Logging: The Ultimate Guide

your open-source resource for understanding, analyzing, and troubleshooting system logs

curated by Loggly


Using journalctl

Like systemctl, journalctl is also a systemd utility. It is used for querying and displaying messages from the journal. Since the journal consists of one or more binary files, journalctl is the standard way to read messages from it.

In the following paragraphs, we will see how journalctl can be used with some of its parameters. Each parameter can be used on its own or combined with other parameters to further narrow the scope of search.

When run without any parameters, the following command will show all journal entries, which can be fairly long:

The entries will start with a banner similar to this, which shows the time span covered by the log:

journalctl will stop after displaying each screenful of messages, and you can press PgDn or the spacebar to see the next screenful. To quit at any time, press q. This works like the standard less command in Linux. Long entries are printed to the width of the screen and truncated at the end if they don't fit. The cut-off portion can be viewed using the left and right arrow keys.

To get a full listing of journalctl options, you can visit the journalctl man page.

Boot Messages

To see boot-related messages from the current boot, use the -b switch:

To see messages from the last boot, use the -1 modifier; to see boot messages from two boots ago, use -2; and so on. Here, we are trying to see messages from the last boot:

To list the boots of the system, use the following command:

It will show a tabular result like this:

The first field is the boot number (0 being the latest boot, -1 being the boot before that, and so on), followed by a Boot ID (a long hexadecimal number), followed by the time stamps of the first and the last messages related to that boot.

Time Ranges

To see messages logged within a specific time window, we can use the --since and --until options. The following command shows journal messages logged within the last hour:

To see messages logged in the last two days, the following command can be used:

The command below will show messages between two dates and times. All messages logged on or after the --since parameter and on or before the --until parameter will be shown:

Note that the date and time need to be specified as "YYYY-MM-DD HH:MM:SS".

By Unit

To see messages logged by any systemd unit, use the -u switch. The command below will show all messages logged by the nginx web server. You can combine it with the --since and --until switches to pinpoint web server errors occurring within a time window:

The -u switch can be used multiple times to specify more than one unit source. For example, if you want to see log entries for both nginx and mysql, the following command can be used:

Follow or Tail

To run journalctl like the Linux tail command so it continuously prints log messages as they are added, use the -f switch:

The next command “follows” the mysql daemon:

To stop following and return to the prompt, press Ctrl+C.

Like the tail command, the -n switch will print the specified number of most recent journal entries. In the command below, we are printing the last 50 messages logged within the last hour:

The -r parameter shows journal entries in reverse chronological order, so the newest messages are printed first. The command below shows the last 10 messages from the sshd daemon, listed in reverse order:

Output Formats

The -o parameter enables us to format the output of a journalctl query. -o (or --output, if we are using the long form of the parameter name) can take a few values:

json will show each journal entry in json format in one long line.

json-pretty will show each log entry in easy-to-read json format.

verbose will show very detailed information for each journal record with all fields listed.

cat shows messages in very short form, without any date/time or source server names.

short is the default output format: It shows messages in syslog style.

short-monotonic is similar to short, but the time stamp's seconds value is shown with sub-second precision. This can be useful when you are looking at error messages generated from more than one source which apparently are throwing error messages at the same time and you want to go down to that granular level.

The following command shows the last output in json-pretty format:

journalctl -u sshd.service -r -n 10 -o json-pretty

One of the journal entries can look like this:

By Priority

Use the -p switch to filter messages by priority level. To see what priority levels are available, see the section on systemd-journald configuration parameters and the possible MaxLevelStore parameter values. If a single priority level is specified, all messages with that priority level and below (that is, that level and anything more severe) are returned. To use a range of priority levels, use the FROM..TO form. As an example, the command below will output all messages with priority between emergency and critical from the last boot:
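The -o json output format and the -p priority rules described above can be reproduced offline. The following shell script is an added example written for this page, not code from the guide or from systemd: it reads journalctl -o json records (one JSON object per line; the SAMPLE_JSON records are constructed for the example, though the field names PRIORITY, _SYSTEMD_UNIT, MESSAGE and __REALTIME_TIMESTAMP are real journal fields), maps the syslog priority names that journalctl -p accepts to their numbers, and applies the same "a single level means that level and everything more severe" and FROM..TO range semantics to select records. The function names prio_num, prio_bounds, json_field and filter_by_priority are the example's own.

```shell
#!/bin/sh
# Added example for this page (not from the guide or systemd): apply
# journalctl's -p priority rules to records in its -o json output.

# Constructed sample of four -o json records (one JSON object per line).
# The field names are real journal fields; the values are made up.
SAMPLE_JSON='{"__REALTIME_TIMESTAMP":"1700000000000000","PRIORITY":"6","_SYSTEMD_UNIT":"sshd.service","MESSAGE":"Accepted publickey for alice"}
{"__REALTIME_TIMESTAMP":"1700000001000000","PRIORITY":"3","_SYSTEMD_UNIT":"nginx.service","MESSAGE":"upstream timed out"}
{"__REALTIME_TIMESTAMP":"1700000002000000","PRIORITY":"2","_SYSTEMD_UNIT":"mysql.service","MESSAGE":"InnoDB: Assertion failure"}
{"__REALTIME_TIMESTAMP":"1700000003000000","PRIORITY":"4","_SYSTEMD_UNIT":"sshd.service","MESSAGE":"Invalid user admin from 203.0.113.5"}'

# Map a syslog priority name (the names journalctl -p accepts) or a
# bare digit to its numeric level: 0 is most severe, 7 least.
prio_num() {
    case "$1" in
        emerg)   echo 0 ;;
        alert)   echo 1 ;;
        crit)    echo 2 ;;
        err)     echo 3 ;;
        warning) echo 4 ;;
        notice)  echo 5 ;;
        info)    echo 6 ;;
        debug)   echo 7 ;;
        [0-7])   echo "$1" ;;
        *) echo "prio_num: unknown priority '$1'" >&2; return 1 ;;
    esac
}

# Turn a -p argument ("LEVEL" or "FROM..TO") into "LOW HIGH" numbers.
# A single LEVEL means 0..LEVEL, i.e. that level and anything more severe.
prio_bounds() {
    case "$1" in
        *..*)
            lo=$(prio_num "${1%%..*}") || return 1
            hi=$(prio_num "${1#*..}") || return 1 ;;
        *)
            lo=0
            hi=$(prio_num "$1") || return 1 ;;
    esac
    echo "$lo $hi"
}

# Extract one string-valued field from a single-line JSON record on stdin.
# Deliberately minimal: it assumes the value holds no escaped quotes.
json_field() {
    sed -n "s/.*\"$1\":\"\([^\"]*\)\".*/\1/p"
}

# Read -o json records on stdin and print, for each record whose PRIORITY
# lies within the -p style bounds, the epoch seconds, unit, level and
# message. __REALTIME_TIMESTAMP is microseconds since the epoch, so the
# last six digits are dropped to get seconds.
filter_by_priority() {
    bounds=$(prio_bounds "$1") || return 1
    lo=${bounds%% *}
    hi=${bounds##* }
    while IFS= read -r rec; do
        p=$(printf '%s\n' "$rec" | json_field PRIORITY)
        [ -n "$p" ] || continue          # skip records with no PRIORITY
        if [ "$p" -ge "$lo" ] && [ "$p" -le "$hi" ]; then
            ts=$(printf '%s\n' "$rec" | json_field __REALTIME_TIMESTAMP)
            unit=$(printf '%s\n' "$rec" | json_field _SYSTEMD_UNIT)
            msg=$(printf '%s\n' "$rec" | json_field MESSAGE)
            printf '%s %s p=%s %s\n' "${ts%??????}" "$unit" "$p" "$msg"
        fi
    done
}

# Usage on the constructed sample (equivalent to journalctl -p err
# over those four records):
printf '%s\n' "$SAMPLE_JSON" | filter_by_priority err
```

The sed-based json_field is enough for the sample and for most MESSAGE values, but journalctl emits MESSAGE as a JSON array of bytes when the text is not valid UTF-8 and escapes embedded quotes, so a production pipeline should hand -o json output to jq rather than to sed.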

By User

To find all messages related to a particular user, use the UID for that user. In the following example, we are finding the UID of the user mysql:

This returns a line like this:

And then we are querying the journal for all messages logged by that user:

The output looks like this:
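Putting the --since/--until, -b, -u and UID filters from the preceding sections together: the shell script below is an added example written for this page, not code from the guide. It validates the "YYYY-MM-DD HH:MM:SS" form before a value reaches --since or --until, resolves a user name to its UID with id -u (the lookup the By User section performs before matching on _UID=), checks that a -b offset is numeric, and only then composes the journalctl argument list, running journalctl when it is installed and otherwise printing the command it would have run. The function names valid_timestamp, uid_of, build_query and run_query, and the -U option, are the example's own.

```shell
#!/bin/sh
# Added example for this page (not from the guide): build a validated
# journalctl query from the filters discussed in this chapter.

# Accept only the "YYYY-MM-DD HH:MM:SS" form the page prescribes for
# --since/--until, and reject impossible months, days and hours.
valid_timestamp() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-1][0-9]-[0-3][0-9]" "[0-2][0-9]:[0-5][0-9]:[0-5][0-9]) ;;
        *) return 1 ;;
    esac
    mon=${1#*-};   mon=${mon%%-*}
    day=${1#*-*-}; day=${day%% *}
    hour=${1#* };  hour=${hour%%:*}
    [ "$mon" -ge 1 ] && [ "$mon" -le 12 ] && [ "$day" -ge 1 ] && [ "$day" -le 31 ] && [ "$hour" -le 23 ]
}

# Resolve a user name to a numeric UID; fail on unknown names or odd output.
uid_of() {
    uid=$(id -u "$1" 2>/dev/null) || return 1
    case "$uid" in ''|*[!0-9]*) return 1 ;; esac
    echo "$uid"
}

# Compose a journalctl argument list from validated inputs, one argument
# per output line so run_query can pass them on verbatim.
# usage: build_query [-b OFFSET] [-u UNIT]... [-U USER] [--since TS] [--until TS]
build_query() {
    while [ $# -gt 0 ]; do
        case "$1" in
            -b)
                off=${2#-}   # -b 0 is the current boot, -b -1 the previous one
                case "$off" in ''|*[!0-9]*) echo "bad boot offset: $2" >&2; return 1 ;; esac
                echo "-b"; echo "$2"; shift 2 ;;
            -u)
                echo "-u"; echo "$2"; shift 2 ;;
            -U)
                uid=$(uid_of "$2") || { echo "unknown user: $2" >&2; return 1; }
                echo "_UID=$uid"; shift 2 ;;
            --since|--until)
                valid_timestamp "$2" || { echo "bad timestamp: $2" >&2; return 1; }
                echo "$1=$2"; shift 2 ;;
            *)
                echo "unknown option: $1" >&2; return 1 ;;
        esac
    done
}

# Run the composed query when journalctl exists; otherwise show it.
run_query() {
    args=$(build_query "$@") || return 1
    set -f                       # no globbing while re-splitting on newlines
    oldifs=$IFS
    IFS='
'
    set -- $args
    IFS=$oldifs; set +f
    if command -v journalctl >/dev/null 2>&1; then
        journalctl --no-pager "$@"
    else
        printf 'journalctl --no-pager'; printf " '%s'" "$@"; echo
    fi
}

# Example invocation:
# run_query -b 0 -u sshd.service --since '2024-03-05 14:00:00' --until '2024-03-05 15:00:00'
```

Validating the inputs before they reach journalctl matters most when the wrapper is driven by another program or a web form: a malformed time is rejected with a clear message instead of being silently interpreted by journalctl's permissive date parser, and the UID match is always built from a number that id -u returned.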

Written & Contributed by Sadequl
