How to access logs without booting the system?

I’ve been looking around but haven’t found an explanation on how to access logs without booting the system in question, i.e. when booted to a USB stick and examining the system drive without running the system, i.e. while running a live system from USB, another OS on a dual-boot machine, or after putting the system drive in a USB dock on a different computer.

What I managed to figure out:

  • In my case, the system partition uses BTRFS, in which case Manjaro gives /var/log its own subvolume. This means that if I mount the drive to, say /mnt/syspart/, the logs are not at /mnt/syspart/var/log/ (which is just an empty mountpoint for the subvolume), but at /mnt/syspart/@log/
  • In the base dir of that subvolume, I see Xorg.0.log.
  • I can see a file ./journal/86584354b897c65a6654e6548f/system.journal (that gibberish part is made up by me, but it looks like a very long hex number). Right next to it, there’s also a file user-100.journal.
  • However, the *.journal files appear to be binary – how do I figure out what’s in them? Or are they not what they appear to be?
  • There’s also a directory called timeshift which I presume contains logs from snapshot operations, and cups, which concerns itself with printer-related things.

In my particular case (trying not to hijack this thread for my troubleshooting, just to explain the scenario that got me here):
My computer has crashed (frozen for a second, then monitor turned off and machine stopped responding entirely, not even num lock worked), and not for the first time. I don’t want to accidentally make matters worse, and because I suspect a hardware issue with the SATA controller for the drive containing the home dir, I try to avoid booting the system before I know more. The root partition lives on a separate SSD, and I can access it from a live system (using a Manjaro live image on a USB stick).

I can read the Xorg.0.log alright, although its contents don’t help me much right now.
In my case, the ‘system.log’ file’s modification time is very close to the time the machine crashed, making it a “file of interest” to me – can anyone here tell me how to get to its contents, without booting the system?

You need to use journalctl.

If any error messages from the log are not related to your machine crash, that would probably be a power failure due to the damaged power supply. No log helps in a power failure. It is useless; any logging process needs power to write error messages to a disk. That is a limit of the log. I knew someone who had experienced this problem.

If you need an automatic notification of journalctl for any desktop environment, just install journalctl-desktop-notification-git from AUR.

Boot live system, mount the partition that contains the journal (/var/log/journal) to a mount point, and use journalctl -D using that mount point.
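
The steps from the thread as a script, added here as an example and not posted by any participant: it locates the journal directory under a mounted system partition, covering the Btrfs `@log` layout from the question as well as the plain `var/log/journal` layout, and passes it to `journalctl -D`. The function names, the mount point /mnt/syspart and the device name /dev/sdXn are assumptions.

```shell
#!/bin/sh
# Added example; find_journal_dir and show_crash_tail are hypothetical helpers.
# Mount the system partition read-only from the live system first, e.g.
#   mount -o ro /dev/sdXn /mnt/syspart      (sdXn is a placeholder)

# Print the directory to pass to `journalctl -D` for a system mounted at $1.
# Candidates, in order:
#   var/log/journal  - plain layout, or subvolumes already mounted in place
#   @log/journal     - Btrfs top level mounted, /var/log lives in @log
#   journal          - the @log subvolume itself is mounted at $1
find_journal_dir() {
    root=${1%/}
    for cand in "$root/var/log/journal" "$root/@log/journal" "$root/journal"; do
        # A usable journal directory holds <machine-id>/*.journal files.
        for f in "$cand"/*/*.journal; do
            if [ -f "$f" ]; then
                printf '%s\n' "$cand"
                return 0
            fi
        done
    done
    return 1
}

# List the boots recorded in the offline journal, then print the last
# $2 entries (default 200), i.e. what was written just before the crash.
show_crash_tail() {
    dir=$(find_journal_dir "$1") || {
        echo "no journal files found under $1" >&2
        return 1
    }
    journalctl -D "$dir" --list-boots --no-pager
    journalctl -D "$dir" -n "${2:-200}" --no-pager
}

# Usage: sh offline-journal.sh /mnt/syspart [lines]
if [ "$#" -gt 0 ]; then
    show_crash_tail "$@"
fi
```

Adding `-p warning` to the second journalctl call limits the output to entries of priority warning and above.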