Oct 20, 2023 4 min read

How to Use Linux Journalctl Command?

Learn to use the Linux journalctl command with our step-by-step tutorial. Users can browse, filter and examine the systemd journal's log data by using this command.


Introduction

Before we begin talking about how to use the Linux journalctl command, let's briefly understand: what is the journalctl command?

Users can browse, filter, and examine the systemd journal's log data by using the journalctl command. It allows you to filter journal entries by unit or system service, see journal entries for a certain period of time, and view information about journal files.

Unlike text-based logs, the journal stores log data in a binary format that makes finding and filtering easier.

This tutorial will walk you through the basics of using the journalctl command efficiently. We will also address a few FAQs on how to use Linux journalctl command.

How to use the journalctl Command on Linux?

The journalctl command has a variety of uses depending on what you want to do in the end. However, its fundamental syntax is described below:

journalctl [Options…] [Matches…]

The results you see depend on which options you pass to the journalctl command. The "MATCHES" argument, in contrast, filters the journal output according to criteria you specify. Journal entries can be filtered by unit, process ID, syslog priority, and a variety of other fields using matches.

Example 1: Viewing the Entire Journal Entries

All the log data that the systemd journal has logged is referred to as the "Entire Journal" in the context of the journalctl command. This log data contains details such as messages sent during system startup and shutdown, messages from system services, and diagnostic data.

To view all of the journal entries, run the command below:

journalctl

Because this operating system was installed on that day, the data in the image above is from "Nov 15". Scrolling down will reveal the remaining entries, which are displayed in ascending order.

Example 2: Display the Information in Reverse Order

You can use the journalctl command and the '-r' option to examine all the data in reverse or descending order, as shown below:

journalctl -r

You can see in the image above that it is now showing data from "Jan 16," which is the date that this article is being written.

Example 3: Displaying Few Entries

The journalctl command and the "-n" option will only display the number of entries you specify. For instance, you can type the command below to just see the most recent 10 entries:

journalctl -n 10

The above image shows you that only 10 entries are now displayed.

Example 4: Display the Priority Messages

The journalctl command recognizes a variety of message priorities, including emergency, error, alert and critical. As shown below, you can view messages of a given priority by using the "-p" option followed by the priority you want to see:

journalctl -p alert

Example 5: List Boot Entries

Every time a computer is turned on or restarted, a new boot entry is created and logged in the system journal. These "boot entries" refer to the specific instances of the system starting up. These boot entries are recognized by a distinctive "boot ID," which is a group of characters that designates that particular boot instance.

The following command can be entered in the terminal to check the boot entries:

journalctl --list-boots

FAQs to Use Linux Journalctl Command

How can I use journalctl to view system logs? 

The basic command to view system logs is simply journalctl. This will display all available logs starting from the newest entries.

Can I limit the number of log lines displayed by journalctl? 

Yes, you can use the -n option followed by a number to limit the output to a certain number of log lines. For example, journalctl -n 100 will show the last 100 log lines.

How can I view logs from a specific time period using journalctl? 

You can use the --since and --until options along with a timestamp or date-time parameter to view logs from a specified time range. For example, journalctl --since "2022-01-01" --until "2022-01-31" will display logs within that defined period.

Can I filter logs based on specific units or services? 

Yes, you can use the -u <unit_name> option with journalctl to filter logs for a specific systemd unit or service. For example, journalctl -u nginx will show logs related to the NGINX service.

How can I view logs in real time with journalctl? 

You can use the -f option to follow logs in real time. This allows you to continuously monitor the latest log entries as they are added to the journal.

Can I view logs from a remote Linux machine using journalctl?

Yes, you can use the -b option followed by the remote machine's hostname or IP address to view logs from a remote Linux machine. For example, journalctl -b -u sshd my_remote_machine will display logs from the specified machine.

How can I filter logs by priority or severity level with journalctl? 

You can use the -p <priority_level> option to filter logs based on their priority or severity level. For example, journalctl -p err will display logs with an error-level priority or higher.
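The following is an added example, not part of the original tutorial: it applies the equivalents of the -p, -u and --since filters described above to entries in the one-object-per-line form that journalctl -o json prints, to show how the priority threshold and field matches behave. The sample entries are constructed, and the function names text and select are hypothetical.

```python
import json
from datetime import datetime, timezone

# Level names documented for "journalctl -p"; the list index is the numeric syslog level.
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed sample in the shape of "journalctl -o json" output (one object per line).
SAMPLE = """\
{"__REALTIME_TIMESTAMP":"1697790000000000","PRIORITY":"6","_SYSTEMD_UNIT":"nginx.service","MESSAGE":"worker process started"}
{"__REALTIME_TIMESTAMP":"1697790060000000","PRIORITY":"3","_SYSTEMD_UNIT":"nginx.service","MESSAGE":"bind() to 0.0.0.0:80 failed"}
{"__REALTIME_TIMESTAMP":"1697790120000000","PRIORITY":"2","_SYSTEMD_UNIT":"ssh.service","MESSAGE":[102,97,105,108,255]}
{"__REALTIME_TIMESTAMP":"1697790180000000","_SYSTEMD_UNIT":"nginx.service","MESSAGE":"entry without a PRIORITY field"}
"""

def text(msg):
    # The JSON output gives MESSAGE as a list of byte values when it is not valid UTF-8.
    if isinstance(msg, list):
        return bytes(msg).decode("utf-8", "replace")
    return "" if msg is None else str(msg)

def select(lines, priority=None, unit=None, since=None):
    """Apply the equivalents of -p, -u and --since to exported entries."""
    limit = LEVELS.index(priority) if priority else None
    if unit and "." not in unit:
        unit += ".service"  # "-u nginx" is read as nginx.service
    hits = []
    for line in filter(str.strip, lines.splitlines()):
        e = json.loads(line)
        prio = e.get("PRIORITY")
        # Lower number = more severe, so "-p err" keeps levels 0..3.
        # An entry with no PRIORITY field never matches a -p filter.
        if limit is not None and (prio is None or int(prio) > limit):
            continue
        # Simplified: -u also matches messages systemd itself logs about the unit.
        if unit and e.get("_SYSTEMD_UNIT") != unit:
            continue
        ts = datetime.fromtimestamp(int(e["__REALTIME_TIMESTAMP"]) / 1e6, timezone.utc)
        if since and ts < since:
            continue
        level = LEVELS[int(prio)] if prio is not None else "-"
        hits.append((ts.isoformat(), e.get("_SYSTEMD_UNIT"), level, text(e.get("MESSAGE"))))
    return hits

if __name__ == "__main__":
    for hit in select(SAMPLE, priority="err"):
        print(*hit, sep="  ")
```

To run it against a real journal, replace SAMPLE with the captured output of journalctl -o json --no-pager.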

Conclusion

On Linux, the journalctl command is a useful tool for managing and examining system logs. You can use it to read, filter, and examine the systemd journal's log data. One of its main advantages is more effective log data management, because the journal stores log data in a binary format for quicker searching and filtering.

In this tutorial, the journalctl command's use as well as its many options have been covered in detail.

If you have any queries or doubts, please leave them in the comment below. We'll be happy to address them.
