journalctl

journalctl

The journalctl command in Linux is used to query and display logs from the systemd journal, which is the logging system provided by the systemd init system. It is a powerful and flexible tool for managing and viewing system logs, providing features like filtering, searching, and exporting logs.

Understanding journalctl

The journalctl command can access logs collected by the systemd journal service, which includes logs from the kernel, system services, and various other sources.

Basic Usage

To display all logs, simply run:

journalctl

Example Output

Here’s an example of what the journalctl command might return:

-- Logs begin at Mon 2023-04-10 10:12:13 UTC, end at Tue 2023-04-11 12:34:56 UTC. --
Apr 10 10:12:13 myhostname systemd[1]: Starting Journal Service...
Apr 10 10:12:13 myhostname systemd[1]: Started Journal Service.
Apr 10 10:12:13 myhostname kernel: Initializing cgroup subsys cpuset
Apr 10 10:12:13 myhostname kernel: Initializing cgroup subsys cpu
Apr 10 10:12:13 myhostname kernel: Initializing cgroup subsys cpuacct

Key Options

1. -b / --boot: Show logs from the current boot or a specific boot.

   journalctl -b

   To view logs from a previous boot, you can specify the boot ID or an offset:

   journalctl -b -1

2. -k / --dmesg: Show only kernel messages (similar to dmesg).

   journalctl -k

3. -u / --unit [unit]: Show logs from a specific systemd service or unit.

   journalctl -u ssh.service

4. -f / --follow: Follow new log entries in real-time (similar to tail -f).

   journalctl -f

5. -p / --priority [priority]: Show logs with a specific priority level or higher.

   journalctl -p err

   Valid priority levels are: emerg, alert, crit, err, warning, notice, info, and debug.

6. -o / --output [output]: Specify the output format (e.g., short, json, cat, etc.).

   journalctl -o json

7. -n / --lines [number]: Show the last specified number of lines.

   journalctl -n 50

8. --since / --until [time]: Show logs since or until a specific time.

   journalctl --since "2023-05-01 10:00:00" --until "2023-05-01 12:00:00"

9. -S / --since [time]: Show logs since a specific time.

   journalctl -S "2023-05-01 10:00:00"

10. --disk-usage: Show the disk usage of the journal logs.

    journalctl --disk-usage

Practical Examples

1. View Logs from a Specific Boot:

   journalctl -b -1

   This command shows logs from the previous boot.

2. Show Kernel Messages:

   journalctl -k

3. View Logs for a Specific Service:

   journalctl -u apache2.service

4. Follow Logs in Real-Time:

   journalctl -f

5. Filter Logs by Priority:

   journalctl -p warning

6. Output Logs in JSON Format:

   journalctl -o json-pretty

7. View Logs Since a Specific Time:

   journalctl --since "2024-05-30 10:00:00"

8. Check Journal Disk Usage:

   journalctl --disk-usage

Related Commands

1. systemctl: The command to control the systemd system and service manager. Useful for starting, stopping, and managing services.

   systemctl status ssh.service

2. dmesg: Display kernel ring buffer messages.

   dmesg

3. logrotate: A utility to manage the automatic rotation and compression of log files.

   sudo logrotate /etc/logrotate.conf

Conclusion

The journalctl command is a comprehensive tool for managing and querying system logs in systems using systemd. Its powerful filtering and formatting options make it an indispensable tool for system administrators and users who need to troubleshoot and analyze system behavior.

help