The journalctl command is used to query and view logs from the systemd journal, which is a centralized logging system used by most modern Linux distributions. It provides a structured and comprehensive way to access system logs, including kernel messages, service logs, and other system events.
Basic Usage:
You can use journalctl with various options to filter and display logs in different ways. Here are some common use cases:
View All Logs
To view all available logs, simply run:
1
$ journalctl
Filter by Unit (Service)
To view logs related to a specific service, use the -u or --unit option followed by the service name. For example:
1
2
$ journalctl -u sshd
$ journalctl -u apache
Filter by Time
You can specify a time range to view logs from a specific time interval. For example, to view logs from the last hour:
1
2
3
$ journalctl --since "1 hour ago"
$ journalctl -S "yesterday"
$ journalctl -S "2 hours ago" -U "now"
Real-Time Logging
To continuously monitor and display logs in real-time, use the -f or --follow option:
1
$ journalctl -f
View logs with a specific priority level
Use the -p option to filter logs by priority level. For example, to view only error and critical messages:
1
journalctl -p err -p crit
View logs for a specific user
You can filter logs for a specific user using the _UID field. Replace username with the username you want to filter for.
1
$ journalctl _UID=$(id -u username)
View logs for a specific process ID (PID)
To view logs for a specific process ID, use the _PID field. Replace pid with the process ID you’re interested in.
1
$ journalctl _PID=pid
View logs with specific fields and in a custom format
You can use the --output option to specify the desired output format. For example, to display logs in JSON format:
1
2
3
$ journalctl --output=json
$ journalctl --output=json-pretty
$ journalctl --output=verbose