Skip to main content

Journalctl Cheatsheet

·3 mins
Table of Contents

Tip: Long lines are truncated to match the screen width. Use the left/right arrow keys to view the hidden part. Or redirect the output to a file.

Common Options #

Follow Logs #

  • -f: Show new log entries as they are added.
kavish@ubuntu-local:~$ journalctl -u sshd -f
-- Logs begin at Sat 2021-03-13 08:16:22 UTC. --

Boot Message #

  • -b: Show current boot messages
kavish@ubuntu-local:~$ journalctl -b
-- Logs begin at Sat 2021-03-13 08:16:22 UTC, end at Wed 2021-03-24 15:35:44 UTC. --
Mar 24 14:13:46 ubuntu-local kernel: Linux version 5.4.0-67-generic (buildd@lcy01-amd64-025) (gc>
Mar 24 14:13:46 ubuntu-local kernel: Command line: BOOT_IMAGE=/vmlinuz-5.4.0-67-generic root=/de>

--SNIP--

To view logs from last boot, use -b -1. For two boots ago, use -2, and so on.

List all boots #

  • Use --list-boots:
kavish@ubuntu-local:~$ journalctl --list-boots
-7 35c230707679449b9cc65ca48283cc0b Sat 2021-03-13 08:16:22 UTC—Sat 2021-03-13 09:24:09 UTC
-6 44ef24148f6b4ec582f8928df130cff5 Mon 2021-03-15 08:27:20 UTC—Mon 2021-03-15 10:11:00 UTC
-5 da256678eef847bc9b0888a8d7471b31 Mon 2021-03-15 11:35:31 UTC—Mon 2021-03-15 16:04:11 UTC
-4 bb3b549ec5ab4eea87fb98367df0765c Wed 2021-03-17 12:46:00 UTC—Wed 2021-03-17 14:30:35 UTC
-3 4827a8f8713f4f7bb51e8ad7a13e70e9 Mon 2021-03-22 08:43:51 UTC—Mon 2021-03-22 11:23:26 UTC
-2 0b2aea9f426c4f3080358240d84358b4 Mon 2021-03-22 15:34:53 UTC—Mon 2021-03-22 17:06:55 UTC
-1 9dfce1530f224df3902f40ad1497834c Tue 2021-03-23 05:31:09 UTC—Wed 2021-03-24 09:32:50 UTC
 0 c4a280d403044a9abb88d1ba68d00986 Wed 2021-03-24 14:13:46 UTC—Wed 2021-03-24 15:44:25 UTC

Kernel Message #

  • -k: Shows kernel messages or logs from current boot. To list messages for another boot log, use:
journalctl -k -b -2

Messages in reverse #

  • -r: show the messages in reverse; latest first:
journalctl -u sshd -n 100 -r

Time Ranges #

If components of the above format are left off, some defaults will be applied. For instance, if the date is omitted, the current date will be assumed. If the time component is missing, “​00:​00:​00” (midnight) will be substi​tuted. The seconds field can be left off as well to default to “​00”:

jour​nalctl --since "1 hour ago"

jour​nalctl --since yester​day

jour​nalctl --since "2 days ago"

journalctl --since "2020-05-03 23:15:00" --until "2021-03-23 23:20:00"

Priority or Log Levels #

Get logs by priority name or numeric value:

|---|---------|
| 0 | emerg   |
| 1 | alert   |
| 2 | crit    |
| 3 | err     |
| 4 | warning |
| 5 | notice  |
| 6 | info    |
| 7 | debug   |

The above numbers or names can be used interc​han​geably with the -p option. Selecting a priority will display messages marked at the specified level and those above it:

journalctl -u ssh -p warning -n 100

By Process, User, or Group ID #

PID #

journalctl _PID=3345

UID #

journalctl _UID=101

journalctl _UID=100 _UID=200 --since today

journalctl _UID=`id -u admin`

GID #

journalctl _GID=101

Output Format #

Verbose #

journalctl -o verbose

journalctl -o verbose --output-fields=MESSAGE

journalctl -o verbose --output-fields=MESSAGE,PRIOTIRY,_TRANSPORT

Json #

journalctl -o json-pretty

journalctl -o verbose --output-fields=MESSAGE,PRIOTIRY,_TRANSPORT -o json-pretty

Filtering #

Executable #

journalctl _COMM=sudo -r

journalctl /usr/bin/bash

Hostname #

journalctl _HOSTNAME=hostname

Manage Journal Size #

How much disk space is currently taken up by the journal #

kavish@ubuntu-local:~$ journalctl --disk-usage
Archived and active journals take up 64.0M in the file system.

Verify the integrity of the journal #

If the some parts of the journal is corrupted, enough details will be provided on how to salvage the remaining data. More details can be found here.

kavish@ubuntu-local:~$ journalctl --verify
PASS: /var/log/journal/c72622c6fd9c42989ab119192791eeb8/system.journal
PASS: /var/log/journal/c72622c6fd9c42989ab119192791eeb8/user-1000.journal

Vacuum by size #

Retain only 100MB of journal entries:

journalctl --vacuum-size=100M

Vacuum by time #

Specified with the usual “s”, “m”, “h”, “days”, “months”, “weeks” and “years” suffixes:

journalctl --vacuum-time="1d"

Vacuum by files #

Deletes all but the specified number of journal files. Tthis won’t delete any journal files that are actively in use:

journalctl --vacuum-files=2

Which executables have been logging errors at a loglevel lower than error in the past month? #

journalctl --since -1month -p 7..4 -o json | jq -r 'select (.MESSAGE | contains("error")) | ._EXE'  | sort -u