When you’re working with Linux systems, particularly those using systemd, journalctl is an essential tool for accessing and managing logs. journalctl provides a powerful and flexible way to query logs, troubleshoot issues, and monitor system events.
In this guide, we’ll walk through everything you need to know about journalctl, from basic commands to advanced filtering techniques.
1. Introduction to journalctl
journalctl is the command-line utility used for querying and displaying logs collected by systemd’s journal service.
These logs include system, service, and kernel messages, as well as logs generated by various services running on your system.
systemd uses a binary log format, and journalctl is the tool to access this format.
This makes journalctl a powerful tool because it can efficiently query large volumes of logs, filter them by various criteria, and display logs in an easy-to-read format.
2. Basic Commands
Here are some basic commands to get started with journalctl:
- View all logs: To view the entire system log (usually logs from the current boot session), simply run:
journalctl
- View logs from the current boot session: To see logs from the current boot only:
journalctl -b
- View logs from the previous boot: To view logs from the previous boot:
journalctl -b -1
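- Follow logs in real-time: To view logs as they come in (like tail -f):
journalctl -f
- Show only new logs: To show only the entries added since the last time the command was run, use a cursor file. journalctl starts after the position saved in the file and updates it when it exits:
journalctl --cursor-file=/path/to/cursor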
3. Filtering Logs
One of the most powerful features of journalctl is its ability to filter logs based on a variety of criteria:
- Filter by Unit (Service): To view logs for a specific service, use:
journalctl -u <service-name>
Example: To view logs for the nginx service:
journalctl -u nginx
- Filter by Priority: Logs have different levels of severity, ranging from emergency messages (level 0) to debug messages (level 7). To filter logs by priority, use the -p flag:
journalctl -p <priority-level>
Example: To view error logs (priority err and anything more severe):
journalctl -p err
You can also use numerical priority values (0 for emerg, 1 for alert, etc.) or named levels such as info, debug, warning, err, crit, and alert.
- Filter by Time: You can filter logs by specific time ranges. Here are a few examples:
- Logs from today:
journalctl --since today
- Logs from the last hour:
journalctl --since "1 hour ago"
- Logs from a specific date:
journalctl --since "2023-01-01" --until "2023-01-02"
- Combining Filters: You can combine multiple filters:
journalctl -u nginx -p err --since "2023-01-01"
4. Viewing Logs by Time
journalctl makes it easy to view logs based on time-related criteria:
- Logs since a specific time: Use the --since option followed by a date, time, or relative time:
journalctl --since "2023-01-01 10:00:00"
- Logs until a specific time: Use the --until option to specify the end time:
journalctl --until "2023-01-02 10:00:00"
- Logs between two times: You can combine --since and --until to view logs between two times:
journalctl --since "2023-01-01 10:00:00" --until "2023-01-01 12:00:00"
- View logs for the past N minutes or hours:
journalctl --since "30 minutes ago"
journalctl --since "2 hours ago"
5. Viewing Logs for Specific Units
If you’re troubleshooting a specific service, journalctl allows you to filter logs based on the systemd unit (service) name:
- Logs for a specific service:
journalctl -u <service-name>
Example: To view logs for the SSH service (sshd):
journalctl -u sshd
- Logs for multiple services:
journalctl -u nginx -u apache2
6. Persistent vs. Volatile Logs
By default, systemd uses volatile logs, which are stored in memory and are lost after a reboot. To make logs persistent across reboots, you need to configure systemd to store logs on disk.
- Check for persistent logging: If /var/log/journal/ exists, logs are being stored persistently. You can check this with:
ls /var/log/journal/
- Enable persistent logging:
- Create the persistent log directory if it doesn’t exist:
sudo mkdir -p /var/log/journal
- Set appropriate permissions:
sudo systemd-tmpfiles --create
- Restart systemd-journald to apply the changes:
sudo systemctl restart systemd-journald
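The directory check above covers journald's default Storage=auto mode; an explicit Storage= setting in journald.conf overrides it. The following added example (not from the original article) goes beyond the directory check and reports the effective mode. The function name journal_persistence is hypothetical, and it assumes only the main /etc/systemd/journald.conf is consulted, not drop-in files.

```bash
#!/usr/bin/env bash
# Added example: report whether journald keeps logs across reboots.
# Assumption: only the main journald.conf is read; drop-in files under
# journald.conf.d/ are not merged here.

journal_persistence() {
  # $1 = filesystem root to inspect ("/" on a live host, a temp dir in tests)
  local root="${1%/}" conf mode
  conf="$root/etc/systemd/journald.conf"
  mode="auto"                       # journald's default Storage= value
  if [ -r "$conf" ]; then
    # The last uncommented Storage= assignment wins; commented lines are ignored.
    mode="$(awk -F= '
      /^[ \t]*Storage[ \t]*=/ { gsub(/[ \t]/, "", $2); v = $2 }
      END { print (v == "" ? "auto" : v) }' "$conf")"
  fi
  case "$mode" in
    persistent) echo "persistent" ;;
    volatile)   echo "volatile" ;;   # memory only, even if the directory exists
    none)       echo "disabled" ;;   # journald stores nothing
    auto)
      if [ -d "$root/var/log/journal" ]; then
        echo "persistent"
      else
        echo "volatile"
      fi ;;
    *)          echo "unknown" ;;
  esac
}

# On a live host:
journal_persistence /
```

A result of volatile or disabled means log evidence from before the last reboot is gone, which matters when the journal is the only record of an incident.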
7. Saving Logs to a File
To save logs to a text file for later analysis, you can redirect the output of journalctl to a file:
- Save logs to a file:
journalctl > /path/to/output.log
- Save logs for a specific unit to a file:
journalctl -u <service-name> > /path/to/output.log
8. Searching Logs
To search for specific terms in logs, you can use the grep command along with journalctl:
- Search for a specific term:
journalctl | grep "search-term"
- Search for logs of a specific service that contain a certain keyword:
journalctl -u nginx | grep "error"
- Case-insensitive search:
journalctl | grep -i "error"
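grep finds matching lines but does not aggregate them. As an added example (not from the original article), the functions below count failed SSH password attempts per source address from journalctl -u sshd -o short-iso output. The function names, host name and sample lines are constructed for illustration, and the addresses come from documentation ranges.

```bash
#!/usr/bin/env bash
# Added example: summarise failed SSH password attempts per source address.
# Real input would come from:
#   journalctl -u sshd --since "1 hour ago" -o short-iso --no-pager

failed_ssh_by_ip() {
  # Reads journal lines on stdin, prints "<count> <address>", highest count first.
  # The username in the message is attacker-controlled, so the address is read
  # from the fixed trailing fields ("from <addr> port <n> ssh2") instead of
  # searching for the first "from" on the line.
  awk '
    /sshd\[[0-9]+\]: Failed password for / &&
    $(NF-4) == "from" && $(NF-2) == "port" { hits[$(NF-3)]++ }
    END { for (ip in hits) print hits[ip], ip }
  ' | sort -k1,1nr -k2,2
}

over_threshold() {
  # $1 = minimum number of failures; prints only the matching addresses.
  awk -v min="$1" '$1 >= min { print $2 }'
}

# Constructed sample lines, not real log data. The third line carries a
# username containing " from 192.0.2.1" to show why trailing fields are used.
sample_log() {
  cat <<'EOF'
2023-01-01T10:00:01+0000 web01 sshd[2101]: Failed password for root from 203.0.113.5 port 51234 ssh2
2023-01-01T10:00:03+0000 web01 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
2023-01-01T10:00:04+0000 web01 sshd[2107]: Failed password for invalid user a from 192.0.2.1 from 203.0.113.5 port 40100 ssh2
2023-01-01T10:02:10+0000 web01 sshd[2110]: Failed password for bob from 198.51.100.7 port 50022 ssh2
2023-01-01T10:02:31+0000 web01 sshd[2110]: Accepted password for bob from 198.51.100.7 port 50022 ssh2
EOF
}

sample_log | failed_ssh_by_ip
```

Piping the result through over_threshold 3 leaves only the addresses worth a closer look.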
9. Using journalctl with Systemd Boot Logs
journalctl also provides powerful tools for viewing logs related to the system boot process. You can use it to troubleshoot issues during system startup.
- View logs from the current boot:
journalctl -b
- View logs from the previous boot:
journalctl -b -1
- View the last boot:
journalctl -b -1
10. Advanced Usage and Troubleshooting
Here are some advanced tips for using journalctl effectively:
- Limit the number of log entries: If you only want to view a limited number of entries (e.g., the last 100 lines):
journalctl -n 100
- Show logs with timestamps in a specific format: You can use -o to specify the output format:
journalctl -o json-pretty
- Show logs from a specific priority:
journalctl -p err
- Clear logs: You can clear old logs from the journal. The following removes archived journal files older than two weeks:
sudo journalctl --vacuum-time=2weeks
Conclusion
journalctl is a powerful and flexible tool that allows system administrators to access and manage logs generated by systemd. Whether you’re troubleshooting issues with specific services, searching