Analysis Options

Before we had systemd, if your system didn't recognise an external drive such as a USB stick, your only choice was to examine the output of dmesg using the command tail -n 10. This would show the last ten lines of output, hopefully displaying when the stick was connected. Journalctl has a built-in function for this. Use journalctl -n <value> to display the last x number of lines.

System admins also used to use the command tail -f to keep track of logfiles. On operating systems using systemd, you can now achieve the same thing by running journalctl -f. By way of example, run the command journalctl -u apache2 -f. Use Ctrl+C to interrupt the continuous output.

Output to other formats

If you want to analyze a journal in a different way, you can output data to other formats. See Listing 7 for an example of how to save all syslog Error levels as a simple text file. For other file types, use the -o or --output to specify the format. The default output is short and matches the syslog output.

The option -o verbose provides a more comprehensive output with all metadata and fields. Use -o cat as an alternative to short. Use the option -o short-monotonic for a more precise time-stamp. This will allow a more reliable comparison of outputs from different sources.

For further analysis of journal data using web tools, you can use the output options -o json or -o json-pretty. If you simply want to send the journal over the network in binary format, use -o export.

Safety and security

As efficient as the binary files are, if the logs do become corrupted, there's currently no way to repair them. However, their contents will usually be preserved. You can use your built-in Linux commands such as strings and grep to filter only uncorrupted data, as shown in Listing 8.