Table of Contents
In this article, i will take you through 32 Best journalctl command examples in Linux. journalctl command is used for querying all the logged messages generated by Systemd Services. You can always use this command when you see some Systemd services getting failed or not starting due to some issue. You can easily query the Systemd logs using journalctl command and get the relevant information to find the root cause of any issues.
This tool can be very handy and is the most widely used tool in larger Organization and Firms to troubleshoot the Systemd Services Error. I will take you through all the important available options that you can be used with journalctl command to query Systemd Log messages.
journalctl command in Linux
Also Read: 30 Useful Commands to Manage Systemd Services through Systemctl
1. Check journalctl version
You can use --version option to check the version of journalctl command.
[root@localhost ~]# journalctl --version
systemd 219
+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 -SECCOMP +BLKID +ELFUTILS +KMOD +IDN
2. Show all journalctl log fields
You need to use --all option to check the complete Systemd logs with all the fields showing as shown in the below output. Here output will be in long format as it will show everything.
[root@localhost ~]# journalctl --all -- Logs begin at Mon 2020-03-09 16:20:16 UTC, end at Tue 2020-03-10 09:56:48 UTC. -- Mar 09 16:20:16 localhost systemd-journal[133]: Runtime journal is using 8.0M (max allowed 1.5G, trying to leave 2.3G free of 15.6G available → current limit 1.5G). Mar 09 16:20:16 localhost kernel: Initializing cgroup subsys cpuset Mar 09 16:20:16 localhost kernel: Initializing cgroup subsys cpu Mar 09 16:20:16 localhost kernel: Initializing cgroup subsys cpuacct Mar 09 16:20:16 localhost kernel: Linux version 3.10.0-1062.12.1.el7.x86_64 (mockbuild@kbuilder.bsys.centos.org) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC) ) #1 SMP Tue Feb 4 23:02:59 UTC 2020 Mar 09 16:20:16 localhost kernel: Command line: BOOT_IMAGE=/boot/vmlinuz-3.10.0-1062.12.1.el7.x86_64 root=UUID=f41e390f-835b-4223-a9bb-9b45984ddf8d ro console=tty0 console=ttyS0,115200n8 crashkernel=auto console=ttyS0,115200 LANG=en_US.UTF-8 Mar 09 16:20:16 localhost kernel: e820: BIOS-provided physical RAM map: Mar 09 16:20:16 localhost kernel: BIOS-e820: [mem 0x0000000000000000-0x000000000009dfff] usable Mar 09 16:20:16 localhost kernel: BIOS-e820: [mem 0x000000000009e000-0x000000000009ffff] reserved Mar 09 16:20:16 localhost kernel: BIOS-e820: [mem 0x00000000000e0000-0x00000000000fffff] reserved Mar 09 16:20:16 localhost kernel: BIOS-e820: [mem 0x0000000000100000-0x00000000efffffff] usable Mar 09 16:20:16 localhost kernel: BIOS-e820: [mem 0x00000000fc000000-0x00000000ffffffff] reserved Mar 09 16:20:16 localhost kernel: BIOS-e820: [mem 0x0000000100000000-0x000000080fffffff] usable
3. Show Recent Logs Continuously
If you want to see the recent logs generating continuously, then you need to use -f option as shown below. It will keep appending the recent logs and shows the output continuously.
[root@localhost ~]# journalctl -f -- Logs begin at Mon 2020-03-09 16:20:16 UTC. -- Mar 10 10:01:03 localhost.us-west-2.compute.internal dockerd[2637]: time="2020-03-10T10:01:03.941935782Z" level=warning msg="unknown container" container=24120967295dfd2e975afd5e17f6e053062d2f08da4dfa584a3288a553131ad0 module=libcontainerd namespace=plugins.moby Mar 10 10:01:03 localhost.us-west-2.compute.internal dockerd[2637]: time="2020-03-10T10:01:03.957711633Z" level=warning msg="unknown container" container=24120967295dfd2e975afd5e17f6e053062d2f08da4dfa584a3288a553131ad0 module=libcontainerd namespace=plugins.moby Mar 10 10:01:06 localhost.us-west-2.compute.internal dockerd[2637]: time="2020-03-10T10:01:06.293649643Z" level=warning msg="unknown container" container=f27b0124867a5aef799fff85708a02ae60c71abf93bd3b44ce404a21655cbb2a module=libcontainerd namespace=plugins.moby Mar 10 10:01:06 localhost.us-west-2.compute.internal dockerd[2637]: time="2020-03-10T10:01:06.310383214Z" level=warning msg="unknown container" container=f27b0124867a5aef799fff85708a02ae60c71abf93bd3b44ce404a21655cbb2a module=libcontainerd namespace=plugins.moby Mar 10 10:01:11 localhost.us-west-2.compute.internal dockerd[2637]: time="2020-03-10T10:01:11.567483031Z" level=warning msg="unknown container" container=7fe17cd1577eeb44721627dcc5a87bdb725e59fabcaadafb24bad4939fe32b30 module=libcontainerd namespace=plugins.moby Mar 10 10:01:11 localhost.us-west-2.compute.internal dockerd[2637]: time="2020-03-10T10:01:11.583299030Z" level=warning msg="unknown container" container=7fe17cd1577eeb44721627dcc5a87bdb725e59fabcaadafb24bad4939fe32b30 module=libcontainerd namespace=plugins.moby Mar 10 10:01:16 localhost.us-west-2.compute.internal dockerd[2637]: time="2020-03-10T10:01:16.240973297Z" level=warning msg="unknown container" container=1b5943653d8cbf1e3dc72a1930f37749a4bfd31c3ced3055e4dd712cd60a393a module=libcontainerd namespace=plugins.moby
4. Show output for docker user
If you want to see all the logs for a specific user, then you need to use -u option as shown below. In this example, I am checking all the logs generated for User docker.
[root@localhost ~]# journalctl -u docker -- Logs begin at Mon 2020-03-09 16:20:16 UTC, end at Tue 2020-03-10 10:02:18 UTC. -- Mar 09 16:20:26 localhost.us-west-2.compute.internal systemd[1]: Starting Docker Application Container Engine... Mar 09 16:20:26 localhost.us-west-2.compute.internal dockerd[2260]: time="2020-03-09T16:20:26.340364044Z" level=warning msg="could not change group /var/run/dock Mar 09 16:20:26 localhost.us-west-2.compute.internal dockerd[2260]: time="2020-03-09T16:20:26.346591232Z" level=info msg="libcontainerd: started new docker-conta Mar 09 16:20:26 localhost.us-west-2.compute.internal dockerd[2260]: time="2020-03-09T16:20:26Z" level=info msg="starting containerd" module=containerd revision=8 Mar 09 16:20:26 localhost.us-west-2.compute.internal dockerd[2260]: time="2020-03-09T16:20:26Z" level=info msg="setting subreaper..." module=containerd Mar 09 16:20:26 localhost.us-west-2.compute.internal dockerd[2260]: time="2020-03-09T16:20:26Z" level=info msg="changing OOM score to -500" module=containerd Mar 09 16:20:26 localhost.us-west-2.compute.internal dockerd[2260]: time="2020-03-09T16:20:26Z" level=info msg="loading plugin "io.containerd.content.v1.content"
5. Show User Recent Logs
If you want to see only the recent logs from reverse output for user docker, then you need to use -ru option as shown below. It will only show the logs generated for user docker.
[root@localhost ~]# journalctl -ru docker -- Logs begin at Mon 2020-03-09 16:20:16 UTC, end at Tue 2020-03-10 10:03:16 UTC. -- Mar 10 10:03:16 localhost.us-west-2.compute.internal dockerd[2637]: time="2020-03-10T10:03:16.258141655Z" level=warning msg="unknown container" container=1b59436 Mar 10 10:03:16 localhost.us-west-2.compute.internal dockerd[2637]: time="2020-03-10T10:03:16.241620678Z" level=warning msg="unknown container" container=1b59436 Mar 10 10:03:11 localhost.us-west-2.compute.internal dockerd[2637]: time="2020-03-10T10:03:11.582332316Z" level=warning msg="unknown container" container=7fe17cd Mar 10 10:03:11 localhost.us-west-2.compute.internal dockerd[2637]: time="2020-03-10T10:03:11.565574818Z" level=warning msg="unknown container" container=7fe17cd Mar 10 10:03:06 localhost.us-west-2.compute.internal dockerd[2637]: time="2020-03-10T10:03:06.310758910Z" level=warning msg="unknown container" container=f27b012
6. Show time in UTC
If you want journalctl to show the time in UTC, then you need to use --utc option as shown below.
[root@localhost ~]# journalctl --utc -- Logs begin at Mon 2020-03-09 16:20:16 GMT, end at Tue 2020-03-10 10:04:36 GMT. -- Mar 09 16:20:16 localhost systemd-journal[133]: Runtime journal is using 8.0M (max allowed 1.5G, trying to leave 2.3G free of 15.6G available → current limit 1.5G). Mar 09 16:20:16 localhost kernel: Initializing cgroup subsys cpuset Mar 09 16:20:16 localhost kernel: Initializing cgroup subsys cpu Mar 09 16:20:16 localhost kernel: Initializing cgroup subsys cpuacct Mar 09 16:20:16 localhost kernel: Linux version 3.10.0-1062.12.1.el7.x86_64 (mockbuild@kbuilder.bsys.centos.org) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC) ) Mar 09 16:20:16 localhost kernel: Command line: BOOT_IMAGE=/boot/vmlinuz-3.10.0-1062.12.1.el7.x86_64 root=UUID=f41e390f-835b-4223-a9bb-9b45984ddf8d ro console=tty0 cons Mar 09 16:20:16 localhost kernel: e820: BIOS-provided physical RAM map:
7. Show output in JSON Format
You can also check the output in JSON format by using -o json option as shown below.
[root@localhost ~]# journalctl -o json { "__CURSOR" : "s=7f4235df39a949b0b1384935107baaf0;i=1;b=b9ffa520de304b60922f3e30352bd9bb;m=21f430;t=5a06e60efe707;x=a3f611316212c3d4", "__REALTIME_TIMESTAMP" : "158377 { "__CURSOR" : "s=7f4235df39a949b0b1384935107baaf0;i=2;b=b9ffa520de304b60922f3e30352bd9bb;m=21f491;t=5a06e60efe768;x=5ddb8b4268751f4", "__REALTIME_TIMESTAMP" : "1583770 { "__CURSOR" : "s=7f4235df39a949b0b1384935107baaf0;i=3;b=b9ffa520de304b60922f3e30352bd9bb;m=21f4a8;t=5a06e60efe77e;x=dd7708cec6912773", "__REALTIME_TIMESTAMP" : "158377 { "__CURSOR" : "s=7f4235df39a949b0b1384935107baaf0;i=4;b=b9ffa520de304b60922f3e30352bd9bb;m=21f4b6;t=5a06e60efe78d;x=ff625ef0f935a2df", "__REALTIME_TIMESTAMP" : "158377 { "__CURSOR" : "s=7f4235df39a949b0b1384935107baaf0;i=5;b=b9ffa520de304b60922f3e30352bd9bb;m=21f4c0;t=5a06e60efe797;x=4a2cc41df3716a8", "__REALTIME_TIMESTAMP" : "1583770 { "__CURSOR" : "s=7f4235df39a949b0b1384935107baaf0;i=6;b=b9ffa520de304b60922f3e30352bd9bb;m=21f4cc;t=5a06e60efe7a3;x=3968329d14a0dde4", "__REALTIME_TIMESTAMP" : "158377
8. Show Interleaved Logs
If you want to see all the logs interleaved from all the available journals, then you need to use -m option as shown below.
[root@localhost ~]# journalctl -m -- Logs begin at Mon 2020-03-09 16:20:16 UTC, end at Tue 2020-03-10 10:10:46 UTC. -- Mar 09 16:20:16 localhost systemd-journal[133]: Runtime journal is using 8.0M (max allowed 1.5G, trying to leave 2.3G free of 15.6G available → current limit 1.5G). Mar 09 16:20:16 localhost kernel: Initializing cgroup subsys cpuset Mar 09 16:20:16 localhost kernel: Initializing cgroup subsys cpu Mar 09 16:20:16 localhost kernel: Initializing cgroup subsys cpuacct Mar 09 16:20:16 localhost kernel: Linux version 3.10.0-1062.12.1.el7.x86_64 (mockbuild@kbuilder.bsys.centos.org) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC) ) Mar 09 16:20:16 localhost kernel: Command line: BOOT_IMAGE=/boot/vmlinuz-3.10.0-1062.12.1.el7.x86_64 root=UUID=f41e390f-835b-4223-a9bb-9b45984ddf8d ro console=tty0 cons Mar 09 16:20:16 localhost kernel: e820: BIOS-provided physical RAM map: Mar 09 16:20:16 localhost kernel: BIOS-e820: [mem 0x0000000000000000-0x000000000009dfff] usable Mar 09 16:20:16 localhost kernel: BIOS-e820: [mem 0x000000000009e000-0x000000000009ffff] reserved Mar 09 16:20:16 localhost kernel: BIOS-e820: [mem 0x00000000000e0000-0x00000000000fffff] reserved Mar 09 16:20:16 localhost kernel: BIOS-e820: [mem 0x0000000000100000-0x00000000efffffff] usable Mar 09 16:20:16 localhost kernel: BIOS-e820: [mem 0x00000000fc000000-0x00000000ffffffff] reserved Mar 09 16:20:16 localhost kernel: BIOS-e820: [mem 0x0000000100000000-0x000000080fffffff] usable
9. Show bootable messages
If you only want to see all boot messages, then you need to use -b option as mentioned below. Here we are not using any argument with -b option so it will only show the current boot messages.
[root@localhost ~]# journalctl -b -- Logs begin at Mon 2020-03-09 16:20:16 UTC, end at Tue 2020-03-10 10:12:18 UTC. -- Mar 09 16:20:16 localhost systemd-journal[133]: Runtime journal is using 8.0M (max allowed 1.5G, trying to leave 2.3G free of 15.6G available → current limit 1.5G). Mar 09 16:20:16 localhost kernel: Initializing cgroup subsys cpuset Mar 09 16:20:16 localhost kernel: Initializing cgroup subsys cpu Mar 09 16:20:16 localhost kernel: Initializing cgroup subsys cpuacct Mar 09 16:20:16 localhost kernel: Linux version 3.10.0-1062.12.1.el7.x86_64 (mockbuild@kbuilder.bsys.centos.org) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC) ) Mar 09 16:20:16 localhost kernel: Command line: BOOT_IMAGE=/boot/vmlinuz-3.10.0-1062.12.1.el7.x86_64 root=UUID=f41e390f-835b-4223-a9bb-9b45984ddf8d ro console=tty0 cons Mar 09 16:20:16 localhost kernel: e820: BIOS-provided physical RAM map: Mar 09 16:20:16 localhost kernel: BIOS-e820: [mem 0x0000000000000000-0x000000000009dfff] usable Mar 09 16:20:16 localhost kernel: BIOS-e820: [mem 0x000000000009e000-0x000000000009ffff] reserved Mar 09 16:20:16 localhost kernel: BIOS-e820: [mem 0x00000000000e0000-0x00000000000fffff] reserved Mar 09 16:20:16 localhost kernel: BIOS-e820: [mem 0x0000000000100000-0x00000000efffffff] usable Mar 09 16:20:16 localhost kernel: BIOS-e820: [mem 0x00000000fc000000-0x00000000ffffffff] reserved Mar 09 16:20:16 localhost kernel: BIOS-e820: [mem 0x0000000100000000-0x000000080fffffff] usable
10. Show Output Quietly
If you want to suppress all informational and warning messages while checking the journal output, then you need to use -q option as shown below.
[root@localhost ~]# journalctl -q Mar 09 16:20:16 localhost systemd-journal[133]: Runtime journal is using 8.0M (max allowed 1.5G, trying to leave 2.3G free of 15.6G available → current limit 1.5G). Mar 09 16:20:16 localhost kernel: Initializing cgroup subsys cpuset Mar 09 16:20:16 localhost kernel: Initializing cgroup subsys cpu Mar 09 16:20:16 localhost kernel: Initializing cgroup subsys cpuacct Mar 09 16:20:16 localhost kernel: Linux version 3.10.0-1062.12.1.el7.x86_64 (mockbuild@kbuilder.bsys.centos.org) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC) ) Mar 09 16:20:16 localhost kernel: Command line: BOOT_IMAGE=/boot/vmlinuz-3.10.0-1062.12.1.el7.x86_64 root=UUID=f41e390f-835b-4223-a9bb-9b45984ddf8d ro console=tty0 cons Mar 09 16:20:16 localhost kernel: e820: BIOS-provided physical RAM map:
11. Show Kernel Messages
If you want to see all the Kernel log messages, then you need to use -k option as shown below.
[root@localhost ~]# journalctl -k -- Logs begin at Mon 2020-03-09 16:20:16 UTC, end at Tue 2020-03-10 10:16:46 UTC. -- Mar 09 16:20:16 localhost kernel: Initializing cgroup subsys cpuset Mar 09 16:20:16 localhost kernel: Initializing cgroup subsys cpu Mar 09 16:20:16 localhost kernel: Initializing cgroup subsys cpuacct Mar 09 16:20:16 localhost kernel: Linux version 3.10.0-1062.12.1.el7.x86_64 (mockbuild@kbuilder.bsys.centos.org) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC) ) Mar 09 16:20:16 localhost kernel: Command line: BOOT_IMAGE=/boot/vmlinuz-3.10.0-1062.12.1.el7.x86_64 root=UUID=f41e390f-835b-4223-a9bb-9b45984ddf8d ro console=tty0 cons Mar 09 16:20:16 localhost kernel: e820: BIOS-provided physical RAM map:
12. Show Priority Level Messages
In Systemd, there are 8 different priority messages from 0-7. If you want to see only Priority 3 Log messages which is basically all the error messages, then you need to use -p 3 option as shown below. Here are the list of other priority messages:-
0 – Emergency
1 – Alert
2 – Critical
3 – Error
4 – Warning
5 – Notice
6 – Info
7 – Debug
[root@localhost ~]# journalctl -p 3 -- Logs begin at Mon 2020-03-09 16:20:16 UTC, end at Tue 2020-03-10 10:19:36 UTC. -- Mar 09 16:20:16 localhost kernel: Cannot get hvm parameter CONSOLE_EVTCHN (18): -22! Mar 09 16:20:16 localhost kernel: Cannot get hvm parameter CONSOLE_EVTCHN (18): -22! Mar 09 16:20:17 localhost rpcbind[230]: cannot open file = /run/rpcbind/rpcbind.xdr for writing Mar 09 16:20:17 localhost rpcbind[230]: cannot save any registration Mar 09 16:20:17 localhost rpcbind[230]: cannot open file = /run/rpcbind/portmap.xdr for writing Mar 09 16:20:17 localhost rpcbind[230]: cannot save any registration Mar 09 16:20:19 localhost.us-west-2.compute.internal kernel: piix4_smbus 0000:00:01.3: SMBus base address uninitialized - upgrade BIOS or use force_addr=0xaddr Mar 09 16:20:19 localhost.us-west-2.compute.internal etcd[1630]: listen tcp 172.31.33.220:2380: bind: cannot assign requested address Mar 09 16:20:19 localhost.us-west-2.compute.internal systemd[1]: Failed to start etcd.
13. Show header Information
If you want to see all the header information of the journal fields only, then you need to use --header option as shown below. This will not show the contents of the journal logs only the internal fields header.
[root@localhost ~]# journalctl --header Rotate Suggested: no Head Sequential Number: 1 Tail Sequential Number: 32285 Head Realtime Timestamp: Mon 2020-03-09 16:20:18 UTC Tail Realtime Timestamp: Tue 2020-03-10 10:21:41 UTC Tail Monotonic Timestamp: 18h 1min 27.072s Objects: 67499 Entry Objects: 32285 Data Objects: 34091 Data Hash Table Fill: 14.6% Field Objects: 46 Field Hash Table Fill: 13.8% Tag Objects: 0 Entry Array Objects: 1075 Disk usage: 40.0M
14. Show Cursors
If you want to see cursor after the last entry of two dashes, then you need to use --show-cursor option as shown below.
[root@localhost ~]# journalctl --show-cursor -- Logs begin at Mon 2020-03-09 16:20:16 UTC, end at Tue 2020-03-10 10:36:36 UTC. -- Mar 09 16:20:16 localhost systemd-journal[133]: Runtime journal is using 8.0M (max allowed 1.5G, trying to leave 2.3G free of 15.6G available → current limit 1.5G). Mar 09 16:20:16 localhost kernel: Initializing cgroup subsys cpuset Mar 09 16:20:16 localhost kernel: Initializing cgroup subsys cpu Mar 09 16:20:16 localhost kernel: Initializing cgroup subsys cpuacct Mar 09 16:20:16 localhost kernel: Linux version 3.10.0-1062.12.1.el7.x86_64 (mockbuild@kbuilder.bsys.centos.org) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC) ) Mar 09 16:20:16 localhost kernel: Command line: BOOT_IMAGE=/boot/vmlinuz-3.10.0-1062.12.1.el7.x86_64 root=UUID=f41e390f-835b-4223-a9bb-9b45984ddf8d ro console=tty0 cons Mar 09 16:20:16 localhost kernel: e820: BIOS-provided physical RAM map:
15. Show recent Cursor
If you want to see only one recent cursor from reverse output, then you need to use -r -n 1 option as shown below.
[root@localhost ~]# journalctl --show-cursor -r -n 1 -- Logs begin at Mon 2020-03-09 16:20:16 UTC, end at Tue 2020-03-10 10:40:16 UTC. -- Mar 10 10:40:16 localhost.us-west-2.compute.internal dockerd[2637]: time="2020-03-10T10:40:16.258001784Z" level=warning msg="unknown container" container=1b59436 -- cursor: s=dfc90b96023b4ff49c27004952c55e7c;i=802e;b=b9ffa520de304b60922f3e30352bd9bb;m=f5e02c243;t=5a07dbed0b51a;x=79f9431e8e41958c
16. Delete Older Data
If you want to delete older logs from journal, then you can use below journalctl command and delete it. In this example only last 10M of logs will be retained and rest will be deleted. Since I don’t have any logs here so you won’t see any logs to be deleted.
[root@localhost ~]# journalctl --vacuum-size=10M Vacuuming done, freed 0B of archived journals on disk. Vacuuming done, freed 0B of archived journals on disk.
Also Read: How to configure SSH Based Authentication Per User
Reference: Journalctl Man Page