System logging is essential for diagnosing problems, auditing activity, and maintaining security on Debian 12. When rsyslog is not installed, Debian relies on alternative logging mechanisms, most notably systemd-journald. Understanding how to work with these tools allows you to efficiently read and interpret system logs, even in environments where traditional syslog daemons are absent.

Reading Logs with systemd-journald and journalctl

Step 1: Use journalctl to view logs collected by systemd-journald. This is the default logging mechanism on Debian 12, and it stores logs in a binary format for performance and reliability. Open a terminal and run:

journalctl

This command displays all system logs in chronological order. You can scroll through the output or use pagination tools like less for easier navigation.

Step 2: To filter logs by time, boot session, or service, use specific journalctl options. For example, to view logs from the current boot only:

journalctl -b

To display logs for a particular service, such as ssh:

journalctl -u ssh.service

These filters help you quickly pinpoint issues related to recent changes or specific system components.

Step 3: If you need real-time updates, similar to tail -f with traditional log files, use:

journalctl -f

This command streams new log entries as they are written, which is useful for monitoring ongoing processes or troubleshooting live issues.

Step 4: For persistent log storage, ensure that systemd-journald is configured to keep logs across reboots. By default, logs may be stored in memory and lost after a restart. To enable persistent logging, create the following directory (if it does not exist):

sudo mkdir -p /var/log/journal

Restart the journal service to apply changes:

sudo systemctl restart systemd-journald

With this setup, logs will be saved under /var/log/journal/ and survive system reboots.


Accessing Traditional Log Files

Step 1: Check for existing plain-text log files in /var/log/. Some applications and services write directly to log files even without rsyslog. For example, /var/log/auth.log or /var/log/syslog may still exist on your system.

Step 2: Use cat, less, or tail to read these files. For example, to view the last 50 lines of auth.log:

sudo tail -n 50 /var/log/auth.log

These methods are useful for services that do not rely on systemd-journald and still use legacy logging.


Exporting and Converting systemd Journal Logs

Step 1: Export logs from the journal to a plain-text file for sharing or archival. Use:

journalctl > system-logs.txt

This command saves all logs to system-logs.txt in your current directory. You can adjust filters to export only relevant logs, such as logs from a specific service or timeframe.

Step 2: Convert binary journal logs to a human-readable format using journalctl --output options. For example, to export logs in JSON format:

journalctl -o json > logs.json

This approach is helpful for automated log analysis or integrating with log management tools.


Exploring system logs on Debian 12 without rsyslog is straightforward with journalctl and the systemd journal. These methods provide flexible ways to monitor, filter, and export logs for troubleshooting and maintenance.