1

Is there a way to get the size of logs (in bytes) which journalctl creates per day?

Background: we want to get our logs into a central database.

But before doing this I would like to have rough estimate how much bytes will get transferred.

My question to journalctl in humang language: "Dear journalctl, how many bytes of logs did you create during the last 24 hours?".

How to ask this question journaltcl?

HBruijn
  • 72,524
  • 21
  • 127
  • 192
guettli
  • 3,113
  • 14
  • 59
  • 110

1 Answers1

4

My question to journalctl in human language: "Dear journalctl, how many bytes of logs did you create during the last 24 hours?"

Typically the manual is much better at providing answers in human friendly languages...

man journalctl

--disk-usage Shows the current disk usage of all journal files. This shows the sum of the disk usage of all archived and active journal files.

That suggests that there is more than one file but doesn't give the sizes of individual logs files or the granularity you want.

Now where would the actual log files be?

Nearly every manual ends with a section SEE ALSO:

SEE ALSO
       systemd(1), systemd-journald.service(8), systemctl(1), coredumpctl(1), systemd.journal-
       fields(7), journald.conf(5)

Let's try man systemd-journald.service first (an educated guess):

...
By default, the journal stores log data in /run/log/journal/. Since /run/ is volatile, log data is lost at reboot. To make the data persistent, it is sufficient to create /var/log/journal/ where systemd-journald will then store the data.
...

As a first level approach check how data much is actually stored per day in either/both of those directories:

find /run/log/journal/ -type f -ls

If you don't see files older than today or yesterday journald probably records a lot of data and the files are rolling over...
You may want to tune that in /etc/systemd/journald.conf so that more will be stored and you can get an idea of the total amount data that gets generated and collected.
If you do get a lot of journal data probably you will also want to investigate the source and will need to decide of it is (potentially) useful to continue to collect that data or maybe you should tune something that's too verbose to become less so.

HBruijn
  • 72,524
  • 21
  • 127
  • 192