The systemd-journald service stores logging data in a structured, indexed binary file called a journal.
This is stored on /run/log so if the system is rebooted the journal is lost
To get the journal details use the journalctl command
Journalctl options
| option | what it does |
|---|---|
| -n X | by default the -n option shows last 10 entries you can adjust it by enterring a number |
| -f | Works similarly to tail -f but for the journal |
| -p priority | to filter out messages by priority |
| -u unit | to filter out by specific unit (service) |
| –since today | show only entries fro today |
| -o verbose | enable verbosity |
| -r | to show most recent entries in the journal |
| _UID | to display all log events with a particular UID same as -u |
| _PID | to display all log events with a particular process PID |
example
journalctl --since "2022-03-11 20:30" --until "2022-03-14 10:00"
commands can be chained
edit the file at /etc/systemd/journald.conf modify the line (or just add a line)
you can then create the /var/log/journal directory and restart the systemd-journald
on reboot you can check that logs are stored