Tip: Long lines are truncated to match the screen width. Use the left/right arrow keys to view the hidden part. Or redirect the output to a file.
Common Options
Follow Logs
- -f: Show new log entries as they are added.
kavish@ubuntu-local:~$ journalctl -u sshd -f
-- Logs begin at Sat 2021-03-13 08:16:22 UTC. --
Boot Message
- -b: Show current boot messages
kavish@ubuntu-local:~$ journalctl -b
-- Logs begin at Sat 2021-03-13 08:16:22 UTC, end at Wed 2021-03-24 15:35:44 UTC. --
Mar 24 14:13:46 ubuntu-local kernel: Linux version 5.4.0-67-generic (buildd@lcy01-amd64-025) (gc>
Mar 24 14:13:46 ubuntu-local kernel: Command line: BOOT_IMAGE=/vmlinuz-5.4.0-67-generic root=/de>
--SNIP--
To view logs from last boot, use -b -1. For two boots ago, use -2, and so on.
List all boots
- Use
--list-boots:
kavish@ubuntu-local:~$ journalctl --list-boots
-7 35c230707679449b9cc65ca48283cc0b Sat 2021-03-13 08:16:22 UTC—Sat 2021-03-13 09:24:09 UTC
-6 44ef24148f6b4ec582f8928df130cff5 Mon 2021-03-15 08:27:20 UTC—Mon 2021-03-15 10:11:00 UTC
-5 da256678eef847bc9b0888a8d7471b31 Mon 2021-03-15 11:35:31 UTC—Mon 2021-03-15 16:04:11 UTC
-4 bb3b549ec5ab4eea87fb98367df0765c Wed 2021-03-17 12:46:00 UTC—Wed 2021-03-17 14:30:35 UTC
-3 4827a8f8713f4f7bb51e8ad7a13e70e9 Mon 2021-03-22 08:43:51 UTC—Mon 2021-03-22 11:23:26 UTC
-2 0b2aea9f426c4f3080358240d84358b4 Mon 2021-03-22 15:34:53 UTC—Mon 2021-03-22 17:06:55 UTC
-1 9dfce1530f224df3902f40ad1497834c Tue 2021-03-23 05:31:09 UTC—Wed 2021-03-24 09:32:50 UTC
0 c4a280d403044a9abb88d1ba68d00986 Wed 2021-03-24 14:13:46 UTC—Wed 2021-03-24 15:44:25 UTC
Kernel Message
- -k: Shows kernel messages or logs from current boot. To list messages for another boot log, use:
journalctl -k -b -2
Messages in reverse
- -r: show the messages in reverse; latest first:
journalctl -u sshd -n 100 -r
Time Ranges
If components of the above format are left off, some defaults will be applied. For instance, if the date is omitted, the current date will be assumed. If the time component is missing, “00:00:00” (midnight) will be substituted. The seconds field can be left off as well to default to “00”:
journalctl --since "1 hour ago"
journalctl --since yesterday
journalctl --since "2 days ago"
journalctl --since "2020-05-03 23:15:00" --until "2021-03-23 23:20:00"
Priority or Log Levels
Get logs by priority name or numeric value:
|---|---------|
| 0 | emerg |
| 1 | alert |
| 2 | crit |
| 3 | err |
| 4 | warning |
| 5 | notice |
| 6 | info |
| 7 | debug |
The above numbers or names can be used interchangeably with the -p option. Selecting a priority will display messages marked at the specified level and those above it:
journalctl -u ssh -p warning -n 100
By Process, User, or Group ID
PID
journalctl _PID=3345
UID
journalctl _UID=101
journalctl _UID=100 _UID=200 --since today
journalctl _UID=`id -u admin`
GID
journalctl _GID=101
Output Format
Verbose
journalctl -o verbose
journalctl -o verbose --output-fields=MESSAGE
journalctl -o verbose --output-fields=MESSAGE,PRIOTIRY,_TRANSPORT
Json
journalctl -o json-pretty
journalctl -o verbose --output-fields=MESSAGE,PRIOTIRY,_TRANSPORT -o json-pretty
Filtering
Executable
journalctl _COMM=sudo -r
journalctl /usr/bin/bash
Hostname
journalctl _HOSTNAME=hostname
Manage Journal Size
How much disk space is currently taken up by the journal
kavish@ubuntu-local:~$ journalctl --disk-usage
Archived and active journals take up 64.0M in the file system.
Verify the integrity of the journal
If the some parts of the journal is corrupted, enough details will be provided on how to salvage the remaining data. More details can be found here.
kavish@ubuntu-local:~$ journalctl --verify
PASS: /var/log/journal/c72622c6fd9c42989ab119192791eeb8/system.journal
PASS: /var/log/journal/c72622c6fd9c42989ab119192791eeb8/user-1000.journal
Vacuum by size
Retain only 100MB of journal entries:
journalctl --vacuum-size=100M
Vacuum by time
Specified with the usual “s”, “m”, “h”, “days”, “months”, “weeks” and “years” suffixes:
journalctl --vacuum-time="1d"
Vacuum by files
Deletes all but the specified number of journal files. Tthis won’t delete any journal files that are actively in use:
journalctl --vacuum-files=2
Which executables have been logging errors at a loglevel lower than error in the past month?
journalctl --since -1month -p 7..4 -o json | jq -r 'select (.MESSAGE | contains("error")) | ._EXE' | sort -u