Linux journalctl Command to Check System Logs
The journalctl command is a powerful tool for inspecting system logs in Linux.
It provides a unified interface to query and filter systemd journal entries, which include logs from various system components and applications.
Linux journalctl Command Basix Syntax:
journalctl [options]
Command Options:
Option | Description |
---|---|
-f: | Follows the journal, continuously displaying new entries as they are added. |
-p | Filters entries by priority (e.g., emerg, alert, crit, err, warning, info, debug, notice). |
-u | Filters entries for a specific systemd unit (e.g., systemd-networkd). |
-s | Searches for entries containing a specific string. |
-r | Reverses the order of the entries (newest first). |
-n | Displays the last |
-b | Displays entries from the previous boot. |
-b -1 | Displays entries from the second-to-last boot. |
--since= | Displays entries since a specific timestamp. |
--until= | Displays entries until a specific timestamp. |
-o short | Displays entries in a short format. |
-o verbose | Displays entries in a verbose format. |
-o json | Displays entries in JSON format. |
-o table | Displays entries in a table format |
Prerequisites to Use Linux journalctl Command
To start using journalctl command in Linux, your machine needs to meet all the below specifications:
- A Linux VPS running a compatible Linux distribution (e.g., Ubuntu, Debian, CentOS).
- A non-root user with
sudo
privileges. - Access to Terminal.
17 Practical Examples of journalctl Command in Linux
Let’s go through this tutorial to review the explained examples that help in learning how to use Linux journalctl command.
1. Displaying all Logs
To view the most recent journal entries, you must run journalctl
without any options.
These entries are typically from the current boot and include information about system events, errors, and warnings.
Syntax:
journalctl
Example Output:
-- Logs begin at Tue 2024-08-27 00:06:21 CEST, end at Tue 2024-08-27 02:52:24 CEST --
Aug 27 02:52:23 systemd[1]: Stopping journald.service.
Aug 27 02:52:23 systemd[1]: journald.service stopped.
Aug 27 02:52:23 systemd-shutdown[1]: Shutdown initiated.
Aug 27 02:52:23 systemd-shutdown[1]: Sending SIGTERM to processes.
Aug 27 02:52:23 systemd-shutdown[1]: Sending SIGTERM to jobs.
Aug 27 02:52:23 systemd-shutdown[1]: Powering off.
Note: The output is continuously updated as new entries are added to the journal
As you see in the above output, it:
- Includes the start and end times of the journal entries.
- Each line represents a journal entry, with information about the timestamp, systemd unit, and message.
2. Viewing Journal Entries in Reverse Order
The -r
option in journalctl reverses the order of the displayed journal entries.
By default, entries are shown in chronological order (newest first). Adding the -r flag will display them in reverse order (oldest first).
This can be useful for tracing the sequence of events leading up to a particular issue.
Syntax:
journalctl -r
Example Output:
-- Logs begin at Tue 2024-08-27 00:06:21 CEST, end at Tue 2024-08-27 02:52:24 CEST --
systemd-shutdown[1]: Powering off.
systemd-shutdown[1]: Sending SIGTERM to jobs.
systemd-shutdown[1]: Sending SIGTERM to processes.
systemd-shutdown[1]: Shutdown initiated.
systemd[1]: journald.service stopped.
systemd[1]: Stopping journald.service.
systemd-networkd[1]: Network service deactivated.
systemd-networkd[1]: Interface enp0s3: removed.
systemd-networkd[1]: Interface enp0s3: removing.
systemd-networkd[1]: Network service stopped.
...
In this example, the output starts with the final shutdown process and then traces back through the system’s startup sequence.
The output will now show the oldest entries at the top and the newest entries at the bottom.
3. Displaying a Specific Number of Journal Entries
The -n
option in journalctl allows you to specify the number of journal entries to display. It is particularly helpful when dealing with large volumes of journal entries.
This is also useful for limiting the output to a specific range or for quickly reviewing recent events.
Syntax:
journalctl -n <number>
Example:
- Run the command below to view the last 10 journal entries:
journalctl -n 10
This will output the most recent 10 entries, providing a concise overview of recent system activity.
4. Following the Journal in Real Time
The -f
option in journalctl allows you to follow the journal in real time, continuously displaying new entries as they are added.
This is useful for monitoring system activity and troubleshooting issues in real time.
Syntax:
journalctl -f
Example Output:
-- Logs begin at Tue 2024-08-27 00:06:21 CEST, end at Tue 2024-08-27 02:52:24 CEST --
Aug 27 02:52:23 systemd[1]: Stopping journald.service.
Aug 27 02:52:23 systemd[1]: journald.service stopped.
Aug 27 02:52:23 systemd-shutdown[1]: Shutdown initiated.
Aug 27 02:52:23 systemd-shutdown[1]: Sending SIGTERM to processes.
Aug 27 02:52:23 systemd-shutdown[1]: Sending SIGTERM to jobs.
Aug 27 02:52:23 systemd-shutdown[1]: Powering off.
The output will continuously update as new entries are added to the journal.
5. Displays logs with timestamps in UTC
The --utc
option in journalctl allows you to display timestamps in Coordinated Universal Time (UTC) instead of the local time zone.
This is useful for comparing logs across different systems or for analyzing events that occur at specific UTC times.
Display logs in UTC time is also heplful for comparing logs across different systems or for analyzing events that occur at specific UTC times.
Syntax:
journalctl --utc
Example Output:
-- Logs begin at Tue 2024-08-27 00:06:21 CEST, end at Tue 2024-08-27 02:52:24 CEST --
systemd-shutdown[1]: Powering off.
systemd-shutdown[1]: Sending SIGTERM to jobs.
systemd-shutdown[1]: Sending SIGTERM to processes.
systemd-shutdown[1]: Shutdown initiated.
systemd[1]: journald.service stopped.
systemd[1]: Stopping journald.service.
systemd-networkd[1]: Network service deactivated.
systemd-networkd[1]: Interface enp0s3: removed.
systemd-networkd[1]: Interface enp0s3: removing.
systemd-networkd[1]: Network service stopped.
...
The timestamps in the output will now be displayed in UTC format.
By using --utc
, you can ensure that your journal entries are displayed in a consistent time zone, making it easier to analyze and compare data.
6. Displaying Linux kernel logs
The -k
option in journalctl is used to display the journal in a compact format.
This format is designed to be more human-readable and easier to scan than the default verbose output.
This can be especially helpful when dealing with large volumes of journal entries or when you need to quickly identify relevant information.
Syntax:
journalctl -k
Example:
journalctl -k -u networkd
In this example, the output highlights potential errors or warnings related to network connectivity.
You might see messages about failed network interfaces, DHCP lease issues, or other network-related problems.
Example Output:
-- Logs begin at Tue 2024-08-27 00:06:21 CEST, end at Tue 2024-08-27 02:52:24 CEST --
networkd[1]: Network service failed to start.
networkd[1]: Interface enp0s3: failed to bring up interface.
networkd[1]: Network service deactivated.
The -k
option provides a more concise and readable output format.
When you use -k
, the output will be formatted in a way that highlights the most important information, such as the timestamp, unit name, and a truncated version of the message.
7. Accessing All Journal Logs using sudo
The Linux journalctl
command requires specific privileges to access all system journal entries.
By default, only the root user or users with appropriate permissions can view all logs.
Syntax:
sudo journalctl
This command is used to execute the subsequent command with elevated privileges (typically root).
Example:
- Viewing Systemd Unit Logs:
sudo journalctl -u systemd-networkd -f
This command uses sudo
to gain root privileges and then follows the journal for entries related to the systemd-networkd
unit.
This is useful for monitoring network-related events and troubleshooting network connectivity issues.
Example Output:
-- Logs begin at Tue 2024-08-27 00:06:21 CEST, end at Tue 2024-08-27 02:52:24 CEST --
Aug 27 02:52:23 systemd-networkd[1]: Network service stopped.
Aug 27 02:52:23 systemd-networkd[1]: Interface enp0s3: removing.
Aug 27 02:52:23 systemd-networkd[1]: Interface enp0s3: removed.
Aug 27 02:52:23 systemd-networkd[1]: Network service deactivated.
8. Listing Boot Instances using journalctl –list-boots
The --list-boots
option in journalctl is used to list all recorded boot instances. This is helpful for navigating and analyzing logs from different system boots.
You can use these boot numbers to filter journal entries from specific boot instances.
Syntax:
journalctl --list-boots
Example Output:
booted booted_at booted_at_sec
-------- --------------------- -----------------
1 Tue 2024-08-27 00:06:21 1703865181
The output will display a list of boot instances, including the booted
number and the booted_at
timestamp in both human-readable and seconds-since-epoch formats.
Example:
- To view journal entries from the second boot instance, run:
journalctl -b -2
This will display logs from the boot instance with the booted
number of 2.
9. Filter by Unit using journalctl -u service_name
To view logs specific to a particular systemd
service, you can use the -u
option with journalctl
.
Syntax:
journalctl -u <service_name>
The -u
option in journalctl allows you to filter journal entries based on a specific systemd unit. This is useful for isolating logs related to a particular service or process.
Example:
- Run the command below to view logs for the
systemd-networkd
service (which manages network interfaces):
journalctl -u systemd-networkd
The output will display all journal entries related to the systemd-networkd
service. You can use this to troubleshoot network issues or monitor the service’s status.
Note: To search for specific keywords or errors, use journalctl -u <service_name> -s <keyword>
.
10. Filtering Logs by Time Interval
The Linux journalctl
command allows you to filter logs by specific time intervals using the --since
and --until
options, providing a targeted view of system events within a defined timeframe.
Syntax:
journalctl --since=<timestamp> --until=<timestamp>
--since=<timestamp>
: Specifies the start time for the filter.--until=<timestamp>
: Specifies the end time for the filter.
Timestamps can be specified in various formats, including:
ISO 8601: YYYY-MM-DD HH:MM:SS
(e.g., 2024-12-25 12:00:00
)
Relative time: 1 hour ago
, yesterday
, last week
, etc.
Example:
- Use the command below to display logs from the past hour:
journalctl --since 1 hour ago
- To display logs between specific dates and times, run:
journalctl --since 2023-12-25 12:00:00 --until 2024-12-26 08:00:00
Output:
The output will only include journal entries that fall within the specified time interval.
11. Filtering Logs Based on UID, GID, and PID
Syntax:
journalctl --user=<uid> --group=<gid> --pid=<pid>
--user=<uid>
: Filters logs based on the user ID (UID) of the process.--group=<gid>
: Filters logs based on the group ID (GID) of the process.--pid=<pid>
: Filters logs based on the process ID (PID) of the process.
Example:
- To view logs for processes with a UID of 1000, run:
journalctl --user=1000
- Use the command below to view logs for processes belonging to the
sudo
group:
journalctl --group=sudo
- To view logs for a specific process with PID 1234, type:
journalctl --pid=1234
Output:
The output will only include journal entries that match the specified UID, GID, or PID.
12. Checking Disk Space Usage of Journal Logs
The --disk-usage
option in journalctl
provides information about the disk space consumed by the journal.
Syntax:
journalctl --disk-usage
Output:
The output will display the following information:
- Stored: The total size of the journal.
- Rotated: The size of the rotated journal files (if enabled).
- Free: The remaining disk space available for the journal.
Example:
Stored: 1.2G
Rotated: 0B
Free: 10.8G
This output indicates that the journal is currently using 1.2GB of disk space, there are no rotated journal files, and there are 10.8GB of free space remaining for the journal.
Note: To limit the disk space used by the journal, you can configure rotation settings using systemctl edit journald.service
.
13. Filtering Logs for Errors
The -p
option in journalctl allows you to filter logs based on their priority level. Setting -p err
specifically filters for entries with a priority level of “error.”
Syntax:
journalctl -p err
Output:
The output will only include journal entries that have been classified as errors. These entries typically indicate critical issues or problems that require attention.
14. Viewing Recent Journal Entries with journalctl -xe
The -xe
options in journalctl are used to display the last few journal entries in a compact and readable format.
This is particularly useful for quickly reviewing recent system activity.
Syntax:
journalctl -xe
-x
: This option displays the entries in a compact, human-readable format, highlighting key information.-e
: This option ensures that the output is scrolled to the end, showing the most recent entries.journalctl -xe
provides a quick and efficient way to review the most recent journal entries.
Output:
The output is formatted in a compact and readable manner, making it easier to scan and identify relevant information.
15. Filtering Logs using grep
You can use grep command alongside journalctl to extract log entries that contain a specific keyword or phrase.
Syntax:
journalctl | grep <pattern>
By using grep
with journalctl
, you can efficiently search for specific keywords or patterns within your journal entries, making it easier to troubleshoot and analyze system activity.
journalctl
: The command to view journal entries.|
: The pipe character, which passes the output of journalctl to grep.grep
: A command used to search for text patterns.<pattern>
: The pattern you want to search for.
Example:
To search for journal entries containing the word “error”, run:
journalctl | grep error
Output:
The output will only include journal entries that contain the specified pattern.
16. Viewing journal Entries in Verbose Mode
The -o verbose
option in journalctl
displays journal entries in a verbose format, providing additional details about each entry.
This can be helpful for debugging and troubleshooting complex issues.
Syntax:
journalctl -o verbose
Output:
The verbose output includes the following information for each entry:
- Timestamp: The time when the entry was recorded.
- Unit: The systemd unit that generated the entry.
- PID: The process ID (PID) of the unit.
- Message: The detailed message describing the event.
- Priority: The priority level of the message (e.g.,
emerg
,alert
,crit
,err
,warning
,info
,debug
,notice
).
17. Getting Help with journalctl
The --help
option in journalctl provides a detailed usage guide, listing all available options and their descriptions.
This is a valuable resource for understanding the full capabilities of the journalctl
command.
Syntax:
journalctl --help
This will display the complete usage information for the journalctl
command.
Output:
The output will display a comprehensive list of options and their usage, including:
- General options (e.g.,
-f
,-p
,-u
) - Time-based filtering options (e.g.,
--since
,--until
) - Output formatting options (e.g.,
-o short
,-o verbose
) - Other options (e.g.,
--list-boots
,--disk-usage
)
How to Combine journalctl command with more than one Option?
By combining options, you can create highly specific filters to isolate the exact logs you need for troubleshooting or analysis.
To combine multiple options in journalctl for more tailored log viewing, simply separate them with spaces.
Here are some examples:
Filtering by unit and priority
journalctl -u systemd-networkd -p err
This will filter for error messages related to the systemd-networkd
unit.
Filtering by time and keyword
journalctl --since yesterday --until today -s "error"
This will filter for error messages that occurred yesterday.
Combining multiple filters
journalctl -u systemd-networkd -p err --since yesterday --until today -s "failed"
This will filter for error messages related to the systemd-networkd
unit that occurred yesterday and contain the keyword “failed.”
How to view the most recent journal entries?
Simply run journalctl
without any options.
How to filter journal entries by unit?
Use the -u
option followed by the unit name. For example, journalctl -u systemd-networkd
.
How to search for specific keywords in journal entries?
Use the -s
option followed by the keyword or pattern.
For example: journalctl -s "error"
.
How to view journal entries in a specific time range?
Use the --since
and --until
options with timestamps.
For example: journalctl --since yesterday --until today
.
Why journalctl is not working?
To troubleshoot journalctl command, consider:
- Ensure that you have the
systemd
package installed. - Check if the
journald.service
unit is running. If not, start it usingsudo systemctl start journald
.
How to find journal Files?
The journal
files are typically located in /run/log/journal
. You may need to adjust the storage location in the journald.service
unit file.
How to troubleshoot the journal taking up too much space?
Use the --vacuum-size
option to set a maximum size for the journal and automatically delete older entries.
Conclusion
Throughout this guide, we have explored 17 practical examples of the journalctl command in Linux.
By understanding the various options and filters available, you can effectively use journalctl to analyze system logs, troubleshoot issues, and gain valuable insights into your system’s behavior.
Using Linux journalctl command, you will Troubleshoot system issues, Monitor system performance, Audit system activity, and Debug applications.