Magazines is one of the most important sources of information if you encounter any bugs in the Linux operating system. I have said many times previously, and now said again. Earlier in Linux for log retention service uses a separate daemon called syslogd. But with the advent of the init system systemd most of the functions concerning the management of services came under her control. Including and log management.
Now to view logs for a particular service or boot the system you want to use journalctl. In this article we will examine examples of how to use journalctl, and main features of this command and its options. Compared to ordinary log file, journalctl has several advantages. All logs are in one place, they are indexed and structured, so they can be accessed in several convenient formats.
The syntax and options of journalctl
The command syntax is very simple. Simply run the command without options, or by passing it the options you want. If the utility does not output anything, run it as root:
Now let’s look at the main options in journalctl:
- –full-l show all available fields;
- –all, -a show all fields in full withdrawal, even if they include unprintable characters or is too long;
- –pager-end-e – show only last message from the log;
- –lines, -n – number of rows to display on one screen, default 10;
- –no-tail show all lines available lines;
- –reverse, -r – display new events at the beginning of the list.
- –output, -o – sets the output format of a log;
- –output-fields – fields that should be output;
- –catalog, -x – add to the error information explanation, reference to documentation or forums where possible;
- –quiet, -q – do not display any informational messages;
- –merge, -m – show messages from all available journals;
- –boot, -b – show messages since a certain boot. The default is the last download;
- –list-boots – to show a list of saved downloads system;
- –dmesg-k – shows only messages from the kernel. Analog command dmesg;
- –identifier, -t – show messages with the selected identifier;
- –unit, -u, – display messages from a selected service;
- –user-unit is to filter messages of the selected session;
- –priority, -p – to filter messages based on their priority. There are eight priority levels, from 0 to 7;
- –grep, -g – filtering by text message;
- –cursor-c – to start viewing messages with the specified location;
- –since, -S, –until, -U, – filtering by date and time;
- –field, -F – display all the data from the selected field;
- –fields, -N – show all available fields;
- –system – to display system messages;
- –user – print only messages of the user;
- –machine, -M, – display messages from a particular container;
- –header – prints the header fields in the log output;
- –disk-usage – display the total size of log files on disk;
- –list-catalog – show all available clues for errors;
- –sync – sync all saved logs with a file system;
- –flush – to transfer all the data from the directory /run/log/journal to /var/log/journal;
- –rotate – start the rotation of the log;
- –no-pager – display information from the log without the ability to turn pages;
- -f – to display new messages in real time, as in the command tail;
- –vacuum-time is to clear the logs older than the specified period;
- –vacuum-size – to clear the logs to size the storage corresponds.
By default, the log information is output in the format in which it can browse. Let’s look at the shortcuts that you can use for this:
- Down arrow, Enter, e or j to move down one line;
- Up arrow -, y -, or k – move up one line;
- Space – move down one page;
- b – move up one page;
- Right arrow, left arrow – horizontal scrolling;
- g – go to the first line;
- G – go to last line;
- p – go to the position desired percentage of messages. For example, 50p will move the cursor to the middle of the cell.
- / – search the log;
- n – find next occurrence;
- N – previous occurrence;
- q – exit.
Now you know the basic command options and shortcuts which you can use to manage it. Here is a little cheat sheet journalctl.
Cheat sheet for journalctl
The output of journalctl is a whole list of all saved messages. If you run the command journalctl without any parameters, you will get the first messages that were saved. In my case this is the data for January 13:
To find exactly what you need, you must learn to navigate this list. The format of the log output is pretty basic:
Jan 13 20:55:55 sergiy-pc kernel: Linux version 4.15.0-43-generic
- Jan 13 20:55:55 – the date and time of the event;
- sergiy-pc – host where the event occurred;
- kernel – event source, usually a program or service. In this case the core;
- Linux version 4.15.0-43-generic – the message itself.
Let’s move on to examples of filtering and displacement.
1. View logs of the services
The most frequent use journalctl is when you are trying to start a service using systemd, it doesn’t run and systemd gives you that message like follows: Failed to start service use journalctl -xe for details. The system offers you which command to run:
sudo journalctl -xe
As you may remember from the options, this command displays the last message in the log and adds to them additional information, if any. Given that the last thing we did was our service, here are the messages from it and you can quickly understand why it won’t start.
To filter only messages from a specific service, you can use the-u option. For example:
sudo journalctl -eu apache2.service
2. View logs in tail mode
Using the-f option to specify the utility that you need to display new messages in real time:
sudo journalctl -f
In this mode, less is not supported, so to exit, press the key combination Ctrl+C.
3. View logs download
In the journalctl log contains all logs, including logs download. To open a log of the last boot use the-b option:
sudo journalctl -b
View a list of all saved the download with the command:
sudo journalctl -list-boots
Now to view the reports for need download use ID:
sudo journalctl -b 37d5c906c9c6404682f029b2c34ec9dc
4. Filtering by date
With the option –since you can specify the date and time from which you want to display the logs:
sudo journalctl --since "2019-01-20 15:10:10"
Option –until helps to specify what date you want to receive information:
sudo journalctl -e --until "2019-01-20 15:05:50"
Or combine these two options to get the logs for the desired period:
sudo journalctl --since "2019-01-20 15:10:10" --until "2019-01-20 15:05:50"
Except for the date in the format YYYY-MM-DD in these options you can use such words as yesterday, today, and tomorrow. Also a valid design 1 day ago (one day ago) or 3 hours ago (three hours ago). You can also use the signs + and -. For example -1h30min will mean half an hour ago.
5. The kernel log
If you want to view only the kernel messages, use the-k option:
sudo journalctl -ek
6. Configure the output format
By default, journalctl displays information from the utility less, which you can conveniently flip through and view. But the output format can be changed:
- short – is used by default.
- verbose – as well as short, only displays a lot more information;
- the json – output in json format, one log line to one output line;
- json-pretty – formatted json for better perception;
- cat – display only messages without metadata.
To specify the desired format, use the-o option. For example:
sudo journalctl -o json-pretty
sudo journalctl -eo json-pretty
7. Cleaning logs
First we need to see how your logs take up disk space. To do this, use the following command:
sudo journalctl --disk-usage
To reduce the log size, you can use –vacuum-size. For example, if you want your log files held on the disk to 2 GB, run the command:
sudo journalctl --vacuum-size=2G
Now old logs are removed until the total storage capacity will be 2 gigabytes. You can also delete the logs by time. To do this, use the option –vacuum-time. For example, leaving only the logs for last year:
In this article we discussed how to use journalctl in Linux. The presence of this utility in the system does not mean that you can’t use the usual log files. Most of the services like before your main write logs to files, and journalctl log messages are written at the start of the services as well as various system messages.