Unix - System Logging in UNIX/Linux (syslog & journalctl)
1. What Is System Logging?
System logging is the process of recording system events and messages generated by:
- Kernel
- System services
- Applications
- Security components
Logs help in:
- Troubleshooting errors
- Security monitoring
- Auditing and forensics
- Performance analysis
2. Syslog Overview
What Is Syslog?
Syslog is a traditional logging mechanism in UNIX/Linux systems.
It:
- Collects log messages
- Categorizes them
- Stores them in log files
Common syslog implementations:
- rsyslog (most Linux systems)
- syslog-ng
Syslog Architecture
- Log source → applications, kernel
- Syslog daemon → rsyslog
- Log files → /var/log/*
Common Syslog Log Files
| File | Purpose |
|---|---|
| /var/log/syslog | General system logs |
| /var/log/messages | System messages |
| /var/log/auth.log | Authentication logs |
| /var/log/kern.log | Kernel messages |
| /var/log/cron | Cron job logs |
Syslog Message Format
<priority>timestamp hostname service: message
Syslog Severity Levels
| Level | Meaning |
|---|---|
| 0 | Emergency |
| 1 | Alert |
| 2 | Critical |
| 3 | Error |
| 4 | Warning |
| 5 | Notice |
| 6 | Informational |
| 7 | Debug |
Syslog Facilities (Examples)
- auth, authpriv
- kern
- daemon
- cron
- user
Syslog Configuration File
/etc/rsyslog.conf
/etc/rsyslog.d/*.conf
Example rule:
authpriv.* /var/log/auth.log
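To tie the message format, severity table, facility list and the rule above together, here is an added example (not part of the original notes) that decodes the `<priority>` field of BSD-style syslog lines into facility and severity (priority = facility × 8 + severity) and applies rsyslog-style selectors such as `authpriv.*` to route messages to the files named on this page. The sample log lines and the `*.err` rule are constructed for illustration.

```python
import re

# Severity (0-7) and facility numbers as defined for syslog; PRI = facility*8 + severity.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
              6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp"}
FACILITIES.update({16 + i: "local%d" % i for i in range(8)})

# <PRI>timestamp hostname service[pid]: message  (the format shown on this page)
LINE_RE = re.compile(
    r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^:\[]+)(?:\[\d+\])?: (.*)$")

def parse_syslog_line(line):
    """Split one syslog line into its fields and decode PRI into facility/severity."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("not a syslog line: %r" % line)
    pri = int(m.group(1))
    if pri > 191:  # 23*8 + 7 is the highest legal PRI
        raise ValueError("PRI out of range: %d" % pri)
    return {"facility": FACILITIES.get(pri // 8, "unknown"), "severity": SEVERITIES[pri % 8],
            "timestamp": m.group(2), "host": m.group(3),
            "service": m.group(4), "message": m.group(5)}

def selector_matches(selector, record):
    """rsyslog-style 'facility.severity' selector: '*' is a wildcard, and a named
    severity matches that level and everything more severe (lower number)."""
    fac, sev = selector.split(".")
    if fac != "*" and fac != record["facility"]:
        return False
    return sev == "*" or SEVERITIES.index(record["severity"]) <= SEVERITIES.index(sev)

def route(lines, rules):
    """Apply (selector, target file) rules and return {target: [messages]}."""
    routed = {}
    for line in lines:
        rec = parse_syslog_line(line)
        for selector, target in rules:
            if selector_matches(selector, rec):
                routed.setdefault(target, []).append(rec["message"])
    return routed

# Constructed sample lines: PRI 86 = authpriv.info, 84 = authpriv.warning, 3 = kern.err
SAMPLE = [
    "<86>Dec 15 10:01:02 host1 sshd[1234]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2",
    "<84>Dec 15 10:01:05 host1 sshd[1234]: Failed password for bob from 192.0.2.11 port 50023 ssh2",
    "<3>Dec 15 10:01:07 host1 kernel: Out of memory: Kill process 2222 (java)",
]
RULES = [("authpriv.*", "/var/log/auth.log"), ("kern.*", "/var/log/kern.log"),
         ("*.err", "/var/log/errors.log")]  # last target is constructed, not from the page
```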
3. journalctl Overview
What Is journalctl?
journalctl is the command-line tool for the systemd journal, a modern binary logging system.
It:
- Collects logs from systemd services
- Stores logs in binary format
- Supports powerful querying and filtering
Journal Log Storage
| Type | Location |
|---|---|
| Volatile | /run/log/journal |
| Persistent | /var/log/journal |
Basic journalctl Commands
journalctl
Shows all logs.
journalctl -b
Logs from current boot.
journalctl -u ssh
Logs for SSH service.
journalctl -f
Follow logs (like tail -f).
Time-Based Filtering
journalctl --since "today"
journalctl --since "2025-12-15" --until "2025-12-16"
Priority Filtering
journalctl -p err
Shows error-level logs only.
User & Process Filtering
journalctl _UID=1000
journalctl _PID=1234
4. Syslog vs journalctl
| Feature | Syslog | journalctl |
|---|---|---|
| Log format | Text | Binary |
| Storage | Files | Journal |
| Boot-time logs | Limited | Yes |
| Filtering | Basic | Advanced |
| systemd integration | No | Yes |