Systemd Journal (Persistent Binary Logs)
Platform: Linux | Category: System Configuration | Source: Disk Image
Location
/var/log/journal/<machine-id>/*.journal

Description
Systemd binary journal files aggregating log output from all systemd services, kernel messages, and the stdout/stderr of managed processes. The format supports structured fields, forward-secure sealing (FSS), and indexed querying via journalctl.
Forensic Value
The systemd journal aggregates logs from all sources into a single queryable binary format that may contain entries not present in traditional text log files. Forward-secure sealing (FSS) cryptographically protects log integrity, making tamper detection possible; note that sealing only applies where a sealing key was set up on the host before the events of interest (journalctl --setup-keys), so its absence is common and is not itself suspicious. Journal entries carry structured metadata fields (unit name, PID, UID, priority) that enable precise filtering. Persistent journals in /var/log/journal survive reboots and may retain a longer history than rotated text logs, whereas a volatile journal under /run/log/journal is lost at shutdown.
Tools Required
journalctl, systemd-journal-remote, journal-brief, SIEM (Splunk, Elastic)
Collection Commands

tar (preserve the raw journal files for offline analysis):
tar czf /forensics/output/systemd_journal.tar.gz /var/log/journal/

journalctl (structured export, one JSON object per line):
journalctl --since "2024-01-01" --output json > /forensics/output/journal_export.json

journalctl (integrity check of the journal files, including FSS seals where a key exists):
journalctl --verify > /forensics/output/journal_integrity.txt 2>&1

journalctl (errors and above from the last week):
journalctl -p err --since "7 days ago" > /forensics/output/journal_errors.txt
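The JSON export produced by `journalctl --output json` above is newline-delimited, one object per entry, with the structured fields the Forensic Value section mentions (`_SYSTEMD_UNIT`, `_PID`, `_UID`, `PRIORITY`, `MESSAGE`). The following is an added example, not part of the original page or of the systemd project, showing how an analyst can parse that export offline and filter it by those fields. It also handles two things a naive loader misses: a truncated last line (common when an export is interrupted) and `MESSAGE` values that journalctl emits as an array of byte values when the text is not valid UTF-8. The sample export embedded in the block is constructed for illustration; the field names are the real ones journalctl uses.

```python
import json
from datetime import datetime, timezone

# Constructed sample of a `journalctl --output json` export (one object per line).
# The final line is deliberately truncated to exercise the partial-export path.
SAMPLE_EXPORT = """\
{"__REALTIME_TIMESTAMP":"1704110400000000","_HOSTNAME":"host1","_SYSTEMD_UNIT":"sshd.service","_PID":"812","_UID":"0","PRIORITY":"6","SYSLOG_IDENTIFIER":"sshd","MESSAGE":"Accepted publickey for deploy from 10.0.0.5 port 51234"}
{"__REALTIME_TIMESTAMP":"1704110460000000","_HOSTNAME":"host1","_SYSTEMD_UNIT":"session-4.scope","_PID":"901","_UID":"1001","PRIORITY":"6","SYSLOG_IDENTIFIER":"systemd","MESSAGE":"Started Session 4 of User deploy."}
{"__REALTIME_TIMESTAMP":"1704110520000000","_HOSTNAME":"host1","_SYSTEMD_UNIT":"init.scope","_PID":"1","_UID":"0","PRIORITY":"3","SYSLOG_IDENTIFIER":"systemd","MESSAGE":"Failed to start example.service."}
{"__REALTIME_TIMESTAMP":"1704110580000000","_HOSTNAME":"host1","_SYSTEMD_UNIT":"cron.service","_PID":"450","_UID":"0","PRIORITY":"6","SYSLOG_IDENTIFIER":"cron","MESSAGE":[72,105,255]}
{"__REALTIME_TIMESTAMP":"17041
"""

# syslog priority numbers as used in the journal's PRIORITY field
PRIORITY_NAMES = {0: "emerg", 1: "alert", 2: "crit", 3: "err",
                  4: "warning", 5: "notice", 6: "info", 7: "debug"}


def decode_field(value):
    """journalctl serialises non-UTF-8 field values as a JSON array of byte values."""
    if isinstance(value, list):
        return bytes(value).decode("utf-8", errors="replace")
    return value


def parse_journal_export(text):
    """Parse newline-delimited journalctl JSON into a list of normalised entries.

    Malformed or truncated lines are skipped (and counted) rather than aborting,
    so an interrupted export still yields every complete entry.
    """
    entries = []
    skipped = 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            raw = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1
            continue
        ts_us = int(raw.get("__REALTIME_TIMESTAMP", "0"))  # microseconds since epoch
        entries.append({
            "time": datetime.fromtimestamp(ts_us / 1_000_000, tz=timezone.utc),
            "host": raw.get("_HOSTNAME", ""),
            "unit": raw.get("_SYSTEMD_UNIT", ""),
            "pid": int(raw["_PID"]) if "_PID" in raw else None,
            "uid": int(raw["_UID"]) if "_UID" in raw else None,
            "priority": int(raw.get("PRIORITY", 7)),
            "identifier": raw.get("SYSLOG_IDENTIFIER", ""),
            "message": decode_field(raw.get("MESSAGE", "")),
        })
    return entries, skipped


def filter_entries(entries, unit=None, max_priority=None, uid=None, since=None):
    """Filter on the structured fields; max_priority=3 keeps err and more severe."""
    out = []
    for e in entries:
        if unit is not None and e["unit"] != unit:
            continue
        if max_priority is not None and e["priority"] > max_priority:
            continue
        if uid is not None and e["uid"] != uid:
            continue
        if since is not None and e["time"] < since:
            continue
        out.append(e)
    return out


def count_by_unit(entries):
    """Entry counts per systemd unit, useful for spotting unexpected units."""
    counts = {}
    for e in entries:
        counts[e["unit"]] = counts.get(e["unit"], 0) + 1
    return counts


if __name__ == "__main__":
    entries, skipped = parse_journal_export(SAMPLE_EXPORT)
    print(f"parsed {len(entries)} entries, skipped {skipped} malformed line(s)")
    for e in filter_entries(entries, max_priority=3):
        print(e["time"].isoformat(), PRIORITY_NAMES[e["priority"]],
              e["unit"], e["message"])
    print(count_by_unit(entries))
```

To run it against a real collection, replace `SAMPLE_EXPORT` with the contents of `/forensics/output/journal_export.json`; the `skipped` count is worth recording in the case notes, since a non-zero value means the export did not complete cleanly.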
Collection Constraints
- Paths and log sources vary by distribution, init system, logging stack, and installed packages. Validate the active distro and service set before treating absence as meaningful.
MITRE ATT&CK Techniques
T1070.002, T1059.004, T1543.002