Basic work with journald
Journald is a logging system used in modern Linux-based operating systems to record system events. It collects information about the operation of various services, applications, and system processes to help administrators monitor system health and diagnose errors.
Unlike standard text logs, journald stores data in a binary format. This allows logs to be stored more compactly and managed more efficiently, but at the same time, you cannot simply open these logs in a text editor. Special tools are required to view and analyze them.
In this article, we will look at how to view the records maintained by journald and how to clear them to save disk space.
How to view journal logs
To read logs, use the journalctl command:
- All logs:
sudo journalctl
- Logs since the last reboot:
sudo journalctl -b
- Logs for a specific service:
sudo journalctl -u nginx
- Logs for a specific day:
sudo journalctl --since "2024-11-01" --until "2024-11-02"
- View the last n entries (for example, the last 100):
sudo journalctl -n 100
- Filter by priority level (for example, for errors):
sudo journalctl -p err
- View journal entries in reverse order, starting from the newest (useful when you need to see the latest log entries quickly):
sudo journalctl -r
- View journal entries in real time (similar to tail -f):
sudo journalctl -f
You can combine these options. For example, to display all errors from the nginx service on November 10, 2024, showing only the last 10 entries:
sudo journalctl -u nginx -p err --since "2024-11-10" --until "2024-11-10 23:59:59" -n 10
How to clear the Journal
If logs occupy too much space, you can use the following commands to clear them:
- Clear old logs (e.g., older than 7 days):
sudo journalctl --vacuum-time=7d
- Clear logs exceeding a specified size (e.g., 1 GB):
sudo journalctl --vacuum-size=1G
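- Completely clear all logs (vacuuming removes only archived journal files, and a vacuum value of 0 means "no limit", so rotate the active files first and then vacuum by time):
sudo journalctl --rotate --vacuum-time=1s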
How to reduce the Journal size
By default, journald can occupy a lot of disk space if logs are not limited. To set a maximum size for logs, open the journald.conf configuration file:
sudo nano /etc/systemd/journald.conf
In this file, you can configure the following parameters:
- SystemMaxUse — the maximum size for all journals:
SystemMaxUse=1G
- RuntimeMaxUse — the maximum size for temporary journals:
RuntimeMaxUse=500M
- MaxRetentionSec — the maximum time to retain logs:
MaxRetentionSec=1month
Set values suitable for your system and needs, then save the file using Ctrl + O, and exit the editor using Ctrl + X.
To apply the changes, restart the journald service:
sudo systemctl restart systemd-journald
You can also enable logging to RAM or even disable it entirely. Neither option is recommended in a production environment, as the journal contains important diagnostic information. Its accuracy and relevance are crucial for proper diagnostics of processes on your server.
If you still want to activate storing the journal in RAM, set the following value in /etc/systemd/journald.conf:
Storage=volatile
To completely disable logging, specify:
Storage=none
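To check which of the settings above are actually in effect in a configuration file, the following script is an added example, not part of the original article. The function names effective_setting and audit_journald_conf are hypothetical, the sample config is constructed, and only the one file passed in is read (drop-in files are not merged).

```shell
#!/bin/sh
# Added example, not from the article; function names are hypothetical.

# Print the effective value of KEY in FILE: the last uncommented KEY= wins.
effective_setting() {
    awk -v key="$2" '
        /^[ \t]*[#;]/ { next }          # comment line
        index($0, "=") == 0 { next }    # section header or blank line
        {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/[ \t]/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }
    ' "$1"
}

# Report the settings from the article; return 1 if logs are not kept on disk.
audit_journald_conf() {
    rc=0
    storage=$(effective_setting "$1" Storage)
    case "$storage" in
        volatile) echo "WARN Storage=volatile (journal kept in RAM only)"; rc=1 ;;
        none)     echo "WARN Storage=none (logging disabled)"; rc=1 ;;
        "")       echo "OK   Storage not set (journald default)" ;;
        *)        echo "OK   Storage=$storage" ;;
    esac
    for key in SystemMaxUse RuntimeMaxUse MaxRetentionSec; do
        value=$(effective_setting "$1" "$key")
        if [ -n "$value" ]; then echo "OK   $key=$value"
        else echo "INFO $key not set (journald default)"; fi
    done
    return "$rc"
}

# Constructed sample config: the second Storage= line overrides the first.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[Journal]
#SystemMaxUse=
Storage=persistent
SystemMaxUse=1G
MaxRetentionSec=1month
Storage=volatile
EOF
audit_journald_conf "$sample" || echo "Result: findings present"
rm -f "$sample"
```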