Table of Contents
In this article, I will take you through 32 Best Journalctl Command Examples Part – 2. If you are following my articles closely then this will be Part-2 of 32 Best Journalctl Command Examples in Linux. By this time you might have seen different usage of journalctl command in the previous article.
In this article, I will take you through further examples of journalctl commands which can be very helpful during any troubleshooting. I hope you will like it.
journalctl command examples
Also Read: 30 Best Journalctl Command Examples in Linux(RedHat/CentOS) Part – 1
1. Check Logs After a Cursor
If you want to start checking logs from some specified cursor, then you need to pass the cursor name with -c option as shown below.
[root@localhost ~]# journalctl -c "s=dfc90b96023b4ff49c27004952c55e7c;i=802e;b=b9ffa520de304b60922f3e30352bd9bb;m=f5e02c243;t=5a07dbed0b51a;x=79f9431e8e41958c" -- Logs begin at Mon 2020-03-09 16:20:16 UTC, end at Tue 2020-03-10 10:41:46 UTC. -- Mar 10 10:40:16 localhost.us-west-2.compute.internal dockerd[2637]: time="2020-03-10T10:40:16.258001784Z" level=warning msg="unknown container" container=1b59436 Mar 10 10:40:18 localhost.us-west-2.compute.internal dockerd[2637]: time="2020-03-10T10:40:18.941626747Z" level=warning msg="unknown container" container=2412096 Mar 10 10:40:18 localhost.us-west-2.compute.internal dockerd[2637]: time="2020-03-10T10:40:18.958023358Z" level=warning msg="unknown container" container=2412096 Mar 10 10:40:26 localhost.us-west-2.compute.internal dockerd[2637]: time="2020-03-10T10:40:26.566343320Z" level=warning msg="unknown container" container=7fe17cd Mar 10 10:40:26 localhost.us-west-2.compute.internal dockerd[2637]: time="2020-03-10T10:40:26.582282268Z" level=warning msg="unknown container" container=7fe17cd Mar 10 10:40:31 localhost.us-west-2.compute.internal dockerd[2637]: time="2020-03-10T10:40:31.241727290Z" level=warning msg="unknown container" container=1b59436 Mar 10 10:40:31 localhost.us-west-2.compute.internal dockerd[2637]: time="2020-03-10T10:40:31.258674146Z" level=warning msg="unknown container" container=1b59436 Mar 10 10:40:33 localhost.us-west-2.compute.internal dockerd[2637]: time="2020-03-10T10:40:33.941439835Z" level=warning msg="unknown container" container=2412096 Mar 10 10:40:33 localhost.us-west-2.compute.internal dockerd[2637]: time="2020-03-10T10:40:33.957580825Z" level=warning msg="unknown container" container=2412096 Mar 10 10:40:36 localhost.us-west-2.compute.internal dockerd[2637]: time="2020-03-10T10:40:36.294053476Z" level=warning msg="unknown container" container=f27b012 Mar 10 10:40:36 localhost.us-west-2.compute.internal dockerd[2637]: time="2020-03-10T10:40:36.311328790Z" level=warning msg="unknown container" container=f27b012 Mar 10 10:40:37 localhost.us-west-2.compute.internal etcd[2774]: store.index: compact 1180175
2. List No of Boots
If you are looking for all the boot events that occurred, then you need to use --list-boots option as shown below.
[root@localhost ~]# journalctl --list-boots 0 b9ffa520de304b60922f3e30352bd9bb Mon 2020-03-09 16:20:16 UTC—Tue 2020-03-10 10:43:11 UTC
3. Check recent log messages of docker User
If you are trying to check all the recent logs at run time for user docker, then you need to use -f option with -u docker as shown below.
[root@localhost ~]# journalctl -f -u docker -- Logs begin at Mon 2020-03-09 16:20:16 UTC. -- Mar 10 10:46:26 localhost.us-west-2.compute.internal dockerd[2637]: time="2020-03-10T10:46:26.566204636Z" level=warning msg="unknown container" container=7fe17cd1577eeb44721627dcc5a87bdb725e59fabcaadafb24bad4939fe32b30 module=libcontainerd namespace=plugins.moby Mar 10 10:46:26 localhost.us-west-2.compute.internal dockerd[2637]: time="2020-03-10T10:46:26.581397265Z" level=warning msg="unknown container" container=7fe17cd1577eeb44721627dcc5a87bdb725e59fabcaadafb24bad4939fe32b30 module=libcontainerd namespace=plugins.moby Mar 10 10:46:31 localhost.us-west-2.compute.internal dockerd[2637]: time="2020-03-10T10:46:31.241138617Z" level=warning msg="unknown container" container=1b5943653d8cbf1e3dc72a1930f37749a4bfd31c3ced3055e4dd712cd60a393a module=libcontainerd namespace=plugins.moby Mar 10 10:46:31 localhost.us-west-2.compute.internal dockerd[2637]: time="2020-03-10T10:46:31.257771041Z" level=warning msg="unknown container" container=1b5943653d8cbf1e3dc72a1930f37749a4bfd31c3ced3055e4dd712cd60a393a module=libcontainerd namespace=plugins.moby
4. Check Disk Usage
If you want to check the total journal disk usage, then you need to use --disk-usage option as shown below.
[root@localhost ~]# journalctl --disk-usage Archived and active journals take up 48.0M on disk.
5. Check last N lines of Log
If you only want to check the last N lines of journal logs, then you need to use -n option and provide the value. Here I am checking last 10 lines of recent logs.
[root@localhost ~]# journalctl -n 10 -- Logs begin at Mon 2020-03-09 16:20:16 UTC, end at Tue 2020-03-10 10:51:26 UTC. -- Mar 10 10:51:06 localhost.us-west-2.compute.internal dockerd[2637]: time="2020-03-10T10:51:06.294465883Z" level=warning msg="unknown container" container=f27b012 Mar 10 10:51:06 localhost.us-west-2.compute.internal dockerd[2637]: time="2020-03-10T10:51:06.311367769Z" level=warning msg="unknown container" container=f27b012 Mar 10 10:51:11 localhost.us-west-2.compute.internal dockerd[2637]: time="2020-03-10T10:51:11.565622653Z" level=warning msg="unknown container" container=7fe17cd Mar 10 10:51:11 localhost.us-west-2.compute.internal dockerd[2637]: time="2020-03-10T10:51:11.581656911Z" level=warning msg="unknown container" container=7fe17cd Mar 10 10:51:16 localhost.us-west-2.compute.internal dockerd[2637]: time="2020-03-10T10:51:16.241094001Z" level=warning msg="unknown container" container=1b59436 Mar 10 10:51:16 localhost.us-west-2.compute.internal dockerd[2637]: time="2020-03-10T10:51:16.256985040Z" level=warning msg="unknown container" container=1b59436 Mar 10 10:51:18 localhost.us-west-2.compute.internal dockerd[2637]: time="2020-03-10T10:51:18.940588779Z" level=warning msg="unknown container" container=2412096 Mar 10 10:51:18 localhost.us-west-2.compute.internal dockerd[2637]: time="2020-03-10T10:51:18.956540995Z" level=warning msg="unknown container" container=2412096 Mar 10 10:51:26 localhost.us-west-2.compute.internal dockerd[2637]: time="2020-03-10T10:51:26.565541751Z" level=warning msg="unknown container" container=7fe17cd Mar 10 10:51:26 localhost.us-west-2.compute.internal dockerd[2637]: time="2020-03-10T10:51:26.581347879Z" level=warning msg="unknown container" container=7fe17cd
6. Check messages from last 1 Hour
If you want to check all the logs of last 1 Hr, then you can use --since "1 hr ago" option as shown in below command.
[root@localhost ~]# journalctl --since "1 hr ago" -- Logs begin at Mon 2020-03-09 16:20:16 UTC, end at Tue 2020-03-10 10:53:06 UTC. -- Mar 10 09:53:11 localhost.us-west-2.compute.internal dockerd[2637]: time="2020-03-10T09:53:11.568459388Z" level=warning msg="unknown container" container=7fe17cd Mar 10 09:53:11 localhost.us-west-2.compute.internal dockerd[2637]: time="2020-03-10T09:53:11.585939743Z" level=warning msg="unknown container" container=7fe17cd Mar 10 09:53:16 localhost.us-west-2.compute.internal dockerd[2637]: time="2020-03-10T09:53:16.241294765Z" level=warning msg="unknown container" container=1b59436 Mar 10 09:53:16 localhost.us-west-2.compute.internal dockerd[2637]: time="2020-03-10T09:53:16.257953973Z" level=warning msg="unknown container" container=1b59436 Mar 10 09:53:18 localhost.us-west-2.compute.internal dockerd[2637]: time="2020-03-10T09:53:18.941758865Z" level=warning msg="unknown container" container=2412096 Mar 10 09:53:18 localhost.us-west-2.compute.internal dockerd[2637]: time="2020-03-10T09:53:18.958096357Z" level=warning msg="unknown container" container=2412096 Mar 10 09:53:26 localhost.us-west-2.compute.internal dockerd[2637]: time="2020-03-10T09:53:26.565414542Z" level=warning msg="unknown container" container=7fe17cd Mar 10 09:53:26 localhost.us-west-2.compute.internal dockerd[2637]: time="2020-03-10T09:53:26.581139608Z" level=warning msg="unknown container" container=7fe17cd
7. List All Catalogs
If you want to list all the journal catalogs, then you need to use --list-catalog option with journalctl command as shown below.
[root@localhost ~]# journalctl --list-catalog 0027229ca0644181a76c4e92458afa2e systemd: One or more messages could not be forwarded to syslog 1dee0369c7fc4736b7099b38ecb46ee7 systemd: Mount point is not empty 24d8d4452573402496068381a6312df2 systemd: A virtual machine or container has been started 3354939424b4456d9802ca8333ed424a systemd: Session @SESSION_ID@ has been terminated 39f53479d3a045ac8e11786248231fbf systemd: Unit @UNIT@ has finished start-up 45f82f4aef7a4bbf942ce861d1f20990 systemd: Time zone change to @TIMEZONE@ 58432bd3bace477cb514b56381b8a758 systemd: A virtual machine or container has been terminated 641257651c1b4ec9a8624d7a40a9e1e7 systemd: Process @EXECUTABLE@ could not be executed 6bbd95ee977941e497c48be27c254128 systemd: System sleep state @SLEEP@ entered 7b05ebc668384222baa8881179cfda54 systemd: Unit @UNIT@ has finished reloading its configuration 7d4958e842da4a758f6c1cdc7b36dcc5 systemd: Unit @UNIT@ has begun start-up 8811e6df2a8e40f58a94cea26f8ebf14 systemd: System sleep state @SLEEP@ left 8d45620c1a4348dbb17410da57c60c66 systemd: A new session @SESSION_ID@ has been created for user @USER_ID@ 98268866d1d54a499c4e98921d93bc40 systemd: System shutdown initiated 9d1aaa27d60140bd96365438aad20286 systemd: Unit @UNIT@ has finished shutting down a596d6fe7bfa4994828e72309e95d61e systemd: Messages from a service have been suppressed b07a249cd024414a82dd00cd181378ff systemd: System start-up is now complete be02cf6855d2428ba40df7e9d022f03d systemd: Unit @UNIT@ has failed
8. Update Catalogs
If you want to update journal catalogs, then you need to use --update-catalog option with journalctl command as specified below.
[root@localhost ~]# journalctl --update-catalog
9. Check Output in Verbose Mode
If you want to check the output in verbose mode, then you need to use -o verbose option as mentioned below.
[root@localhost ~]# journalctl -o verbose -- Logs begin at Mon 2020-03-09 16:20:16 UTC, end at Tue 2020-03-10 10:56:26 UTC. -- Mon 2020-03-09 16:20:16.734983 UTC [s=7f4235df39a949b0b1384935107baaf0;i=1;b=b9ffa520de304b60922f3e30352bd9bb;m=21f430;t=5a06e60efe707;x=a3f611316212c3d4] PRIORITY=6 _TRANSPORT=driver MESSAGE=Runtime journal is using 8.0M (max allowed 1.5G, trying to leave 2.3G free of 15.6G available → current limit 1.5G). MESSAGE_ID=ec387f577b844b8fa948f33cad9a75e6 _PID=133 _UID=0 _GID=0 _COMM=systemd-journal _EXE=/usr/lib/systemd/systemd-journald _CMDLINE=/usr/lib/systemd/systemd-journald _CAP_EFFECTIVE=5402800cf _SYSTEMD_CGROUP=/system.slice/systemd-journald.service _SYSTEMD_UNIT=systemd-journald.service _SYSTEMD_SLICE=system.slice _BOOT_ID=b9ffa520de304b60922f3e30352bd9bb _MACHINE_ID=7c49e088ed35417d918e0c22c04eda4e _HOSTNAME=localhost
10. Flush log messages
If you want to flush all the systemd messages, then you need to use --flush option with journalctl command as shown below.
[root@localhost ~]# journalctl --flush
11. List all User IDs
If you want to list all User Ids for which systemd generates logs, then you need to use -F _UID option with journalctl command as shown below.
[root@localhost ~]# journalctl -F _UID 999 998 0 32
12. List all Group IDs
If you want to list all User Ids for which systemd generates logs, then you need to use -F _GID option with journalctl command to check that as shown below.
[root@localhost ~]# journalctl -F _GID 1000 998 995 0 32
13. Check Logs of User ID 32
You can also check the journal logs by using user id instead of User name. In this example, I am checking all the journal logs generated for User ID 32 since yesterday.
[root@localhost ~]# journalctl _UID=32 --since yesterday -- Logs begin at Mon 2020-03-09 16:20:16 UTC, end at Tue 2020-03-10 11:18:41 UTC. -- Mar 09 16:20:17 localhost rpcbind[230]: cannot open file = /run/rpcbind/rpcbind.xdr for writing Mar 09 16:20:17 localhost rpcbind[230]: cannot save any registration Mar 09 16:20:17 localhost rpcbind[230]: cannot open file = /run/rpcbind/portmap.xdr for writing Mar 09 16:20:17 localhost rpcbind[230]: cannot save any registration
14. List all System UNIT Fields
If you want to list all Systemd UNIT, then you need to use --field option with journalctl command as shown below.
[root@localhost ~]# journalctl --field _SYSTEMD_UNIT session-176.scope session-166.scope session-161.scope session-155.scope session-145.scope session-142.scope session-136.scope session-127.scope session-119.scope session-110.scope session-106.scope
15. Check any other Options
To check all the other options available with journalctl command, you can use -h option as shown below.
[root@ip-172-31-33-220 ~]# journalctl -h journalctl [OPTIONS...] [MATCHES...] Query the journal. Flags: --system Show the system journal --user Show the user journal for the current user -M --machine=CONTAINER Operate on local container -S --since=DATE Show entries not older than the specified date -U --until=DATE Show entries not newer than the specified date -c --cursor=CURSOR Show entries starting at the specified cursor --after-cursor=CURSOR Show entries after the specified cursor --show-cursor Print the cursor after all the entries
16. Verify Journal Details
You can also verify the journals data for any error using --verify option as shown below.
[root@ip-172-31-33-220 ~]# journalctl --verify 391e00: Data object references invalid entry at 2a46160 File corruption detected at /run/log/journal/05cb8c7b39fe0f70e3ce97e5beab809d/system.journal:2a45ed0 (of 50331648 bytes, 88%). FAIL: /run/log/journal/05cb8c7b39fe0f70e3ce97e5beab809d/system.journal (Bad message) PASS: /run/log/journal/7c49e088ed35417d918e0c22c04eda4e/system.journal
Also Read: 6 SSH Authentication Methods to Secure Connection