n\n\n\n<li><a href=\"http:\/\/0pointer.de\/blog\/projects\/blame-game.html\" target=\"_blank\" rel=\"noreferrer noopener\">systemd for Administrators, Part VII<\/a><\/li>\n\n\n\n<li><a href=\"http:\/\/0pointer.de\/blog\/projects\/the-new-configuration-files.html\" target=\"_blank\" rel=\"noreferrer noopener\">systemd for Administrators, Part VIII<\/a><\/li>\n\n\n\n<li><a href=\"http:\/\/0pointer.de\/blog\/projects\/on-etc-sysinit.html\" target=\"_blank\" rel=\"noreferrer noopener\">systemd for Administrators, Part IX<\/a><\/li>\n\n\n\n<li><a href=\"http:\/\/0pointer.de\/blog\/projects\/instances.html\" target=\"_blank\" rel=\"noreferrer noopener\">systemd for Administrators, Part X<\/a><\/li>\n\n\n\n<li><a href=\"http:\/\/0pointer.de\/blog\/projects\/inetd.html\" target=\"_blank\" rel=\"noreferrer noopener\">systemd for Administrators, Part XI<\/a><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Find the root cause of hard-to-track errors by diving into your systemd journals.<\/p>\n","protected":false},"author":2,"featured_media":3879,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_lmt_disableupdate":"no","_lmt_disable":"","footnotes":""},"categories":[5,160,178],"tags":[250,162,242,176],"class_list":["post-3876","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-linux","category-systemd","category-tools","tag-journals","tag-problem-determination","tag-systemctl","tag-systemd"],"modified_by":"David Both","_links":{"self":[{"href":"https:\/\/www.both.org\/index.php?rest_route=\/wp\/v2\/posts\/3876","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.both.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.both.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.both.org\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.both.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3876"}],"version-history":[{"count":12,"href":"https:\/\/www.both.org\/index.php?rest_route=\/wp\/v2\/posts\/3876\/revisions"}],"predecessor-version":[{"id":9338,"href":"https:\/\/www.both.org\/index.php?rest_route=\/wp\/v2\/posts\/3876\/revisions\/9338"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.both.org\/index.php?rest_route=\/wp\/v2\/media\/3879"}],"wp:attachment":[{"href":"https:\/\/www.both.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3876"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.both.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3876"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.both.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3876"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}