journalctl Command in Linux with Examples
The `journalctl` command is part of the systemd suite of utilities and is used to query and display log messages from the systemd journal. The systemd journal is a centralized logging system that collects and stores log data from various sources, including system services, kernel events, and user applications. The journalctl command provides a user-friendly interface to access and retrieve log information, allowing users to effectively monitor system activity and diagnose issues.
Syntax of the `journalctl` command in Linux
The basic syntax of the `journalctl` command is as follows:
journalctl [options] [unit]
Here,
[options] = The various command-line options available to customize the output.
[unit] = The specific system unit or log source to query. If no unit is specified, `journalctl` will display messages from all available units.
Setting the System Time
To set the system time using `timedatectl` and view the changes with `journalctl`, follow these steps:
- Set the System Time:
sudo timedatectl set-time 'YYYY-MM-DD HH:MM:SS'
- Verify the System Time:
timedatectl status
- View Journal Logs: Use `journalctl` to see logs, including those around the time change.
journalctl --since "YYYY-MM-DD HH:MM:SS" --until "YYYY-MM-DD HH:MM:SS"
Replace `YYYY-MM-DD HH:MM:SS` with the appropriate time range.
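A time change can also be confirmed from the journal entries themselves. The following added example (not part of the original article) reads `journalctl -o json` lines and flags points where the wall-clock and monotonic timestamps of consecutive entries in the same boot stop advancing together. The sample rows, the `find_clock_jumps` name and the 2-second threshold are assumptions made for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed sample; boot IDs and timestamps are made up for this example.
BOOT_A, BOOT_B = "a" * 32, "b" * 32
ROWS = [  # (boot id, realtime in microseconds, monotonic in microseconds)
    (BOOT_A, 1717228800000000, 100000000),
    (BOOT_A, 1717228805000000, 105000000),
    (BOOT_A, 1717232405000000, 106000000),  # wall clock stepped ~1 h forward
    (BOOT_A, 1717232406000000, 107000000),
    (BOOT_B, 1717232500000000, 3000000),    # new boot: not compared with boot A
    (BOOT_B, 1717232440000000, 5000000),    # wall clock stepped ~1 min back
]
# Same shape as `journalctl -o json`: one object per line, numbers as strings.
SAMPLE_LINES = [json.dumps({"_BOOT_ID": b, "__REALTIME_TIMESTAMP": str(r),
                            "__MONOTONIC_TIMESTAMP": str(m), "MESSAGE": "constructed"})
                for b, r, m in ROWS]


def to_utc(usec):
    """Journal timestamps are microseconds since the epoch."""
    return datetime.fromtimestamp(usec / 1e6, tz=timezone.utc).isoformat()


def find_clock_jumps(lines, threshold_s=2.0):
    """Return (utc_before, utc_after, offset_seconds) for every wall-clock step.

    Suspend/resume also shows up as a forward step, because the monotonic
    clock does not advance while the machine is suspended.
    """
    jumps, prev = [], None
    for line in lines:
        if not line.strip():
            continue
        entry = json.loads(line)
        try:
            cur = (entry["_BOOT_ID"], int(entry["__REALTIME_TIMESTAMP"]),
                   int(entry["__MONOTONIC_TIMESTAMP"]))
        except (KeyError, TypeError, ValueError):
            continue  # entry lacks the fields needed for the comparison
        if prev and prev[0] == cur[0]:
            # Same boot: both clocks should advance by the same amount.
            offset = ((cur[1] - prev[1]) - (cur[2] - prev[2])) / 1e6
            if abs(offset) > threshold_s:
                jumps.append((to_utc(prev[1]), to_utc(cur[1]), offset))
        prev = cur
    return jumps


if __name__ == "__main__":
    for before, after, offset in find_clock_jumps(SAMPLE_LINES):
        print(f"{before} -> {after}: wall clock moved {offset:+.0f}s")
```

On a real host the input would come from `journalctl -o json --since ... --until ...` piped into the script.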
Working with journalctl command
1. To display all logs
journalctl

This command will display the recent log messages from all units in reverse chronological order, starting from the most recent entries.
2. Reversing the log order
To reverse the order so that the newest entries are displayed first:
journalctl -r

This command displays logs in reverse chronological order, showing the most recent entries at the top.
3. Limiting the number of log entries
If you only want to display a specific number of log entries, you can use the `-n` option followed by the desired number:
journalctl -n 2

This will display just 2 log entries.
4. Filtering logs by keyword
To retrieve log entries containing a specific keyword or phrase, you can use the grep command in combination with journalctl.
journalctl | grep Centaur

This will display all the entries containing the word Centaur in them.
Advanced Usage of the journalctl Command
The `journalctl` command provides additional options and features to further refine log queries and retrieve specific information. Here are a few examples:
1. Filtering logs by priority level
To display log entries based on their priority level, you can use the `-p` option followed by the desired level (e.g., emerg, alert, crit, err, warning, notice, info, or debug). For instance:
journalctl -p warning

This displays all log entries with a priority of warning.
2. Customizing output format
You can modify the format in which log entries are displayed using the `-o` option. For instance, to display verbose output, use:
journalctl -o verbose

This will display the formatted output in verbose mode.
3. Listing system boots
To view information about previous system boots, you can use the --list-boots option.
journalctl --list-boots

This command provides a list of system boots along with their boot IDs and timestamps.
4. Accessing help documentation
To access the journalctl command's help section, you can use the --help option.
journalctl --help

This command displays detailed information about the command's usage, options, and functionalities.
Filtering by Message Interest
To filter logs in `journalctl` by message interest, you can use the `-g` or `--grep` option. This allows you to search for logs containing specific keywords. Here are the steps:
- Basic Filtering by Keyword:
journalctl -g "keyword"
Example: To filter logs containing the keyword "error":
journalctl -g "error"
- Filtering by Keyword within a Time Range:
journalctl -g "keyword" --since "YYYY-MM-DD HH:MM:SS" --until "YYYY-MM-DD HH:MM:SS"
Example: To filter logs containing the keyword "error" from June 1, 2024, 08:00 AM to June 1, 2024, 10:00 AM:
journalctl -g "error" --since "2024-06-01 08:00:00" --until "2024-06-01 10:00:00"
- Filtering by Multiple Keywords (alternatives combined in a single pattern with `|`):
journalctl -g "keyword1|keyword2"
Example: To filter logs containing either "error" or "warning":
journalctl -g "error|warning"
- Filtering by Exact Match:
journalctl -g "^exact_message$"
Example: To filter logs that exactly match the message "Service started":
journalctl -g "^Service started$"
Modifying the Journal Display
To modify the display of logs in `journalctl`, you can use various options to adjust the output format and control what information is shown. Here are some common ways to customize the journal display:
- Default Output: Displays logs in the default format with detailed information.
journalctl
- Output in Short Format: Displays logs in a concise format, showing only the essential details.
journalctl -o short
- Output in JSON Format: Displays logs in JSON format, useful for parsing logs programmatically.
journalctl -o json
- Output in JSON Pretty Format: Displays logs in a human-readable JSON format.
journalctl -o json-pretty
- Output in Verbose Format: Displays logs with the maximum amount of detail.
journalctl -o verbose
- Output with UTC Timestamps: Displays logs with timestamps in UTC rather than local time.
journalctl --utc
- Output with Customized Fields: Displays logs with selected fields using `jq` for JSON parsing (ensure `jq` is installed).
journalctl -o json | jq '.MESSAGE, ._PID, ._COMM'
- Follow Logs in Real-Time: Continuously displays new log entries as they are added (similar to `tail -f`).
journalctl -f
- Display Logs with Color: Displays the last 100 log entries with color highlighting (useful for quickly spotting important logs). Color is controlled through the `SYSTEMD_COLORS` environment variable.
SYSTEMD_COLORS=1 journalctl --output=short-iso --no-pager --lines=100
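When `-o json` output is parsed programmatically, a field is not always a plain string: values with non-UTF-8 or non-printable bytes arrive as arrays of byte numbers, oversized values as `null`, and repeated fields as arrays of strings. The following added example (not from the original article) extracts the same `MESSAGE`, `_PID` and `_COMM` fields as the `jq` command above while handling those cases and escaping control characters; the sample lines and function names are assumptions made for illustration.

```python
import json

# Constructed sample of `journalctl -o json` lines; not from a real host.
SAMPLE_LINES = [
    '{"PRIORITY":"6","_PID":"812","_COMM":"sshd","MESSAGE":"Server listening on port 22."}',
    '{"PRIORITY":"3","_PID":"940","_COMM":"demo","MESSAGE":[98,97,100,32,255,27,91,50,74]}',
    '{"PRIORITY":"4","_PID":"941","_COMM":"demo","MESSAGE":null}',
    '{"PRIORITY":"5","_PID":"942","_COMM":"demo","MESSAGE":["first","second"]}',
]


def printable(text):
    """Escape control characters so log content cannot drive the terminal."""
    return "".join(c if c.isprintable() else c.encode("unicode_escape").decode("ascii")
                   for c in text)


def decode_field(value):
    """Turn any JSON encoding of a journal field into one safe string."""
    if value is None:                      # field exceeded the export size limit
        return "<omitted: field too large>"
    if isinstance(value, str):
        return printable(value)
    if value and all(isinstance(v, int) for v in value):   # raw bytes
        return printable(bytes(value).decode("utf-8", "backslashreplace"))
    return " | ".join(decode_field(v) for v in value)      # repeated field


def select(lines, max_priority=4):
    """Return (priority, _COMM, _PID, MESSAGE) for entries at least as severe
    as max_priority (lower number = more severe; 4 is warning)."""
    rows = []
    for line in lines:
        entry = json.loads(line)
        priority = int(entry.get("PRIORITY", 6))
        if priority <= max_priority:
            rows.append((priority, decode_field(entry.get("_COMM", "")),
                         decode_field(entry.get("_PID", "")),
                         decode_field(entry.get("MESSAGE", ""))))
    return rows


if __name__ == "__main__":
    for row in select(SAMPLE_LINES):
        print(*row, sep="\t")
```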
Journal Maintenance
Maintaining the journal logs in `journalctl` is important to manage disk space and ensure efficient log storage. Here are some key practices for journal maintenance:
Managing Journal Size
- Limit the Size of Journal Logs: Set a maximum size for the journal logs to prevent them from consuming too much disk space.
sudo journalctl --vacuum-size=1G
This command will reduce the size of the logs to 1 GB, removing older logs as needed.
- Limit the Age of Journal Logs: Remove logs older than a specified time.
sudo journalctl --vacuum-time=2weeks
This command will keep logs for the last 2 weeks and delete older entries.
Configuring Persistent Storage
- Enable Persistent Log Storage: By default, `journalctl` may store logs only in memory, in which case they are lost on reboot. To enable persistent storage:
sudo mkdir -p /var/log/journal
sudo systemctl restart systemd-journald
These commands create a directory for persistent logs and restart the journald service.
Compressing Old Logs
- Compress Old Logs: Compressing old logs can save disk space while retaining log information.
sudo journalctl --vacuum-files=5
This command keeps the last 5 archived log files and compresses or deletes older ones.
Viewing Disk Usage
- Check Disk Usage of Journal Logs: To see how much space the journal logs are using:
journalctl --disk-usage
This command displays the current disk usage of the journal logs.
Conclusion
In this article, we have discussed the `journalctl` command in Linux, which is a powerful tool for accessing and analyzing system, kernel, and journal logs. Overall, we can say that by understanding the `journalctl` command and leveraging its capabilities, system administrators and users can gain valuable insights into system activity and resolve issues effectively.