How to Read Linux System Logs using Journalctl – Guide
Journalctl is a utility for querying and viewing logs from journald, the systemd log service. Because journald stores log data in binary format rather than plain text, journalctl is the standard method for reading log messages processed by journald. In the following sections, we’ll show you several ways you can use journalctl to get, format, and parse your logs. These methods can be used alone or in combination with other commands to refine your search. For a complete list of journalctl options, see the Journalctl man page. To get started using journalctl, first make sure that journald is running on your system:
systemctl status systemd-journald
If you are not already familiar with using journalctl, we recommend reading our introductory article on the subject before continuing.
To query your logs now:
journalctl -f
This will display all of the logs that have been stored since your last reboot or system shutdown. You can also use -b (or --boot) to display only boot-related logs:
journalctl -b
You can also filter logs by time using the --since and --until options:
journalctl -f --since "1 day ago"
Some of the most attractive benefits of systemd relate to process and system logging. With other tools, logs are typically scattered across the system, handled by multiple daemons and processes, and can be quite difficult to interpret when they span multiple applications. systemd tries to solve these problems by providing a centralized management solution for logging all kernel and user processes. The system that collects and manages these logs is called the journal. The journal is implemented by the journald daemon, which processes all messages generated by the kernel, the initrd, services, and so on. In this guide, we discuss using the journalctl utility to access and manipulate the data kept in the journal.
Using journalctl for the first time
journalctl -u username
Default log format and ordering
journalctl -l
This will show you the logs for the server on localhost, as well as the process name and message for each log.
Debian sshd[15844]: pam_unix(sshd:session): session opened for user example_user by (uid=0)
-r
Paging your records
journalctl pipes its output to the less command, which displays your logs one page at a time in your terminal. If a log line exceeds the horizontal width of your terminal window, you can use the left and right arrow keys to scroll horizontally and see the rest of the line.
- Logs can be browsed and searched using the following key commands: “log -a”, “log -b”, “log -c”, and “log -d”.
- The “log” command can also be used to view all the logs in a particular directory.
View journalctl without pagination
journalctl --no-pager
It is not recommended that you perform this action without first filtering the number of logs shown.
Monitor new log messages
journalctl -f
The less key commands are not available in this mode. Press Ctrl-C to return to the command prompt.
Filter journalctl output
Journalctl is a powerful tool that allows you to search your logs for specific messages. You can use filters to narrow the output, and you can also use the --no-pager and -f options to disable pagination and focus on just the latest log messages.
Show records within a time range
Since Tue, Apr 1 10:00:00 PDT 2016 This command shows logs for the past 10 hours.
This command prints the last 10 minutes of activity on the system.
Logs up to the specified date and time will be displayed.
journalctl --until "2018-09-02 12:05:50"
On January 1st, 2017 at 10:00 PM, the server logged into the account of user “jane” On January 2nd, 2017 at 10:00 PM, the server logged out of the account of user “jane”
On August 30, 2018 at 14:10:10 UTC, journalctl started. On September 2, 2018 at 12:05:50 UTC, journalctl ended.
All dates and times must be specified in the correct format. If the time is omitted (that is, only the date is specified), the time is assumed to be midnight.
-d “1/1/2015” will return 1 January 2015 -d “1/15/2015” will return 15 January 2015 -d “1/1/2015 10:00 PM” will return 1 January 2015 at 10 PM -d “12/25/2014 12:00 AM” will return 25 December 2014 at 12 AM
Yesterday is the day before today. Today is the day of the present. Tomorrow is the day after today.
The time stamp on a post is important to remember when trying to figure out when something happened. Terms like “1 day ago” or “3 hours ago” are recognized by the site and can be used in place of a timestamp.
The - and + symbols can be used to specify relative dates. For example, -1h15min specifies 1 hour and 15 minutes ago and +3h30min specifies 3 hours and 30 minutes in the future.
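A time-window query is most useful when its output is reduced to the events you care about. The script below is an added example, not part of the original guide: it counts sshd "session opened" events per user from output in the default format shown earlier. The function names are hypothetical, the sample lines are constructed, and the window in the final comment reuses the two timestamps mentioned above.

```shell
#!/bin/sh
# Added example: count sshd session-open events per user from journalctl's
# default (short) output. Function names are hypothetical.

# Constructed sample lines in the default format; not real log data.
sample_journal() {
cat <<'EOF'
Sep 01 09:14:02 Debian sshd[15844]: pam_unix(sshd:session): session opened for user example_user by (uid=0)
Sep 01 09:20:45 Debian sshd[15844]: pam_unix(sshd:session): session closed for user example_user
Sep 01 22:03:11 Debian sshd[16102]: pam_unix(sshd:session): session opened for user root by (uid=0)
Sep 02 01:47:30 Debian sshd[16377]: pam_unix(sshd:session): session opened for user example_user(uid=1000) by (uid=0)
Sep 02 01:50:00 Debian cron[16400]: pam_unix(cron:session): session opened for user root by (uid=0)
EOF
}

# Print "month day time pid user" for every sshd "session opened" line on stdin.
session_opens() {
    awk '
    $5 ~ /^sshd\[[0-9]+\]:$/ && /session opened for user/ {
        pid = $5; gsub(/[^0-9]/, "", pid)
        user = ""
        for (i = 6; i < NF; i++) if ($i == "user") { user = $(i + 1); break }
        sub(/\(uid=[0-9]+\)$/, "", user)   # some PAM versions append (uid=N)
        print $1, $2, $3, pid, user
    }'
}

# Print "count user", highest count first; non-sshd lines are ignored.
opens_per_user() {
    session_opens | awk '{ n[$5]++ } END { for (u in n) print n[u], u }' |
        sort -k1,1nr -k2,2
}

# Live query over a time window; $1 and $2 are --since / --until values.
live_opens() {
    journalctl -t sshd --since "$1" --until "$2" --no-pager | opens_per_user
}

sample_journal | opens_per_user
# On a systemd host: live_opens "2018-08-30 14:10:10" "2018-09-02 12:05:50"
```

Logins at unusual hours or for unexpected accounts stand out quickly once the window is narrowed this way.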
Final note
Journalctl is a powerful tool to read Linux system logs. It provides a convenient way to view logs in a chronological order and search for specific messages. This guide will show you how to use Journalctl to read system logs.