Cyberithub

32 Best Journalctl Command Examples in Linux(RedHat/CentOS) Part – 1

In this article, i will take you through 32 Best journalctl command examples in Linux. journalctl command is used for querying all the logged messages generated by Systemd Services. You can always use this command when you see some Systemd services getting failed or not starting due to some issue. You can easily query the Systemd logs using journalctl command and get the relevant information to find the root cause of any issues.

This tool can be very handy and is the most widely used tool in larger Organization and Firms to troubleshoot the Systemd Services Error. I will take you through all the important available options that you can be used with journalctl command to query Systemd Log messages.

32 Best Journalctl Command Examples in Linux(RedHat/CentOS) Part - 1 1

journalctl command in Linux

Also Read: 30 Useful Commands to Manage Systemd Services through Systemctl

1. Check journalctl version

You can use --version option to check the version of journalctl command.

[root@localhost ~]# journalctl --version
systemd 219
+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 -SECCOMP +BLKID +ELFUTILS +KMOD +IDN

2. Show all journalctl log fields

You need to use --all option to check the complete Systemd logs with all the fields showing as shown in the below output. Here output will be in long format as it will show everything.

[root@localhost ~]# journalctl --all
-- Logs begin at Mon 2020-03-09 16:20:16 UTC, end at Tue 2020-03-10 09:56:48 UTC. --
Mar 09 16:20:16 localhost systemd-journal[133]: Runtime journal is using 8.0M (max allowed 1.5G, trying to leave 2.3G free of 15.6G available → current limit 1.5G).
Mar 09 16:20:16 localhost kernel: Initializing cgroup subsys cpuset
Mar 09 16:20:16 localhost kernel: Initializing cgroup subsys cpu
Mar 09 16:20:16 localhost kernel: Initializing cgroup subsys cpuacct
Mar 09 16:20:16 localhost kernel: Linux version 3.10.0-1062.12.1.el7.x86_64 (mockbuild@kbuilder.bsys.centos.org) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC) ) #1 SMP Tue Feb 4 23:02:59 UTC 2020
Mar 09 16:20:16 localhost kernel: Command line: BOOT_IMAGE=/boot/vmlinuz-3.10.0-1062.12.1.el7.x86_64 root=UUID=f41e390f-835b-4223-a9bb-9b45984ddf8d ro console=tty0 console=ttyS0,115200n8 crashkernel=auto console=ttyS0,115200 LANG=en_US.UTF-8
Mar 09 16:20:16 localhost kernel: e820: BIOS-provided physical RAM map:
Mar 09 16:20:16 localhost kernel: BIOS-e820: [mem 0x0000000000000000-0x000000000009dfff] usable
Mar 09 16:20:16 localhost kernel: BIOS-e820: [mem 0x000000000009e000-0x000000000009ffff] reserved
Mar 09 16:20:16 localhost kernel: BIOS-e820: [mem 0x00000000000e0000-0x00000000000fffff] reserved
Mar 09 16:20:16 localhost kernel: BIOS-e820: [mem 0x0000000000100000-0x00000000efffffff] usable
Mar 09 16:20:16 localhost kernel: BIOS-e820: [mem 0x00000000fc000000-0x00000000ffffffff] reserved
Mar 09 16:20:16 localhost kernel: BIOS-e820: [mem 0x0000000100000000-0x000000080fffffff] usable

3. Show Recent Logs Continuously

If you want to see the recent logs generating continuously, then you need to use -f option as shown below. It will keep appending the recent logs and shows the output continuously.

[root@localhost ~]# journalctl -f
-- Logs begin at Mon 2020-03-09 16:20:16 UTC. --
Mar 10 10:01:03 localhost.us-west-2.compute.internal dockerd[2637]: time="2020-03-10T10:01:03.941935782Z" level=warning msg="unknown container" container=24120967295dfd2e975afd5e17f6e053062d2f08da4dfa584a3288a553131ad0 module=libcontainerd namespace=plugins.moby
Mar 10 10:01:03 localhost.us-west-2.compute.internal dockerd[2637]: time="2020-03-10T10:01:03.957711633Z" level=warning msg="unknown container" container=24120967295dfd2e975afd5e17f6e053062d2f08da4dfa584a3288a553131ad0 module=libcontainerd namespace=plugins.moby
Mar 10 10:01:06 localhost.us-west-2.compute.internal dockerd[2637]: time="2020-03-10T10:01:06.293649643Z" level=warning msg="unknown container" container=f27b0124867a5aef799fff85708a02ae60c71abf93bd3b44ce404a21655cbb2a module=libcontainerd namespace=plugins.moby
Mar 10 10:01:06 localhost.us-west-2.compute.internal dockerd[2637]: time="2020-03-10T10:01:06.310383214Z" level=warning msg="unknown container" container=f27b0124867a5aef799fff85708a02ae60c71abf93bd3b44ce404a21655cbb2a module=libcontainerd namespace=plugins.moby
Mar 10 10:01:11 localhost.us-west-2.compute.internal dockerd[2637]: time="2020-03-10T10:01:11.567483031Z" level=warning msg="unknown container" container=7fe17cd1577eeb44721627dcc5a87bdb725e59fabcaadafb24bad4939fe32b30 module=libcontainerd namespace=plugins.moby
Mar 10 10:01:11 localhost.us-west-2.compute.internal dockerd[2637]: time="2020-03-10T10:01:11.583299030Z" level=warning msg="unknown container" container=7fe17cd1577eeb44721627dcc5a87bdb725e59fabcaadafb24bad4939fe32b30 module=libcontainerd namespace=plugins.moby
Mar 10 10:01:16 localhost.us-west-2.compute.internal dockerd[2637]: time="2020-03-10T10:01:16.240973297Z" level=warning msg="unknown container" container=1b5943653d8cbf1e3dc72a1930f37749a4bfd31c3ced3055e4dd712cd60a393a module=libcontainerd namespace=plugins.moby

4. Show output for docker user

If you want to see all the logs for a specific user, then you need to use -u option as shown below. In this example, I am checking all the logs generated for User docker.

[root@localhost ~]# journalctl -u docker
-- Logs begin at Mon 2020-03-09 16:20:16 UTC, end at Tue 2020-03-10 10:02:18 UTC. --
Mar 09 16:20:26 localhost.us-west-2.compute.internal systemd[1]: Starting Docker Application Container Engine...
Mar 09 16:20:26 localhost.us-west-2.compute.internal dockerd[2260]: time="2020-03-09T16:20:26.340364044Z" level=warning msg="could not change group /var/run/dock
Mar 09 16:20:26 localhost.us-west-2.compute.internal dockerd[2260]: time="2020-03-09T16:20:26.346591232Z" level=info msg="libcontainerd: started new docker-conta
Mar 09 16:20:26 localhost.us-west-2.compute.internal dockerd[2260]: time="2020-03-09T16:20:26Z" level=info msg="starting containerd" module=containerd revision=8
Mar 09 16:20:26 localhost.us-west-2.compute.internal dockerd[2260]: time="2020-03-09T16:20:26Z" level=info msg="setting subreaper..." module=containerd
Mar 09 16:20:26 localhost.us-west-2.compute.internal dockerd[2260]: time="2020-03-09T16:20:26Z" level=info msg="changing OOM score to -500" module=containerd
Mar 09 16:20:26 localhost.us-west-2.compute.internal dockerd[2260]: time="2020-03-09T16:20:26Z" level=info msg="loading plugin "io.containerd.content.v1.content"

5. Show User Recent Logs

If you want to see only the recent logs from reverse output for user docker, then you need to use -ru option as shown below. It will only show the logs generated for user docker.

[root@localhost ~]# journalctl -ru docker
-- Logs begin at Mon 2020-03-09 16:20:16 UTC, end at Tue
2020-03-10 10:03:16 UTC. --
Mar 10 10:03:16 localhost.us-west-2.compute.internal dockerd[2637]: time="2020-03-10T10:03:16.258141655Z" level=warning msg="unknown container" container=1b59436
Mar 10 10:03:16 localhost.us-west-2.compute.internal dockerd[2637]: time="2020-03-10T10:03:16.241620678Z" level=warning msg="unknown container" container=1b59436
Mar 10 10:03:11 localhost.us-west-2.compute.internal dockerd[2637]: time="2020-03-10T10:03:11.582332316Z" level=warning msg="unknown container" container=7fe17cd
Mar 10 10:03:11 localhost.us-west-2.compute.internal dockerd[2637]: time="2020-03-10T10:03:11.565574818Z" level=warning msg="unknown container" container=7fe17cd
Mar 10 10:03:06 localhost.us-west-2.compute.internal dockerd[2637]: time="2020-03-10T10:03:06.310758910Z" level=warning msg="unknown container" container=f27b012

6. Show time in UTC

If you want journalctl to show the time in UTC, then you need to use --utc option as shown below.

[root@localhost ~]# journalctl --utc
-- Logs begin at Mon 2020-03-09 16:20:16 GMT, end at Tue 2020-03-10 10:04:36 GMT. --
Mar 09 16:20:16 localhost systemd-journal[133]: Runtime journal is using 8.0M (max allowed 1.5G, trying to leave 2.3G free of 15.6G available → current limit 1.5G).
Mar 09 16:20:16 localhost kernel: Initializing cgroup subsys cpuset
Mar 09 16:20:16 localhost kernel: Initializing cgroup subsys cpu
Mar 09 16:20:16 localhost kernel: Initializing cgroup subsys cpuacct
Mar 09 16:20:16 localhost kernel: Linux version 3.10.0-1062.12.1.el7.x86_64 (mockbuild@kbuilder.bsys.centos.org) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC) )
Mar 09 16:20:16 localhost kernel: Command line: BOOT_IMAGE=/boot/vmlinuz-3.10.0-1062.12.1.el7.x86_64 root=UUID=f41e390f-835b-4223-a9bb-9b45984ddf8d ro console=tty0 cons
Mar 09 16:20:16 localhost kernel: e820: BIOS-provided physical RAM map:

7. Show output in JSON Format

You can also check the output in JSON format by using -o json option as shown below.

[root@localhost ~]# journalctl -o json
{ "__CURSOR" : "s=7f4235df39a949b0b1384935107baaf0;i=1;b=b9ffa520de304b60922f3e30352bd9bb;m=21f430;t=5a06e60efe707;x=a3f611316212c3d4", "__REALTIME_TIMESTAMP" : "158377
{ "__CURSOR" : "s=7f4235df39a949b0b1384935107baaf0;i=2;b=b9ffa520de304b60922f3e30352bd9bb;m=21f491;t=5a06e60efe768;x=5ddb8b4268751f4", "__REALTIME_TIMESTAMP" : "1583770
{ "__CURSOR" : "s=7f4235df39a949b0b1384935107baaf0;i=3;b=b9ffa520de304b60922f3e30352bd9bb;m=21f4a8;t=5a06e60efe77e;x=dd7708cec6912773", "__REALTIME_TIMESTAMP" : "158377
{ "__CURSOR" : "s=7f4235df39a949b0b1384935107baaf0;i=4;b=b9ffa520de304b60922f3e30352bd9bb;m=21f4b6;t=5a06e60efe78d;x=ff625ef0f935a2df", "__REALTIME_TIMESTAMP" : "158377
{ "__CURSOR" : "s=7f4235df39a949b0b1384935107baaf0;i=5;b=b9ffa520de304b60922f3e30352bd9bb;m=21f4c0;t=5a06e60efe797;x=4a2cc41df3716a8", "__REALTIME_TIMESTAMP" : "1583770
{ "__CURSOR" : "s=7f4235df39a949b0b1384935107baaf0;i=6;b=b9ffa520de304b60922f3e30352bd9bb;m=21f4cc;t=5a06e60efe7a3;x=3968329d14a0dde4", "__REALTIME_TIMESTAMP" : "158377

8. Show Interleaved Logs

If you want to see all the logs interleaved from all the available journals, then you need to use -m option as shown below.

[root@localhost ~]# journalctl -m
-- Logs begin at Mon 2020-03-09 16:20:16 UTC, end at Tue 2020-03-10 10:10:46 UTC. --
Mar 09 16:20:16 localhost systemd-journal[133]: Runtime journal is using 8.0M (max allowed 1.5G, trying to leave 2.3G free of 15.6G available → current limit 1.5G).
Mar 09 16:20:16 localhost kernel: Initializing cgroup subsys cpuset
Mar 09 16:20:16 localhost kernel: Initializing cgroup subsys cpu
Mar 09 16:20:16 localhost kernel: Initializing cgroup subsys cpuacct
Mar 09 16:20:16 localhost kernel: Linux version 3.10.0-1062.12.1.el7.x86_64 (mockbuild@kbuilder.bsys.centos.org) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC) )
Mar 09 16:20:16 localhost kernel: Command line: BOOT_IMAGE=/boot/vmlinuz-3.10.0-1062.12.1.el7.x86_64 root=UUID=f41e390f-835b-4223-a9bb-9b45984ddf8d ro console=tty0 cons
Mar 09 16:20:16 localhost kernel: e820: BIOS-provided physical RAM map:
Mar 09 16:20:16 localhost kernel: BIOS-e820: [mem 0x0000000000000000-0x000000000009dfff] usable
Mar 09 16:20:16 localhost kernel: BIOS-e820: [mem 0x000000000009e000-0x000000000009ffff] reserved
Mar 09 16:20:16 localhost kernel: BIOS-e820: [mem 0x00000000000e0000-0x00000000000fffff] reserved
Mar 09 16:20:16 localhost kernel: BIOS-e820: [mem 0x0000000000100000-0x00000000efffffff] usable
Mar 09 16:20:16 localhost kernel: BIOS-e820: [mem 0x00000000fc000000-0x00000000ffffffff] reserved
Mar 09 16:20:16 localhost kernel: BIOS-e820: [mem 0x0000000100000000-0x000000080fffffff] usable

9. Show bootable messages

If you only want to see all boot messages, then you need to use -b option as mentioned below. Here we are not using any argument with -b option so it will only show the current boot messages.

[root@localhost ~]# journalctl -b
-- Logs begin at Mon 2020-03-09 16:20:16 UTC, end at Tue 2020-03-10 10:12:18 UTC. --
Mar 09 16:20:16 localhost systemd-journal[133]: Runtime journal is using 8.0M (max allowed 1.5G, trying to leave 2.3G free of 15.6G available → current limit 1.5G).
Mar 09 16:20:16 localhost kernel: Initializing cgroup subsys cpuset
Mar 09 16:20:16 localhost kernel: Initializing cgroup subsys cpu
Mar 09 16:20:16 localhost kernel: Initializing cgroup subsys cpuacct
Mar 09 16:20:16 localhost kernel: Linux version 3.10.0-1062.12.1.el7.x86_64 (mockbuild@kbuilder.bsys.centos.org) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC) )
Mar 09 16:20:16 localhost kernel: Command line: BOOT_IMAGE=/boot/vmlinuz-3.10.0-1062.12.1.el7.x86_64 root=UUID=f41e390f-835b-4223-a9bb-9b45984ddf8d ro console=tty0 cons
Mar 09 16:20:16 localhost kernel: e820: BIOS-provided physical RAM map:
Mar 09 16:20:16 localhost kernel: BIOS-e820: [mem 0x0000000000000000-0x000000000009dfff] usable
Mar 09 16:20:16 localhost kernel: BIOS-e820: [mem 0x000000000009e000-0x000000000009ffff] reserved
Mar 09 16:20:16 localhost kernel: BIOS-e820: [mem 0x00000000000e0000-0x00000000000fffff] reserved
Mar 09 16:20:16 localhost kernel: BIOS-e820: [mem 0x0000000000100000-0x00000000efffffff] usable
Mar 09 16:20:16 localhost kernel: BIOS-e820: [mem 0x00000000fc000000-0x00000000ffffffff] reserved
Mar 09 16:20:16 localhost kernel: BIOS-e820: [mem 0x0000000100000000-0x000000080fffffff] usable

10. Show Output Quietly

If you want to suppress all informational and warning messages while checking the journal output, then you need to use -q option as shown below.

[root@localhost ~]# journalctl -q
Mar 09 16:20:16 localhost systemd-journal[133]: Runtime journal is using 8.0M (max allowed 1.5G, trying to leave 2.3G free of 15.6G available → current limit 1.5G).
Mar 09 16:20:16 localhost kernel: Initializing cgroup subsys cpuset
Mar 09 16:20:16 localhost kernel: Initializing cgroup subsys cpu
Mar 09 16:20:16 localhost kernel: Initializing cgroup subsys cpuacct
Mar 09 16:20:16 localhost kernel: Linux version 3.10.0-1062.12.1.el7.x86_64 (mockbuild@kbuilder.bsys.centos.org) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC) )
Mar 09 16:20:16 localhost kernel: Command line: BOOT_IMAGE=/boot/vmlinuz-3.10.0-1062.12.1.el7.x86_64 root=UUID=f41e390f-835b-4223-a9bb-9b45984ddf8d ro console=tty0 cons
Mar 09 16:20:16 localhost kernel: e820: BIOS-provided physical RAM map:

11. Show Kernel Messages

If you want to see all the Kernel log messages, then you need to use -k option as shown below.

[root@localhost ~]# journalctl -k
-- Logs begin at Mon 2020-03-09 16:20:16 UTC, end at Tue 2020-03-10 10:16:46 UTC. --
Mar 09 16:20:16 localhost kernel: Initializing cgroup subsys cpuset
Mar 09 16:20:16 localhost kernel: Initializing cgroup subsys cpu
Mar 09 16:20:16 localhost kernel: Initializing cgroup subsys cpuacct
Mar 09 16:20:16 localhost kernel: Linux version 3.10.0-1062.12.1.el7.x86_64 (mockbuild@kbuilder.bsys.centos.org) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC) )
Mar 09 16:20:16 localhost kernel: Command line: BOOT_IMAGE=/boot/vmlinuz-3.10.0-1062.12.1.el7.x86_64 root=UUID=f41e390f-835b-4223-a9bb-9b45984ddf8d ro console=tty0 cons
Mar 09 16:20:16 localhost kernel: e820: BIOS-provided physical RAM map:

12. Show Priority Level Messages

In Systemd, there are 8 different priority messages from 0-7. If you want to see only Priority 3 Log messages which is basically all the error messages, then you need to use -p 3 option as shown below. Here are the list of other priority messages:-

0 – Emergency
1 – Alert
2 – Critical
3 – Error
4 – Warning
5 – Notice
6 – Info
7 – Debug

[root@localhost ~]# journalctl -p 3
-- Logs begin at Mon 2020-03-09 16:20:16 UTC, end at Tue 2020-03-10 10:19:36 UTC. --
Mar 09 16:20:16 localhost kernel: Cannot get hvm parameter CONSOLE_EVTCHN (18): -22!
Mar 09 16:20:16 localhost kernel: Cannot get hvm parameter CONSOLE_EVTCHN (18): -22!
Mar 09 16:20:17 localhost rpcbind[230]: cannot open file = /run/rpcbind/rpcbind.xdr for writing
Mar 09 16:20:17 localhost rpcbind[230]: cannot save any registration
Mar 09 16:20:17 localhost rpcbind[230]: cannot open file = /run/rpcbind/portmap.xdr for writing
Mar 09 16:20:17 localhost rpcbind[230]: cannot save any registration
Mar 09 16:20:19 localhost.us-west-2.compute.internal kernel: piix4_smbus 0000:00:01.3: SMBus base address uninitialized - upgrade BIOS or use force_addr=0xaddr
Mar 09 16:20:19 localhost.us-west-2.compute.internal etcd[1630]: listen tcp 172.31.33.220:2380: bind: cannot assign requested address
Mar 09 16:20:19 localhost.us-west-2.compute.internal systemd[1]: Failed to start etcd.

13. Show header Information

If you want to see all the header information of the journal fields only, then you need to use --header option as shown below. This will not show the contents of the journal logs only the internal fields header.

[root@localhost ~]# journalctl --header
Rotate Suggested: no
Head Sequential Number: 1
Tail Sequential Number: 32285
Head Realtime Timestamp: Mon 2020-03-09 16:20:18 UTC
Tail Realtime Timestamp: Tue 2020-03-10 10:21:41 UTC
Tail Monotonic Timestamp: 18h 1min 27.072s
Objects: 67499
Entry Objects: 32285
Data Objects: 34091
Data Hash Table Fill: 14.6%
Field Objects: 46
Field Hash Table Fill: 13.8%
Tag Objects: 0
Entry Array Objects: 1075
Disk usage: 40.0M

14. Show Cursors 

If you want to see cursor after the last entry of two dashes, then you need to use --show-cursor option as shown below.

[root@localhost ~]# journalctl --show-cursor
-- Logs begin at Mon 2020-03-09 16:20:16 UTC, end at Tue 2020-03-10 10:36:36 UTC. --
Mar 09 16:20:16 localhost systemd-journal[133]: Runtime journal is using 8.0M (max allowed 1.5G, trying to leave 2.3G free of 15.6G available → current limit 1.5G).
Mar 09 16:20:16 localhost kernel: Initializing cgroup subsys cpuset
Mar 09 16:20:16 localhost kernel: Initializing cgroup subsys cpu
Mar 09 16:20:16 localhost kernel: Initializing cgroup subsys cpuacct
Mar 09 16:20:16 localhost kernel: Linux version 3.10.0-1062.12.1.el7.x86_64 (mockbuild@kbuilder.bsys.centos.org) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC) )
Mar 09 16:20:16 localhost kernel: Command line: BOOT_IMAGE=/boot/vmlinuz-3.10.0-1062.12.1.el7.x86_64 root=UUID=f41e390f-835b-4223-a9bb-9b45984ddf8d ro console=tty0 cons
Mar 09 16:20:16 localhost kernel: e820: BIOS-provided physical RAM map:

15. Show recent Cursor

If you want to see only one recent cursor from reverse output, then you need to use -r -n 1 option as shown below.

[root@localhost ~]# journalctl --show-cursor -r -n 1
-- Logs begin at Mon 2020-03-09 16:20:16 UTC, end at Tue 2020-03-10 10:40:16 UTC. --
Mar 10 10:40:16 localhost.us-west-2.compute.internal dockerd[2637]: time="2020-03-10T10:40:16.258001784Z" level=warning msg="unknown container" container=1b59436
-- cursor: s=dfc90b96023b4ff49c27004952c55e7c;i=802e;b=b9ffa520de304b60922f3e30352bd9bb;m=f5e02c243;t=5a07dbed0b51a;x=79f9431e8e41958c

16. Delete Older Data

If you want to delete older logs from journal, then you can use below journalctl command and delete it. In this example only last 10M of logs will be retained and rest will be deleted. Since I don’t have any logs here so you won’t see any logs to be deleted.

[root@localhost ~]# journalctl --vacuum-size=10M
Vacuuming done, freed 0B of archived journals on disk.
Vacuuming done, freed 0B of archived journals on disk.

 

Also Read: How to configure SSH Based Authentication Per User

Reference: Journalctl Man Page

Leave a Comment