Cyberithub

32 Best Journalctl Command Examples in Linux(RedHat/CentOS) Part – 2

This article is Part 2 of 32 Best Journalctl Command Examples in Linux. If you have been following my articles closely, you will already have seen different usages of the journalctl command in the previous article.

Here I will take you through further journalctl examples that can be very helpful during troubleshooting. I hope you will like it.

Also Read: 30 Best Journalctl Command Examples in Linux(RedHat/CentOS) Part – 1

1. Check Logs After a Cursor

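If you want to start reading logs from a specific cursor, pass the cursor string with the -c option as shown below. The -c option shows entries starting at the specified cursor; to show only the entries that come after it, use --after-cursor instead.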

[root@localhost ~]# journalctl -c "s=dfc90b96023b4ff49c27004952c55e7c;i=802e;b=b9ffa520de304b60922f3e30352bd9bb;m=f5e02c243;t=5a07dbed0b51a;x=79f9431e8e41958c"
-- Logs begin at Mon 2020-03-09 16:20:16 UTC, end at Tue 2020-03-10 10:41:46 UTC. --
Mar 10 10:40:16 localhost.us-west-2.compute.internal dockerd[2637]: time="2020-03-10T10:40:16.258001784Z" level=warning msg="unknown container" container=1b59436
Mar 10 10:40:18 localhost.us-west-2.compute.internal dockerd[2637]: time="2020-03-10T10:40:18.941626747Z" level=warning msg="unknown container" container=2412096
Mar 10 10:40:18 localhost.us-west-2.compute.internal dockerd[2637]: time="2020-03-10T10:40:18.958023358Z" level=warning msg="unknown container" container=2412096
Mar 10 10:40:26 localhost.us-west-2.compute.internal dockerd[2637]: time="2020-03-10T10:40:26.566343320Z" level=warning msg="unknown container" container=7fe17cd
Mar 10 10:40:26 localhost.us-west-2.compute.internal dockerd[2637]: time="2020-03-10T10:40:26.582282268Z" level=warning msg="unknown container" container=7fe17cd
Mar 10 10:40:31 localhost.us-west-2.compute.internal dockerd[2637]: time="2020-03-10T10:40:31.241727290Z" level=warning msg="unknown container" container=1b59436
Mar 10 10:40:31 localhost.us-west-2.compute.internal dockerd[2637]: time="2020-03-10T10:40:31.258674146Z" level=warning msg="unknown container" container=1b59436
Mar 10 10:40:33 localhost.us-west-2.compute.internal dockerd[2637]: time="2020-03-10T10:40:33.941439835Z" level=warning msg="unknown container" container=2412096
Mar 10 10:40:33 localhost.us-west-2.compute.internal dockerd[2637]: time="2020-03-10T10:40:33.957580825Z" level=warning msg="unknown container" container=2412096
Mar 10 10:40:36 localhost.us-west-2.compute.internal dockerd[2637]: time="2020-03-10T10:40:36.294053476Z" level=warning msg="unknown container" container=f27b012
Mar 10 10:40:36 localhost.us-west-2.compute.internal dockerd[2637]: time="2020-03-10T10:40:36.311328790Z" level=warning msg="unknown container" container=f27b012
Mar 10 10:40:37 localhost.us-west-2.compute.internal etcd[2774]: store.index: compact 1180175
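
The help output in example 15 also lists --show-cursor and --after-cursor; used together they let a log collector resume exactly where it stopped, without gaps or duplicates. The shell sketch below is an added example, not part of the original article; STATE_FILE, JOURNALCTL and the function names are assumptions of the sketch.

```shell
#!/bin/sh
# Added example: collect journal entries incrementally from a saved cursor.
# STATE_FILE and JOURNALCTL are assumptions of this sketch, not journalctl settings.
STATE_FILE="${STATE_FILE:-/var/tmp/journal-collector.cursor}"
JOURNALCTL="${JOURNALCTL:-journalctl}"

# --show-cursor appends a final line "-- cursor: <cursor>"; return that cursor.
extract_cursor() {
    sed -n 's/^-- cursor: //p' | tail -n 1
}

# Print entries newer than the checkpoint, then advance the checkpoint.
collect_once() {
    if [ -s "$STATE_FILE" ]; then
        # Resume strictly after the last entry already collected.
        out=$("$JOURNALCTL" --no-pager --show-cursor \
              --after-cursor="$(cat "$STATE_FILE")") || return 1
    else
        # First run: no checkpoint yet, so bound the backlog by time.
        out=$("$JOURNALCTL" --no-pager --show-cursor --since "1 hr ago") || return 1
    fi
    [ -n "$out" ] || return 0

    # Entries go to stdout without the cursor trailer.
    printf '%s\n' "$out" | grep -v '^-- cursor: ' || true

    new=$(printf '%s\n' "$out" | extract_cursor)
    # No cursor line in the output: keep the old checkpoint.
    [ -n "$new" ] || return 0
    # Write-then-rename so an interrupted run never leaves a truncated cursor.
    printf '%s\n' "$new" > "$STATE_FILE.tmp" && mv "$STATE_FILE.tmp" "$STATE_FILE"
}
```

Call collect_once from a timer or cron job and pipe its output to wherever the logs are shipped.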

2. List No of Boots

If you are looking for all the boot events that occurred, then you need to use --list-boots option as shown below.

[root@localhost ~]# journalctl --list-boots
0 b9ffa520de304b60922f3e30352bd9bb Mon 2020-03-09 16:20:16 UTC—Tue 2020-03-10 10:43:11 UTC

3. Check recent log messages of the docker Unit

If you want to follow the most recent logs of the docker service as they arrive, use the -f option together with -u docker as shown below. Note that -u selects a systemd unit (here docker.service), not a user account.

[root@localhost ~]# journalctl -f -u docker
-- Logs begin at Mon 2020-03-09 16:20:16 UTC. --
Mar 10 10:46:26 localhost.us-west-2.compute.internal dockerd[2637]: time="2020-03-10T10:46:26.566204636Z" level=warning msg="unknown container" container=7fe17cd1577eeb44721627dcc5a87bdb725e59fabcaadafb24bad4939fe32b30 module=libcontainerd namespace=plugins.moby
Mar 10 10:46:26 localhost.us-west-2.compute.internal dockerd[2637]: time="2020-03-10T10:46:26.581397265Z" level=warning msg="unknown container" container=7fe17cd1577eeb44721627dcc5a87bdb725e59fabcaadafb24bad4939fe32b30 module=libcontainerd namespace=plugins.moby
Mar 10 10:46:31 localhost.us-west-2.compute.internal dockerd[2637]: time="2020-03-10T10:46:31.241138617Z" level=warning msg="unknown container" container=1b5943653d8cbf1e3dc72a1930f37749a4bfd31c3ced3055e4dd712cd60a393a module=libcontainerd namespace=plugins.moby
Mar 10 10:46:31 localhost.us-west-2.compute.internal dockerd[2637]: time="2020-03-10T10:46:31.257771041Z" level=warning msg="unknown container" container=1b5943653d8cbf1e3dc72a1930f37749a4bfd31c3ced3055e4dd712cd60a393a module=libcontainerd namespace=plugins.moby

4. Check Disk Usage

If you want to check the total journal disk usage, then you need to use --disk-usage option as shown below.

[root@localhost ~]# journalctl --disk-usage
Archived and active journals take up 48.0M on disk.

5. Check last N lines of Log

If you only want to check the last N lines of the journal, use the -n option and provide the value. Here I am checking the last 10 lines of recent logs.

[root@localhost ~]# journalctl -n 10
-- Logs begin at Mon 2020-03-09 16:20:16 UTC, end at Tue 2020-03-10 10:51:26 UTC. --
Mar 10 10:51:06 localhost.us-west-2.compute.internal dockerd[2637]: time="2020-03-10T10:51:06.294465883Z" level=warning msg="unknown container" container=f27b012
Mar 10 10:51:06 localhost.us-west-2.compute.internal dockerd[2637]: time="2020-03-10T10:51:06.311367769Z" level=warning msg="unknown container" container=f27b012
Mar 10 10:51:11 localhost.us-west-2.compute.internal dockerd[2637]: time="2020-03-10T10:51:11.565622653Z" level=warning msg="unknown container" container=7fe17cd
Mar 10 10:51:11 localhost.us-west-2.compute.internal dockerd[2637]: time="2020-03-10T10:51:11.581656911Z" level=warning msg="unknown container" container=7fe17cd
Mar 10 10:51:16 localhost.us-west-2.compute.internal dockerd[2637]: time="2020-03-10T10:51:16.241094001Z" level=warning msg="unknown container" container=1b59436
Mar 10 10:51:16 localhost.us-west-2.compute.internal dockerd[2637]: time="2020-03-10T10:51:16.256985040Z" level=warning msg="unknown container" container=1b59436
Mar 10 10:51:18 localhost.us-west-2.compute.internal dockerd[2637]: time="2020-03-10T10:51:18.940588779Z" level=warning msg="unknown container" container=2412096
Mar 10 10:51:18 localhost.us-west-2.compute.internal dockerd[2637]: time="2020-03-10T10:51:18.956540995Z" level=warning msg="unknown container" container=2412096
Mar 10 10:51:26 localhost.us-west-2.compute.internal dockerd[2637]: time="2020-03-10T10:51:26.565541751Z" level=warning msg="unknown container" container=7fe17cd
Mar 10 10:51:26 localhost.us-west-2.compute.internal dockerd[2637]: time="2020-03-10T10:51:26.581347879Z" level=warning msg="unknown container" container=7fe17cd

6. Check messages from last 1 Hour

If you want to check all the logs from the last hour, use the --since "1 hr ago" option as shown in the command below.

[root@localhost ~]# journalctl --since "1 hr ago"
-- Logs begin at Mon 2020-03-09 16:20:16 UTC, end at Tue 2020-03-10 10:53:06 UTC. --
Mar 10 09:53:11 localhost.us-west-2.compute.internal dockerd[2637]: time="2020-03-10T09:53:11.568459388Z" level=warning msg="unknown container" container=7fe17cd
Mar 10 09:53:11 localhost.us-west-2.compute.internal dockerd[2637]: time="2020-03-10T09:53:11.585939743Z" level=warning msg="unknown container" container=7fe17cd
Mar 10 09:53:16 localhost.us-west-2.compute.internal dockerd[2637]: time="2020-03-10T09:53:16.241294765Z" level=warning msg="unknown container" container=1b59436
Mar 10 09:53:16 localhost.us-west-2.compute.internal dockerd[2637]: time="2020-03-10T09:53:16.257953973Z" level=warning msg="unknown container" container=1b59436
Mar 10 09:53:18 localhost.us-west-2.compute.internal dockerd[2637]: time="2020-03-10T09:53:18.941758865Z" level=warning msg="unknown container" container=2412096
Mar 10 09:53:18 localhost.us-west-2.compute.internal dockerd[2637]: time="2020-03-10T09:53:18.958096357Z" level=warning msg="unknown container" container=2412096
Mar 10 09:53:26 localhost.us-west-2.compute.internal dockerd[2637]: time="2020-03-10T09:53:26.565414542Z" level=warning msg="unknown container" container=7fe17cd
Mar 10 09:53:26 localhost.us-west-2.compute.internal dockerd[2637]: time="2020-03-10T09:53:26.581139608Z" level=warning msg="unknown container" container=7fe17cd

7. List All Catalogs

If you want to list all the journal catalogs, then you need to use --list-catalog option with journalctl command as shown below.

[root@localhost ~]# journalctl --list-catalog
0027229ca0644181a76c4e92458afa2e systemd: One or more messages could not be forwarded to syslog
1dee0369c7fc4736b7099b38ecb46ee7 systemd: Mount point is not empty
24d8d4452573402496068381a6312df2 systemd: A virtual machine or container has been started
3354939424b4456d9802ca8333ed424a systemd: Session @SESSION_ID@ has been terminated
39f53479d3a045ac8e11786248231fbf systemd: Unit @UNIT@ has finished start-up
45f82f4aef7a4bbf942ce861d1f20990 systemd: Time zone change to @TIMEZONE@
58432bd3bace477cb514b56381b8a758 systemd: A virtual machine or container has been terminated
641257651c1b4ec9a8624d7a40a9e1e7 systemd: Process @EXECUTABLE@ could not be executed
6bbd95ee977941e497c48be27c254128 systemd: System sleep state @SLEEP@ entered
7b05ebc668384222baa8881179cfda54 systemd: Unit @UNIT@ has finished reloading its configuration
7d4958e842da4a758f6c1cdc7b36dcc5 systemd: Unit @UNIT@ has begun start-up
8811e6df2a8e40f58a94cea26f8ebf14 systemd: System sleep state @SLEEP@ left
8d45620c1a4348dbb17410da57c60c66 systemd: A new session @SESSION_ID@ has been created for user @USER_ID@
98268866d1d54a499c4e98921d93bc40 systemd: System shutdown initiated
9d1aaa27d60140bd96365438aad20286 systemd: Unit @UNIT@ has finished shutting down
a596d6fe7bfa4994828e72309e95d61e systemd: Messages from a service have been suppressed
b07a249cd024414a82dd00cd181378ff systemd: System start-up is now complete
be02cf6855d2428ba40df7e9d022f03d systemd: Unit @UNIT@ has failed

8. Update Catalogs

If you want to update journal catalogs, then you need to use --update-catalog option with journalctl command as specified below.

[root@localhost ~]# journalctl --update-catalog

9. Check Output in Verbose Mode

If you want to check the output in verbose mode, then you need to use -o verbose option as mentioned below.

[root@localhost ~]# journalctl -o verbose
-- Logs begin at Mon 2020-03-09 16:20:16 UTC, end at Tue 2020-03-10 10:56:26 UTC. --
Mon 2020-03-09 16:20:16.734983 UTC [s=7f4235df39a949b0b1384935107baaf0;i=1;b=b9ffa520de304b60922f3e30352bd9bb;m=21f430;t=5a06e60efe707;x=a3f611316212c3d4]
PRIORITY=6
_TRANSPORT=driver
MESSAGE=Runtime journal is using 8.0M (max allowed 1.5G, trying to leave 2.3G free of 15.6G available → current limit 1.5G).
MESSAGE_ID=ec387f577b844b8fa948f33cad9a75e6
_PID=133
_UID=0
_GID=0
_COMM=systemd-journal
_EXE=/usr/lib/systemd/systemd-journald
_CMDLINE=/usr/lib/systemd/systemd-journald
_CAP_EFFECTIVE=5402800cf
_SYSTEMD_CGROUP=/system.slice/systemd-journald.service
_SYSTEMD_UNIT=systemd-journald.service
_SYSTEMD_SLICE=system.slice
_BOOT_ID=b9ffa520de304b60922f3e30352bd9bb
_MACHINE_ID=7c49e088ed35417d918e0c22c04eda4e
_HOSTNAME=localhost

10. Flush log messages

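If you want to flush the journal data held in the runtime directory /run/log/journal to persistent storage in /var/log/journal, use the --flush option with the journalctl command as shown below. This only has an effect when persistent storage is enabled.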

[root@localhost ~]# journalctl --flush

11. List all User IDs

If you want to list all user IDs that appear in the journal, use the -F _UID option with the journalctl command as shown below. The -F option prints every value the given field takes across all journal entries.

[root@localhost ~]# journalctl -F _UID
999
998
0
32

12. List all Group IDs

If you want to list all group IDs that appear in the journal, use the -F _GID option with the journalctl command as shown below.

[root@localhost ~]# journalctl -F _GID
1000
998
995
0
32

13. Check Logs of User ID 32 

You can also filter the journal by user ID instead of user name. In this example, I am checking all the journal entries logged by processes running as user ID 32 since yesterday.

[root@localhost ~]# journalctl _UID=32 --since yesterday
-- Logs begin at Mon 2020-03-09 16:20:16 UTC, end at Tue 2020-03-10 11:18:41 UTC. --
Mar 09 16:20:17 localhost rpcbind[230]: cannot open file = /run/rpcbind/rpcbind.xdr for writing
Mar 09 16:20:17 localhost rpcbind[230]: cannot save any registration
Mar 09 16:20:17 localhost rpcbind[230]: cannot open file = /run/rpcbind/portmap.xdr for writing
Mar 09 16:20:17 localhost rpcbind[230]: cannot save any registration

14. List all System UNIT Fields

If you want to list all systemd units that appear in the journal, use the --field option (the long form of -F) with the _SYSTEMD_UNIT field as shown below.

[root@localhost ~]# journalctl --field _SYSTEMD_UNIT
session-176.scope
session-166.scope
session-161.scope
session-155.scope
session-145.scope
session-142.scope
session-136.scope
session-127.scope
session-119.scope
session-110.scope
session-106.scope

15. Check any other Options

To check all the other options available with journalctl command, you can use -h option as shown below.

[root@ip-172-31-33-220 ~]# journalctl -h

journalctl [OPTIONS...] [MATCHES...]

Query the journal.

Flags:
--system Show the system journal
--user Show the user journal for the current user
-M --machine=CONTAINER Operate on local container
-S --since=DATE Show entries not older than the specified date
-U --until=DATE Show entries not newer than the specified date
-c --cursor=CURSOR Show entries starting at the specified cursor
--after-cursor=CURSOR Show entries after the specified cursor
--show-cursor Print the cursor after all the entries

16. Verify Journal Details

You can also check the journal files for internal consistency using the --verify option as shown below. Each journal file is reported as PASS or FAIL.

[root@ip-172-31-33-220 ~]# journalctl --verify
391e00: Data object references invalid entry at 2a46160
File corruption detected at /run/log/journal/05cb8c7b39fe0f70e3ce97e5beab809d/system.journal:2a45ed0 (of 50331648 bytes, 88%).
FAIL: /run/log/journal/05cb8c7b39fe0f70e3ce97e5beab809d/system.journal (Bad message)
PASS: /run/log/journal/7c49e088ed35417d918e0c22c04eda4e/system.journal
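
A corrupted journal file is worth alerting on, since it means part of the log history can no longer be trusted. The shell sketch below is an added example, not part of the original article: it reduces the verify output shown above to one line per journal file and an exit status a monitoring job can act on. The function names and the exit-status convention are assumptions of the sketch.

```shell
#!/bin/sh
# Added example: summarise `journalctl --verify` output, one line per journal file.

# Sample input: the four verify lines shown in the article above.
sample_verify_output() {
cat <<'EOF'
391e00: Data object references invalid entry at 2a46160
File corruption detected at /run/log/journal/05cb8c7b39fe0f70e3ce97e5beab809d/system.journal:2a45ed0 (of 50331648 bytes, 88%).
FAIL: /run/log/journal/05cb8c7b39fe0f70e3ce97e5beab809d/system.journal (Bad message)
PASS: /run/log/journal/7c49e088ed35417d918e0c22c04eda4e/system.journal
EOF
}

# Reads verify output on stdin; prints "STATUS<TAB>file<TAB>detail" per file.
# Exit status: 0 all files passed, 1 at least one FAIL, 2 no verdict seen.
verify_report() {
    awk '
        /^File corruption detected at / {
            detail = $0
            sub(/^File corruption detected at /, "", detail)
            next
        }
        /^(PASS|FAIL): / {
            status = substr($0, 1, 4)
            file = substr($0, 7)
            sub(/ \([^()]*\)$/, "", file)        # drop trailing "(Bad message)"
            if (status == "FAIL") fail++
            else detail = "-"
            printf "%s\t%s\t%s\n", status, file, (detail == "" ? "-" : detail)
            detail = ""; seen++
        }
        END { if (!seen) exit 2; exit (fail > 0 ? 1 : 0) }
    '
}
```

On a live system, feed it with `journalctl --verify 2>&1 | verify_report`, so the verdict lines are captured whichever stream they are written to.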

 

 
