How to use the command journalctl (with examples)

Journalctl is a command-line utility for querying the systemd journal, which is a centralized collection of logs from a variety of sources on a Linux system. It allows users to view, filter, and analyze log data.

Use case 1: Show all messages with priority level 3 (errors) from this boot

Code:

journalctl -b --priority=3

Motivation: This use case is helpful when troubleshooting errors or issues on a Linux system. By filtering the journal to show only messages with a priority level of 3 (errors), users can easily identify and address problematic areas.

Explanation:

  • -b: Specifies to only show messages from the current boot session.
  • --priority=3: Filters messages by priority level. Level 3 is "err" (errors); when a single level is given, journalctl also shows every more severe level (0 emerg, 1 alert, 2 crit).

Example output:

-- Logs begin at Thu 2022-01-20 08:03:36 UTC, end at Thu 2022-01-20 08:22:02 UTC. --
Jan 20 08:12:12 server kernel: [   10.005245] ERROR: Out of memory!
Jan 20 08:12:12 server systemd-journald[123]: Journal stopped

Use case 2: Show all messages from last boot

Code:

journalctl -b -1

Motivation: This use case allows users to review the log messages from the previous boot, which can be useful for identifying any issues that occurred during that session.

Explanation:

  • -b: Specifies to only show messages from the selected boot session.
  • -1: Refers to the previous boot.

Example output:

-- Logs begin at Thu 2022-01-20 08:03:36 UTC, end at Thu 2022-01-20 08:12:05 UTC. --
Jan 20 08:06:42 server kernel: [   11.005245] INFO: System boot complete.
Jan 20 08:06:42 server systemd[1]: Started Session 123 of user john.

Use case 3: Delete journal logs which are older than 2 days

Code:

journalctl --vacuum-time=2d

Motivation: Over time, the journal logs can accumulate and consume significant storage space. This use case is helpful for managing disk space by deleting older log entries.

Explanation:

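  • --vacuum-time=2d: Sets the age threshold for deletion; archived journal files older than 2 days are removed. Only archived files are vacuumed, the active journal file stays in place. The deletion is permanent, so export any entries needed for audit or incident response first.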

Example output:

Deleted archived journal /var/log/journal/1bb4b…4.journal~ (352.0M).
Deleted archived journal /var/log/journal/1bb4b…5.journal~ (352.0M).

Use case 4: Follow new messages (like tail -f for traditional syslog)

Code:

journalctl -f

Motivation: Similar to tail -f for traditional syslog, this use case helps users monitor the journal in real-time by continuously displaying new log messages as they are written.

Explanation:

  • -f: Enables the follow mode, which continuously shows new log messages.

Example output:

-- Logs begin at Thu 2022-01-20 08:03:36 UTC. --
Jan 20 08:22:15 server kernel: [   16.005245] NOTICE: New login detected.
Jan 20 08:22:17 server sshd[123]: Accepted password for john from 192.168.1.1 port 22 ssh2
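
Added example (not part of the original page): a shell function that reads journalctl's default short output, as shown above, and reports source addresses whose accepted password login was preceded by repeated failed passwords. It goes beyond the single "Accepted password" line above by also parsing sshd's "Failed password" messages; the function names, the threshold default and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Live use (assumed invocation): journalctl -b --no-pager | ssh_login_report 5

ssh_login_report() {
    # $1: failed passwords required before an accepted one is reported (default 3)
    awk -v threshold="${1:-3}" '
    $5 ~ /^sshd\[[0-9]+\]:$/ && $7 == "password" && $8 == "for" &&
    ($6 == "Failed" || $6 == "Accepted") {
        # Find the trailing "from <addr> port <n>". Scanning from the end keeps
        # a client-chosen user name containing "from" from shifting the fields.
        src = ""
        for (i = NF - 2; i > 9; i--)
            if ($i == "from" && $(i + 2) == "port") { src = $(i + 1); at = i; break }
        if (src == "") next
        # The user name starts after "for" or after "for invalid user".
        first = ($9 == "invalid" && $10 == "user") ? 11 : 9
        user = $first
        for (j = first + 1; j < at; j++) user = user " " $j
        if ($6 == "Failed") { failed[src]++; next }
        # Accepted: report it if enough failures came from the same source.
        if (failed[src] >= threshold)
            printf "%s user=%s failed_before=%d at=%s %s %s\n",
                   src, user, failed[src], $1, $2, $3
        failed[src] = 0
    }'
}

# Constructed sample input in journalctl short format (not real log data).
sample_journal() {
    cat <<'EOF'
-- Logs begin at Thu 2022-01-20 08:03:36 UTC. --
Jan 20 08:20:01 server sshd[201]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
Jan 20 08:20:03 server sshd[201]: Failed password for root from 203.0.113.7 port 50122 ssh2
Jan 20 08:20:05 server sshd[202]: Failed password for john from 203.0.113.7 port 50130 ssh2
Jan 20 08:20:09 server sshd[203]: Accepted password for john from 203.0.113.7 port 50144 ssh2
Jan 20 08:22:17 server sshd[123]: Accepted password for john from 192.168.1.1 port 22 ssh2
Jan 20 08:22:30 server kernel: [   16.005245] NOTICE: New login detected.
EOF
}

sample_journal | ssh_login_report 3
```

The same function can sit behind journalctl -f to flag such logins as they are written.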

Use case 5: Show all messages by a specific unit

Code:

journalctl -u unit

Motivation: When troubleshooting a specific service or unit, it is helpful to view all the related log messages. This use case allows users to filter the journal by a specific unit and focus on the relevant logs.

Explanation:

  • -u unit: Specifies the unit name to filter the log messages.

Example output:

-- Logs begin at Thu 2022-01-20 08:03:36 UTC, end at Thu 2022-01-20 08:22:02 UTC. --
Jan 20 08:10:22 server systemd[1]: Starting MyService...
Jan 20 08:10:24 server systemd[1]: Started MyService.

Use case 6: Filter messages within a time range

Code:

journalctl --since today --until "2022-01-20 08:10:00"

Motivation: In some cases, users may want to analyze log messages within a specific time range. This use case allows them to filter the journal by a desired time range.

Explanation:

  • --since today: Specifies the start time of the time range as the beginning of the current day.
  • --until "2022-01-20 08:10:00": Specifies the end time of the time range as a specific date and time.

Example output:

-- Logs begin at Thu 2022-01-20 08:03:36 UTC, end at Thu 2022-01-20 08:10:02 UTC. --
Jan 20 08:08:15 server kernel: [   15.005245] INFO: Network connection established.
Jan 20 08:09:30 server systemd[1]: Starting MyService...

Use case 7: Show all messages by a specific process

Code:

journalctl _PID=pid

Motivation: When investigating issues related to a specific process, users can filter the journal to display all the log messages associated with that particular process, making it easier to identify any relevant errors or warnings.

Explanation:

  • _PID=pid: Filters the log messages by the specified process ID (pid).

Example output:

-- Logs begin at Thu 2022-01-20 08:03:36 UTC, end at Thu 2022-01-20 08:22:02 UTC. --
Jan 20 08:14:42 server kernel: [   20.005245] ERROR: Process with PID 123 encountered a segmentation fault.

Use case 8: Show all messages by a specific executable

Code:

journalctl path/to/executable

Motivation: This use case allows users to view all log messages associated with a specific executable, helping them track any issues or errors related to that particular program.

Explanation:

  • path/to/executable: Specifies the path to the executable to filter the log messages.

Example output:

-- Logs begin at Thu 2022-01-20 08:03:36 UTC, end at Thu 2022-01-20 08:22:02 UTC. --
Jan 20 08:15:24 server kernel: [   21.005245] INFO: Executable "myapp" started successfully.
Jan 20 08:15:45 server myapp[123]: Application initialized.

Conclusion:

The journalctl command provides powerful capabilities for querying the systemd journal and analyzing log data. By utilizing the various options and filters, users can efficiently explore and troubleshoot system events, errors, and specific units or processes.
