System log/kernel log in Ubuntu

If you have experience digging through system logs, you may be familiar with the dmesg command or the content of /var/log/dmesg.

However, the content of /var/log/dmesg is usually not as up to date as what the dmesg command prints. This post will make everything clear.

What does the dmesg command do?

The Linux kernel has its own log buffer, initialized when the system boots. This log buffer is flushed continuously by the kernel. When invoked, dmesg prints the last N lines of the buffer.

What does /var/log/dmesg store?

After the system has booted, the kernel buffer is written to /var/log/dmesg (by the dmesg command with a particular flag). After that, the file is no longer kept in sync with the kernel log. This explains why /var/log/dmesg contains only part of the kernel log.

How to get a full kernel log?

The syslog service keeps flushing the kernel log buffer content to /var/log/kern.log.

# systemctl list-unit-files | grep syslog
rsyslog.service                            enabled        
syslog.service                             enabled        
syslog.socket                              static

Note: both dmesg and kern.log are rotated in the usual manner, i.e. the previous logs can be found in dmesg.0, dmesg.1.gz, kern.log.1, kern.log.2.gz, ...
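
To read a rotated set as one continuous timeline, the files have to be concatenated oldest-first and the .gz members decompressed. The following is an added example, not part of the original post: the function names read_rotated and make_sample and the sample log lines are constructed for illustration.

```sh
#!/bin/sh
# Added example: print a rotated log set (kern.log, kern.log.1, kern.log.2.gz, ...)
# oldest-first so the kernel log reads as one continuous timeline.

# read_rotated DIR BASE   e.g. read_rotated /var/log kern.log
read_rotated() {
    dir=$1
    base=$2
    tab=$(printf '\t')
    for f in "$dir/$base".*; do
        [ -e "$f" ] || continue
        n=${f#"$dir/$base."}           # "2.gz", "1", "0", ...
        n=${n%.gz}
        case $n in
            ''|*[!0-9]*) continue ;;   # not a rotation index, skip
        esac
        printf '%s\t%s\n' "$n" "$f"
    done | sort -rn | while IFS=$tab read -r idx path; do
        # The highest index is the oldest file. sort -rn puts it first
        # and orders 10 before 2, which plain glob order would not.
        case $path in
            *.gz) gzip -dc -- "$path" ;;
            *)    cat -- "$path" ;;
        esac
    done
    # The unnumbered live file is the newest, so it goes last.
    if [ -f "$dir/$base" ]; then cat -- "$dir/$base"; fi
}

# make_sample DIR: write a constructed kern.log set into DIR (not real logs).
make_sample() {
    d=$1
    echo 'Jan  1 09:00:00 host kernel: [    0.000000] constructed-oldest' > "$d/kern.log.10"
    echo 'Jan  2 09:00:00 host kernel: [    0.000000] constructed-older'  > "$d/kern.log.2"
    echo 'Jan  3 09:00:00 host kernel: [    0.000000] constructed-recent' > "$d/kern.log.1"
    echo 'Jan  4 09:00:00 host kernel: [    0.000000] constructed-live'   > "$d/kern.log"
    gzip -f "$d/kern.log.10" "$d/kern.log.2"
}
```

The same function works for the dmesg set (read_rotated /var/log dmesg), since dmesg.0 and dmesg.1.gz follow the same numbering.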

How to get the kernel log in a pretty-printed format?

journalctl is a handy tool for this purpose. It can be invoked with the following flags:

  • -k (--dmesg): kernel log only
  • -b <boot_number>: boot order (0, -1, -2, ...)

Source: https://unix.stackexchange.com/questions/181067/how-to-read-dmesg-from-previous-session-dmesg-0