Like systemctl, journalctl is also a systemd utility. It’s used for querying and displaying messages from the journal. Since the journal consists of one or more binary files, journalctl is the standard way to read messages from it.
In the following paragraphs, we will see how journalctl can be used with some of its parameters. Each parameter can be used on its own or combined with other parameters to further narrow the scope of search.
When run without any parameters, the following command will show all journal entries, which can be fairly long:
The entries will start with a banner similar to this which shows the time span covered by the log:
-- Logs begin at Thu 2015-06-25 00:34:38 EDT, end at Sun 2015-06-28 20:30:55 EDT. --
journalctl will stop after displaying each screenful of messages, and you can press PgDn or spacebar to see the next screenful. To quit any time, press q. This works like the standard less command in Linux. Long entries are printed to the width of the screen and truncated off at the end if they don’t fit. The cut-off portion can be viewed using the left and right arrow keys.
To get a full listing of journalctl options, you can visit the journalctl man page.
To see boot-related messages from the current boot, use the -b switch:
To see messages from the last boot, use the -1 modifier; to see boot messages from two boots ago, use -2; and so on. Here, we are trying to see messages from the last boot:
journalctl -b -1
To list the boots of the system, use the following command:
It will show a tabular result like this:
-1 ad5756178e5040d093cd74162d38000f Thu 2015-06-25 00:34:38 EDT-Sat 2015-06-27 21:41:27 EDT
0 7fd49ca34fcf44c59806b2b6f240ae16 Sat 2015-06-27 21:41:30 EDT-Sun 2015-06-28 21:10:00 EDT
The first field is the boot number (0 being the latest boot, -1 being the boot before that, and so on), followed by a Boot ID (a long hexadecimal number), followed by the time stamps of the first and the last messages related to that boot.
To see messages logged within a specific time window, we can use the --since and --until options. The following command shows journal messages logged within the last hour:
journalctl --since "1 hour ago"
To see messages logged in the last two days, the following command can be used:
journalctl --since "2 days ago"
The command below will show messages between two dates and times. All messages logged on or after the since parameter and logged on or before the until parameter will be shown:
journalctl --since "2015-06-26 23:15:00" --until "2015-06-26 23:20:00"
Note that the date and time need to be specified as “YYYY-MM-DD HH:MM:SS”.
To see messages logged by any systemd unit, use the -u switch. The command below will show all messages logged by the nginx web server. You can use the since and until switches here to pinpoint web server errors occurring within a time window:
journalctl -u nginx.service
The -u switch can be used multiple times to specify more than one unit source. For example, if you want to see log entries for both nginx and mysql, the following command can be used:
journalctl -u nginx.service -u mysql.service
Follow or Tail
To run journalctl like the Linux tail command so it continuously prints log messages as they are added, use the -f switch:
The next command “follows” the mysql daemon:
journalctl -u mysql.service -f
To stop following and return to the prompt, press Ctrl+C.
Like the tail command, the -n switch will print the specified number of most recent journal entries. In the command below, we are printing the last 50 messages logged within the last hour:
journalctl -n 50 --since "1 hour ago"
The -r parameter shows journal entries in reverse chronological order so the latest messages are printed first. The command below shows the last 10 messages from the sshd daemon, listed in reverse order:
journalctl -u sshd.service -r -n 10
The -o parameter enables us to format the output of a journalctl query. -o (or --output if we are using the long form parameter name) can take a few values:
json will show each journal entry in json format in one long line.
json-pretty will show each log entry in easy-to-read json format.
verbose will show very detailed information for each journal record with all fields listed.
cat shows messages in very short form, without any date/time or source server names.
short is the default output format: It shows messages in syslog style.
short-monotonic is similar to short, but the time stamp second value is shown with precision. This can be useful when you are looking at error messages generated from more than one source which apparently are throwing error messages at the same time and you want to go to the granular level.
The following command shows the latest output in json-pretty format:
journalctl -u sshd.service -r -n 10 -o json-pretty
One of the journal entries can look like this:
{
    "__CURSOR" : "s=bf93c444c3a2499095953159a3cba8c2;i=40c14;b=fbde6d3112084cd097c250aee3bab030;m=4f30cd3897;t=5199f269b9024;x=a424fc0dd9da81c4",
    "__REALTIME_TIMESTAMP" : "1435546221776932",
    "__MONOTONIC_TIMESTAMP" : "340121172119",
    "_BOOT_ID" : "fbde6d3112084cd097c250aee3bab030",
    "_TRANSPORT" : "syslog",
    "PRIORITY" : "6",
    "SYSLOG_FACILITY" : "10",
    "SYSLOG_IDENTIFIER" : "sshd",
    "MESSAGE" : "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"",
    "_UID" : "0",
    "_GID" : "0",
    "_COMM" : "sshd",
    "_EXE" : "/usr/sbin/sshd",
    "_CMDLINE" : "sshd: root [priv] ",
    "_CAP_EFFECTIVE" : "1fffffffff",
    "_SYSTEMD_CGROUP" : "/system.slice/sshd.service",
    "_SYSTEMD_UNIT" : "sshd.service",
    "_SYSTEMD_SLICE" : "system.slice",
    "_MACHINE_ID" : "fd8cf26e06e411e4a9d004010897bd01",
    "_HOSTNAME" : "test-centos7",
    "SYSLOG_PID" : "32724",
    "_PID" : "32724",
    "_SOURCE_REALTIME_TIMESTAMP" : "1435546221776510"
}
Use the -p switch to filter messages by priority level. To see what priority levels are available, see the section on systemd-journald configuration parameters and the possible MaxLevelStore parameter values. If a single priority level is specified, all messages with that priority level and below are returned. To use a range of priority levels, use the FROM..TO clause. As an example, the command below will output all messages with priority between emergency and critical from the last boot:
journalctl -b -1 -p "crit"
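Combining the JSON output format and the priority filtering described above, as an added example that is not part of the original article: a Python script that reads the one-entry-per-line output of `journalctl -u sshd.service -o json` and counts pam_succeed_if rejections per user. The function names are illustrative and the sample lines are constructed, with the first reusing fields from the sshd entry shown earlier.

```python
import json
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
PAM_USER = re.compile(r'pam_succeed_if\(sshd:auth\): .* not met by user "([^"]+)"')

def message_text(entry):
    """MESSAGE is a string, a list of byte values (non-UTF-8 data) or null."""
    msg = entry.get("MESSAGE")
    if isinstance(msg, list):
        return bytes(msg).decode("utf-8", errors="replace")
    return msg or ""

def realtime(entry):
    """__REALTIME_TIMESTAMP holds microseconds since the Unix epoch, as a string."""
    return EPOCH + timedelta(microseconds=int(entry["__REALTIME_TIMESTAMP"]))

def rejected_users(lines, max_priority=6):
    """Count pam_succeed_if rejections per user, keeping PRIORITY <= max_priority
    (the same cut that a single level passed to -p makes)."""
    hits, first_seen = Counter(), {}
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or partial line in an export
        if int(entry.get("PRIORITY", 6)) > max_priority:
            continue
        match = PAM_USER.search(message_text(entry))
        if match:
            hits[match.group(1)] += 1
            first_seen.setdefault(match.group(1), realtime(entry))
    return hits, first_seen

# Constructed sample input; the first line reuses fields from the entry above.
_msg = 'pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"'
SAMPLE = [
    json.dumps({"__REALTIME_TIMESTAMP": "1435546221776932", "PRIORITY": "6", "MESSAGE": _msg}),
    json.dumps({"__REALTIME_TIMESTAMP": "1435546230000000", "PRIORITY": "6", "MESSAGE": list(_msg.encode())}),
    json.dumps({"__REALTIME_TIMESTAMP": "1435546240000000", "PRIORITY": "7", "MESSAGE": _msg}),
    '{"__REALTIME_TIMESTAMP": "14355462',  # truncated line, skipped by the parser
]

if __name__ == "__main__":
    counts, seen = rejected_users(SAMPLE)
    for user, n in counts.items():
        print(f"{user}: {n} rejection(s), first at {seen[user].isoformat()}")
```

The second sample line carries MESSAGE as a list of byte values, which is how journalctl serializes a field that is not valid UTF-8, so the script decodes it before matching.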
To find all messages related to a particular user, use the UID for that user. In the following example, we are finding the UID of the user mysql:
This returns a line like this:
uid=108(mysql) gid=116(mysql) groups=116(mysql)
And then we are querying the journal for all messages logged by that user:
The output looked like this:
-- Logs begin at Thu 2015-06-25 00:34:38 EDT, end at Sun 2015-06-28 23:16:08 EDT. --
Jun 25 00:53:21 test-ubuntu15 mysqld_safe: 150625 00:53:21 mysqld_safe Can't log to error log and syslog at the same time. Remove all --log-error configuration options for --syslog to take effect.
Jun 25 00:53:21 test-ubuntu15 mysqld_safe: 150625 00:53:21 mysqld_safe Logging to '/var/log/mysql/error.log'.
Jun 25 00:53:21 test-ubuntu15 mysqld_safe: 150625 00:53:21 mysqld_safe Starting mysqld daemon with databases from /var/lib/mysql
Jun 27 21:41:26 test-ubuntu15 mysqld_safe: Could not open required defaults file: /etc/mysql/debian.cnf
Jun 27 21:41:26 test-ubuntu15 mysqld_safe: Fatal error in defaults handling. Program aborted
Jun 27 21:41:26 test-ubuntu15 mysqld_safe: 150627 21:41:26 mysqld_safe mysqld from pid file /var/run/mysqld/mysqld.pid ended
-- Reboot --
Jun 27 21:41:33 test-ubuntu15 mysqld_safe: 150627 21:41:33 mysqld_safe Can't log to error log and syslog at the same time. Remove all --log-error configuration options for --syslog to take effect.
Jun 27 21:41:33 test-ubuntu15 mysqld_safe: 150627 21:41:33 mysqld_safe Logging to '/var/log/mysql/error.log'.
Jun 27 21:41:33 test-ubuntu15 mysqld_safe: 150627 21:41:33 mysqld_safe Starting mysqld daemon with d