Changed the journal section.

lvicoun · lvicoun · commit fbb2bac184b7 · 2025-12-05T16:26:16.000+01:00
diff --git a/concepts/journal-about-journald.xml b/concepts/journal-about-journald.xml
@@ -27,55 +27,8 @@
   </info>
   <para>
     On &productname; the <literal>systemd-journald</literal> service is enabled and started by
-    default. The service logs the data into the journal described in <xref linkend="journal-what-it-is"./>
-    </para>
-        
-        
-        as its logging system. The <command>systemd-journald</command> service is enabled by default.</para>
-    <para>All system events are written to the journal, a system service managed by <command>systemd-journald</command> service. This allows you to search and manage all system logs. It collects and stores logging data by maintaining structured indexed journals based on logging information received from the kernel, user processes, standard input, and system service errors. The journal records nearly every type of event generated on the system, including kernel messages, initrd (initial RAM disk) messages, service startup/shutdown, application events, and authentication and session data. Journal allows centralization and unification of logs from all sources, and it records events in structured manner which in turn helps identifying errors and in crash recovery.</para>
-   <para><command>journalctl</command> is the command-line tool to view and analyze the logs from the <command>systemd-journald</command> service.</para></abstract>
-  
-   </info>
-   <section><title>Understanding <command>journalctl</command> configuration and structure</title>
-  <para>
-   This section describes the <command>journalctl</command> location, configuring the location for persistent logs, and the <command>journalctl</command> entry structure.
-  </para>
-<itemizedlist>
-<listitem><para>Verify the logs location:</para>
-<screen>&prompt.sudo; ls /var/log/journal
-&prompt.sudo; ls /run/log/journal
-</screen>
-  <para>The <command>journald</command> command collects log data from several sources simultaneously logs and are then managed in a structured, binary format within files in <filename>/run/log/journal/</filename> by default. Because the <filename>/run/ directory</filename> is volatile by nature, log data is lost at reboot. To make the log data persistent, create a directory <filename>/var/log/journal/</filename> so the <command>systemd-journald</command> service can store its data. To switch to persistent logging across reboots, create <filename>/var/log/journal</filename>:</para>
-  <screen>&prompt.sudo;  mkdir /var/log/journal
-&prompt.sudo;  systemd-tmpfiles --create --prefix=/var/log/journal
-&prompt.sudo;  journalctl --flush</screen>
-<para>All log data stored in <filename>/run/log/journal/</filename> are flushed into <filename>/var/log/journal/</filename>.</para>
-</listitem>
-<listitem><para>View the journal entry structure:</para>
-<screen>&prompt.sudo; journalctl -n 1 -o verbose</screen>
-<para>Log entry in the journal is a data structure containing the log message and  metadata fields:</para>
-<itemizedlist><listitem><para>Timestamp: The exact time the event occurred.</para></listitem>
-<listitem><para>Source Fields</para>
-<itemizedlist>
-  <listitem><para>_PID: Process ID of the sender.</para></listitem>
-  <listitem><para>_UID/_GID: User/Group ID of the sender.</para></listitem>
-  <listitem><para>_EXE: Path to the executable.</para></listitem>
-  <listitem><para>_COMM: Name of the executable.</para></listitem>
-</itemizedlist>
-</listitem>
-<listitem><para>System Fields</para>
-<itemizedlist>
-  <listitem><para>_SYSTEMD_UNIT: The systemd unit (service) that generated the log (e.g., sshd.service).</para></listitem>
-  <listitem><para>_BOOT_ID: A unique identifier for the specific system boot session.</para></listitem>
-</itemizedlist>
-</listitem>
-<listitem><para>Kernel Fields</para>
-<itemizedlist>
-  <listitem><para>_TRANSPORT: How the message was logged (e.g., kernel, syslog, stdout).</para></listitem>
-</itemizedlist>
-</listitem><listitem><para>Priority level: A numeric value indicating the severity of the message (0=emerg, 7=debug).</para></listitem>
-</itemizedlist>
-</listitem>
-</itemizedlist>
-</section>
+    default. The service logs the data into the journal described in <xref linkend="journal-what-it-is"/>.
+    </para>        
+      
+
 </topic>
diff --git a/concepts/journal-structure.xml b/concepts/journal-structure.xml
@@ -23,7 +23,7 @@
     <meta name="maintainer" content="shalaka.harne@suse.com" its:translate="no"/>
     <abstract><!-- can be changed via merge in the assembly -->
       <para>
-       Journal is a  centralization and unification of logs from all sources, and it stores events in structured manner which in turn helps identifying errors and in crash recovery.
+       Journal is a centralization and unification of logs from all sources, and it stores events in structured manner which in turn helps identifying errors and in crash recovery.
       </para>
     </abstract>
   </info>
@@ -33,13 +33,119 @@
       By default, <literal>journald</literal> stores the collected data in the volatile memory in
       <filename>/run/log/journal</filename>, so after reboot the data is lost.
     </para>
+    <para>
+      If <literal>systemd-journald</literal> is configured to store the logs in a persistent
+      manner, you can find the journal in <filename>/var/log/journal</filename>. Ensure that the
+      directoy exists:
+    </para>
+    <procedure>
+      <step>
+        <para>
+          Check if the directory exist:
+        </para>
+          <screen>&prompt.sudo;<command>ls /var/log</command>
+...        
+journal                             
+...
+
+          </screen>
+        
+      </step>
+      <step>
+        <para>If the <filename>/var/log/journal</filename> directory does not exist, create
+        it:</para>
+        <screen>&prompt.sudo;<command>mkdir /var/log/journal</command>     
+        </screen>
+      </step>
+      <step>
+        <para>
+          Set correct ownership and access perimissions:
+        </para>
+        <screen>&prompt.sudo;  systemd-tmpfiles --create --prefix=/var/log/journal</screen>
+      </step>
+      <step performance="optional">
+        <para>
+          To flush the data from RAM to the directory:
+        </para>
+        <screen>&prompt.sudo;  <command>journalctl --flush</command></screen>
+      </step>
+    </procedure>
+    <para>For details about
+      the service configuration, refer to <xref linkend="journal-configure-journald"/>.
+    </para>
   </section>
   <section xml:id="journal-what-it-is-structure">
-    <title>The structure of the journal</title>
+    <title>The journal logs structure</title>
     <para>
-      A paragraph of text, answering the question above and explaining the
-      mechanism behind foo bar.
+      The logs are stored in binary format across several files. To view the structure of a log
+      entry, proceed as follows:
     </para>
+    <screen>&prompt.sudo; <command>journalctl -n 1 -o verbose</command>
     
+    Fri 2025-12-05 10:52:53.284321 CET [s=5b7ae2e926794210bf832d014f5f560a;i=d49752&gt;
+    _UID=1000
+    _AUDIT_SESSION=3
+    _AUDIT_LOGINUID=1000
+    _SYSTEMD_OWNER_UID=1000
+    _SYSTEMD_UNIT=user@1000.service
+    _SYSTEMD_SLICE=user-1000.slice
+    _MACHINE_ID=d3489468c8534c5d81a2860cf9a2a20e
+    _RUNTIME_SCOPE=system
+    _SELINUX_CONTEXT=unconfined
+    PRIORITY=6
+    _TRANSPORT=syslog
+    _BOOT_ID=d095069bd59b4bc4bf67c8c71999243b
+   SYSLOG_IDENTIFIER=sudo
+    SYSLOG_TIMESTAMP=Dec  5 10:52:53 
+    _PID=25806
+    _COMM=sudo
+    _EXE=/usr/bin/sudo
+    _CMDLINE=sudo journalctl -n 1 -o verbose
+
+    ...
+    </screen>
+    <para>The log entry is a data structure containing the log message and metadata fields:</para>
+    <variablelist>
+      <varlistentry>
+        <term>Timestamp</term>
+        <listitem>
+          <para>
+The exact time the event occured
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>Source Fields</term>
+        <listitem>
+          
+            <itemizedlist>
+  <listitem><para><literal>_PID</literal>: process ID of the sender</para></listitem>
+  <listitem><para><literal>_UID/_GID</literal>: User/Group ID of the sender</para></listitem>
+  <listitem><para><literal>_EXE</literal>: path to the executable</para></listitem>
+  <listitem><para><literal>_COMM</literal>: name of the executable</para></listitem>
+</itemizedlist>          
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>System Fields</term>
+        <listitem>
+          <itemizedlist>
+  <listitem><para><literal>_SYSTEMD_UNIT</literal>: The systemd unit (service) that generated the
+  log (for example, <literal>sshd.service</literal>)</para></listitem>
+  <listitem><para><literal>_BOOT_ID</literal>: A unique identifier for the specific system boot session</para></listitem>
+</itemizedlist>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>Kernel Fields</term>
+        <listitem><para><literal>_TRANSPORT</literal>: How the message was logged (e.g., kernel, syslog, stdout).</para></listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>Priority level</term>
+        <listitem>
+          <para>A numeric value indicating the severity of the message (0=emerg, 7=debug)</para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
   </section>
 </topic>
