Show Menu

Journalctl Cheat Sheet by

Query the systemd Journal
linux     systemd     monitoring     system-log

Useful Switches

-f
Show new log entries as they are added.
example: jour­nalctl -u mysql.s­ervice -f
-k
Show kernel messages.
example: Kernel logs from five boots ago;
journalctl -k -b -5
-u
Show messages for specified systemd service.
example: journalctl -u httpd -u apache2
-b
Show current boot messages.
Logs from the last boot, use the -1 modifier; to see boot logs from two boots ago, use -2; and so on. List system boots with: jour­nalctl --list­-bo­ots
-r
Show the messages in reverse order; latest first.
-p
Show the messages by priority
example: jour­nalctl -p err
Shows you all messages marked as error, critical, alert, or emerge­ncy.

Time Ranges

jour­nalctl --since "1 hour ago"
Show journal messages logged within the last hour:
jour­nalctl --since 09:00 --until "1 hour ago"
Show reports starting at 9:00 AM and continuing until an hour ago
jour­nalctl --since yester­day
Show journal messages logged since yesterday:
jour­nalctl --since "2 days ago"
Show logged in the last two days
jour­nalctl --since "­201­7-05-23 23:15:­00" --until "­201­7-05-23 23:20:­00"
All messages logged on or after the since parameter and logged on or before the until parameter will be shown:
*Hint: If components of the above format are left off, some defaults will be applied. For instance, if the date is omitted, the current date will be assumed. If the time component is missing, "­00:­00:­00" (midnight) will be substi­tuted. The seconds field can be left off as well to default to "­00":
 

By Process, User, or Group ID

jour­nalctl _PID=123
Show messages produced by a specific process ID:
*Hint: Find the PID for a specific service:
systemctl status SERVICE
jour­nalctl _UID=100
Show messages belonging to a specific user ID:
example: jour­nalctl _UID=100 _UID=200 --since today
*Hint: You can find your user ID by typing: id -u USERNAME
jour­nalctl _GID=800
Show messages belonging to a specific group ID:

By Priority

You can use either the priority name or its corres­ponding numeric value. In order of highest to lowest priority:
0
emerg
1
alert
2
crit
3
err
4
warn­ing
5
notice
6
info
7
debug
The above numbers or names can be used interc­han­geably with the -p option. Selecting a priority will display messages marked at the specified level and those above it.

Access control and config

usermod -a -G adm USER
Add USER to adm group
* Hint: by default, Journal users can only watch their own logs, unless they are root or in the adm group.
nano /etc/s­yst­emd­/jo­urn­ald.conf
Edit the journal config file
Forwar­dTo­Con­sol­e=yes TTYPat­h=/­dev­/tty12
Forward the Journal to /dev/ttyX
*Hint: Add changes to journal config file
 

Advanced Filtering

jour­nalctl /usr/b­in/­bash
Show messages related to a specific execut­able, specify the full path to the executable
jour­nalctl _HOSTN­AME­=my­host
Show messages for specified hostname.
jour­nalctl _COMM=­ava­hi-­dae­mon
The name, the executable path, and the command line of the process the journal entry originates from
jour­nalctl -F
The -F option can be used to show all of the available values for a given journal field.
jour­nalctl _SE <T­AB>
Tab completion works on fields
jour­nalctl _SELIN­UX_­CON­TEXT= <T­AB>
Tab completion also works on labels in fields
jour­nalctl _SELIN­UX_­CON­TEX­T=s­yst­em_­u:s­yst­em_­r:p­oli­cyk­it_­t:s0
Show messages logged under Policy­Kit's security label.
For a full list of common, well-known fields, see the man page.

Output

Control the formatting of journal entries.
jour­nalctl -o short
The default and generates an output that is mostly identical to the formatting of classic syslog files, showing one line per journal entry.
jour­nalctl -o short-­full
Very similar, but shows timestamps in the format --since= and --until= options
jour­nalctl -o verbose
Show the full-s­tru­ctured entry items with all fields.
jour­nalctl -o json-p­retty
Formats entries as JSON data struct­ures, in multiple lines in order to make them more readable by humans.
jour­nalctl -o export
Serializes the journal into a binary (but mostly text-b­ased) stream suitable for backups and network transfer
Import the binary stream back into native journald format with journal-remote

Download the Journalctl Cheat Sheet

2 Pages
//media.cheatography.com/storage/thumb/airlove_journalctl.750.jpg

PDF (recommended)

Alternative Downloads

Share This Cheat Sheet!

Like this cheat sheet? Check out our sponsors!

Readable.io is a collection of tools to make your writing better. More readable content means higher conversion rates and better reader engagement. Measure website and document readability, measure keyword density and more!

Click Here To Get Started!

 

Comments

No comments yet. Add yours below!

Add a Comment

Your Comment

Please enter your name.

    Please enter your email address

      Please enter your Comment.

          Related Cheat Sheets

          Linux Command Line Cheat Sheet
          systemd Cheat Sheet