System logging is essential for diagnosing problems, auditing activity, and maintaining security on Debian 12. When rsyslog is not installed, Debian relies on alternative logging mechanisms, most notably systemd-journald. Understanding how to work with these tools allows you to efficiently read and interpret system logs, even in environments where traditional syslog daemons are absent.
Reading Logs with systemd-journald and journalctl
Step 1: Use journalctl to view logs collected by systemd-journald. This is the default logging mechanism on Debian 12, and it stores logs in a binary format for performance and reliability. Open a terminal and run:
journalctl
This command displays all system logs in chronological order. You can scroll through the output or use pagination tools like less for easier navigation.
Step 2: To filter logs by time, boot session, or service, use specific journalctl options. For example, to view logs from the current boot only:
journalctl -b
To display logs for a particular service, such as ssh:
journalctl -u ssh.service
These filters help you quickly pinpoint issues related to recent changes or specific system components.
Step 3: If you need real-time updates, similar to tail -f with traditional log files, use:
journalctl -f
This command streams new log entries as they are written, which is useful for monitoring ongoing processes or troubleshooting live issues.
Step 4: For persistent log storage, ensure that systemd-journald is configured to keep logs across reboots. By default, logs may be stored in memory and lost after a restart. To enable persistent logging, create the following directory (if it does not exist):
sudo mkdir -p /var/log/journal
Restart the journal service to apply changes:
sudo systemctl restart systemd-journald
With this setup, logs will be saved under /var/log/journal/ and survive system reboots.
Accessing Traditional Log Files
Step 1: Check for existing plain-text log files in /var/log/. Some applications and services write directly to log files even without rsyslog. For example, /var/log/auth.log or /var/log/syslog may still exist on your system.
Step 2: Use cat, less, or tail to read these files. For example, to view the last 50 lines of auth.log:
sudo tail -n 50 /var/log/auth.log
These methods are useful for services that do not rely on systemd-journald and still use legacy logging.
Exporting and Converting systemd Journal Logs
Step 1: Export logs from the journal to a plain-text file for sharing or archival. Use:
journalctl > system-logs.txt
This command saves all logs to system-logs.txt in your current directory. You can adjust filters to export only relevant logs, such as logs from a specific service or timeframe.
Step 2: Convert binary journal logs to a human-readable format using journalctl --output options. For example, to export logs in JSON format:
journalctl -o json > logs.json
This approach is helpful for automated log analysis or integrating with log management tools.
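As an added example of that kind of automated analysis (not part of the original article), the script below reads a JSON export such as logs.json, one journal entry per line, and counts failed SSH password attempts per source address. It assumes OpenSSH's usual "Failed password" message wording and the ssh.service unit name; the sample entries are constructed.

```python
import json
import re
import sys
from collections import Counter

# Assumption: OpenSSH's usual failed-password wording, valid or invalid user.
FAILED = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+")

def message_text(entry):
    # journalctl -o json emits a list of byte values for non-UTF-8 data
    # and null for oversized fields, so MESSAGE is not always a string.
    msg = entry.get("MESSAGE")
    if isinstance(msg, list):
        try:
            return bytes(msg).decode("utf-8", errors="replace")
        except (TypeError, ValueError):
            return ""  # e.g. a list of strings from a repeated field
    return msg if isinstance(msg, str) else ""

def failed_logins(lines, unit="ssh.service"):
    """Count failed SSH password attempts per source address."""
    counts = Counter()
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or truncated line
        if not isinstance(entry, dict) or entry.get("_SYSTEMD_UNIT") != unit:
            continue
        match = FAILED.search(message_text(entry))
        if match:
            counts[match.group(1)] += 1
    return counts

def _entry(unit, message):
    return json.dumps({"_SYSTEMD_UNIT": unit, "MESSAGE": message})

# Constructed sample entries (documentation address ranges), not real logs.
SAMPLE = [
    _entry("ssh.service", "Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2"),
    _entry("ssh.service", "Failed password for root from 203.0.113.5 port 51240 ssh2"),
    _entry("ssh.service", list(b"Failed password for root from 198.51.100.7 port 40022 ssh2")),
    _entry("ssh.service", "Accepted publickey for deploy from 192.0.2.10 port 50000 ssh2"),
    _entry("cron.service", "Failed password for root from 192.0.2.99 port 1 ssh2"),
    '{"_SYSTEMD_UNIT": "ssh.service", "MESSAGE": "Failed pass',
]

if __name__ == "__main__":
    lines = open(sys.argv[1], encoding="utf-8") if len(sys.argv) > 1 else SAMPLE
    for address, count in failed_logins(lines).most_common():
        print(f"{count:5d}  {address}")
```

Run it with the path to the exported file as the only argument; with no argument it processes the constructed sample.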
Exploring system logs on Debian 12 without rsyslog is straightforward with journalctl and the systemd journal. These methods provide flexible ways to monitor, filter, and export logs for troubleshooting and maintenance.