journalctl cheat sheet
Common journalctl options
Long option | Short option | What the option does |
---|---|---|
--disk-usage | | Show size of the archived and active journals |
--follow | -f | Track changes, like tail -f |
--lines= | -n | Show X number of lines (most recent) |
--output= | -o | Define what output format should be used for journal entries |
--reverse | -r | Reverse output, newest on top |
--since= | -S | Limit the data to a specific period (begin) |
--unit | -u | Specify the unit when querying the logs or taking an action |
--until= | -U | Limit the data to a specific period (end) |
--verify | | Integrity check of the journals |
Showing basic details of the journals
The size of the journals can be displayed with --disk-usage, which may be useful when the file system is getting full.
# journalctl --disk-usage
Archived and active journals take up 160.0M in the file system.
To verify the integrity of the journals, use the --verify option.
# journalctl --verify
PASS: /var/log/journal/d8bd6473290d43a9942eaba0a506a454/system@ca889eb2eae24e41b37a50d33bad131c-0000000000000001-00060ed90326924f.journal
PASS: /var/log/journal/d8bd6473290d43a9942eaba0a506a454/user-1000@aeb5e2f412954ecfaa870c245338cb93-00000000000036b8-000611a51acdc7d0.journal
PASS: /var/log/journal/d8bd6473290d43a9942eaba0a506a454/user-1000@aeb5e2f412954ecfaa870c245338cb93-00000000000004e2-00060ed9041f690a.journal
PASS: /var/log/journal/d8bd6473290d43a9942eaba0a506a454/user-1000.journal
PASS: /var/log/journal/d8bd6473290d43a9942eaba0a506a454/system@ca889eb2eae24e41b37a50d33bad131c-0000000000014c26-000613a20f360102.journal
PASS: /var/log/journal/d8bd6473290d43a9942eaba0a506a454/system.journal
PASS: /var/log/journal/d8bd6473290d43a9942eaba0a506a454/user-1000@aeb5e2f412954ecfaa870c245338cb93-0000000000014e03-000613d7a3bb17e3.journal
PASS: /var/log/journal/d8bd6473290d43a9942eaba0a506a454/system@ca889eb2eae24e41b37a50d33bad131c-0000000000003334-0006113d51794916.journal
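An added example, not part of the original cheat sheet: a POSIX shell health check that turns the two outputs shown above into an exit status and a byte count, so they can feed a cron job or monitoring check. The function names check_verify and usage_bytes, the FAIL line format and the placeholder paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical.
# Without a sealing key (--verify-key=), --verify checks internal consistency only.

# check_verify: read `journalctl --verify` output on stdin, report FAIL lines on
# stderr, print a summary; non-zero on any FAIL or when nothing was verified
# (for example when the caller cannot read the journal files).
check_verify() (
    pass=0; fail=0
    while IFS= read -r line; do
        case "$line" in
            "PASS: "*) pass=$((pass + 1)) ;;
            "FAIL: "*) fail=$((fail + 1))
                       printf 'verification failed: %s\n' "${line#FAIL: }" >&2 ;;
        esac
    done
    printf 'verified=%d failed=%d\n' "$pass" "$fail"
    [ "$fail" -eq 0 ] && [ "$pass" -gt 0 ]
)

# usage_bytes: read `journalctl --disk-usage` output on stdin, print size in bytes
# (suffixes B, K, M, G, T as powers of 1024); non-zero if no size was found.
usage_bytes() {
    awk '{ for (i = 1; i + 2 <= NF; i++)
               if ($i == "take" && $(i + 1) == "up") size = $(i + 2) }
         END { m["B"] = 1; m["K"] = 1024; m["M"] = 1024^2; m["G"] = 1024^3; m["T"] = 1024^4
               unit = substr(size, length(size))
               if (size == "" || !(unit in m)) exit 1
               printf "%.0f\n", (size + 0) * m[unit] }'
}

# Live use (assumption: run as root or as a member of systemd-journal):
#   journalctl --verify 2>&1 | check_verify || echo "journal integrity problem"
#   journalctl --disk-usage | usage_bytes

# Constructed sample output; paths and the FAIL reason are placeholders.
SAMPLE_VERIFY='PASS: /var/log/journal/MACHINE-ID/system.journal
FAIL: /var/log/journal/MACHINE-ID/user-1000.journal (Bad message)
PASS: /var/log/journal/MACHINE-ID/system@EXAMPLE.journal'
SAMPLE_USAGE='Archived and active journals take up 160.0M in the file system.'

printf '%s\n' "$SAMPLE_VERIFY" | check_verify || echo "journal integrity problem"
printf '%s\n' "$SAMPLE_USAGE" | usage_bytes
```

A run with zero PASS lines is treated as a failure on purpose, so a permissions problem does not look like a clean result.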
Querying the journals
There are many ways to query the journals. One of them is simply running journalctl and scrolling through the output. But there are better ways!
Query by time or period
Show messages of today with the --since= option and define the period.
journalctl --since="today"
To shorten the period, we can tell it to show only very recent entries of fifteen minutes ago or newer.
journalctl --since="15 minutes ago"
We can also provide a range, with the combination of since and until.
journalctl --since="2024-02-01" --until="2024-04-01"
For troubleshooting it may help to increase the period, but include a unit name to strip out much of the unneeded entries.
journalctl --unit ssh.service --since="1 week ago"
Query by priority or facility
Journalctl can query by priority. Here are the available levels:
Priority level | Name |
---|---|
0 | emerg |
1 | alert |
2 | crit |
3 | err |
4 | warning |
5 | notice |
6 | debug |
7 | info |
Use the short notation, but now include the unit name in the output, and limit messages to a priority (including those with a lower number, meaning a higher priority).
journalctl -S "today" --output=with-unit --priority=err
Only show some levels (notice, debug, and info)
journalctl -p 5..7
When querying by facility, a concept common with syslog, define the right value. To list the available facilities, use ‘help’.
# journalctl --facility=help
Available facilities:
kern
user
mail
daemon
auth
syslog
lpr
news
uucp
cron
authpriv
ftp
12
13
14
15
local0
local1
local2
local3
local4
local5
local6
local7
Query by string
Similar to the grep tool, there are a few options available to search in the journals. It shares the same name, but is an option instead.
journalctl --grep "[bB]lock"
Regular expressions are allowed, so be aware of case-sensitive filtering.
Want to search and not worry about lowercase and uppercase?
journalctl --case-sensitive=false --grep "block"
Query only by priority ERROR
Show only the entries flagged with priority ERROR.
journalctl -p err
Or since last boot:
journalctl -b -p err
Limit output and follow
Journalctl can limit the output to a specific number of lines. To show the last 10 lines, which is equal to --lines=10, we can use -n.
journalctl -n
We can also combine it with a unit, and show only 5 lines.
journalctl -u ssh.service -n 5
To keep track of new additions, we can use the --follow option, similar to tail -f.
journalctl --follow
Cleaning up the journals
When the journal gets too big, decrease its size by performing a vacuum action.
journalctl --vacuum-size=100M
It is also possible to set a time period instead.
journalctl --vacuum-time="4weeks"
Other useful options?
Did I miss something that really should be included in this cheat sheet? Let me know!