Being able to view logs based on the name of the service instead of the name of the logfile. `journalctl -u <unit>` vs `less /var/log/service/something.log`
Being able to specify date ranges instead of grepping around multiple files. `journalctl -u <unit> -S <start> -U <end>` instead of horrid combinations of grep and gzcat.
"Okay," you say, "but that's all for logs on the host. Shouldn't you be using Splunk or an ELK stack?"
Journalctl can export logs in a JSON format that can be natively consumed by Splunk for free metadata markup. I wrote some container sidecars to do exactly that, and it worked great.
The only thing I don't like about journalctl is that it doesn't line wrap by default.
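
The JSON export mentioned above, as an added example that is not the commenter's sidecar code: a Python normalizer for `journalctl -o json` lines that handles the non-string field encodings and applies the unit and date-range filter before forwarding. The sample records, unit names and function names are constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed sample of `journalctl -o json` output: one JSON object per line.
SAMPLE = [
    '{"__REALTIME_TIMESTAMP":"1700000000000000","_SYSTEMD_UNIT":"sshd.service",'
    '"_HOSTNAME":"web01","PRIORITY":"6","MESSAGE":"Accepted publickey for deploy"}',
    '{"__REALTIME_TIMESTAMP":"1700000060000000","_SYSTEMD_UNIT":"app.service",'
    '"_HOSTNAME":"web01","PRIORITY":"3","MESSAGE":[98,97,100,32,255,10]}',
    '{"__REALTIME_TIMESTAMP":"1700000120000000","_SYSTEMD_UNIT":"app.service",'
    '"_HOSTNAME":"web01","PRIORITY":"6","MESSAGE":null}',
    'not json at all',
]

def decode_field(value):
    """Journal JSON values are strings, except: null (oversized field),
    a list of ints (non-UTF-8 bytes) or a list of values (repeated field)."""
    if value is None:
        return None
    if isinstance(value, list):
        if all(isinstance(b, int) and 0 <= b < 256 for b in value):
            value = bytes(value).decode("utf-8", "replace")
        else:
            value = "\n".join(str(decode_field(v)) for v in value)
    # Escape control characters so one journal entry stays one event downstream.
    return "".join(c if c.isprintable() else f"\\x{ord(c):02x}" for c in str(value))

def normalize(line):
    """Turn one exported line into a flat event dict, or None if unusable."""
    try:
        rec = json.loads(line)
        micros = int(rec["__REALTIME_TIMESTAMP"])  # microseconds since epoch
    except (ValueError, KeyError, TypeError):
        return None
    return {
        "time": datetime.fromtimestamp(micros / 1_000_000, tz=timezone.utc),
        # Underscore-prefixed fields are added by journald itself, so filter on
        # those rather than on client-supplied ones such as SYSLOG_IDENTIFIER.
        "unit": decode_field(rec.get("_SYSTEMD_UNIT")),
        "host": decode_field(rec.get("_HOSTNAME")),
        "priority": decode_field(rec.get("PRIORITY")),
        "message": decode_field(rec.get("MESSAGE")),
    }

def select(lines, unit, since=None, until=None):
    """Unit plus date-range filter over already exported lines."""
    events = [e for e in map(normalize, lines) if e and e["unit"] == unit]
    return [e for e in events
            if (since is None or e["time"] >= since)
            and (until is None or e["time"] <= until)]
```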