
How To Use Journalctl to View and Manipulate Systemd Logs

Last Updated : 26 Feb, 2024

Journalctl is a powerful command-line utility in Linux for querying and displaying logs managed by systemd-journald. It lets users access detailed information about system events, services, and processes. With journalctl, you can filter logs based on various criteria such as time range, specific units, or log levels, enabling effective troubleshooting and analysis of system activity. This tool is integral for system administrators and users seeking comprehensive insights into the operational history of a Linux system.

What is Journalctl?

Journalctl is a command-line utility in Linux systems that allows users to query and display messages from the journal, a centralized logging system used by systemd. Systemd is a system and service manager for Linux operating systems. The journal contains information about various system events, including system startup messages, hardware events, kernel messages, and messages from various services and applications. journalctl provides a convenient way to view, filter, and analyze these log messages.

Features of Journalctl:

  1. Centralized Logging: journalctl is part of the systemd suite, which introduces a centralized logging system. System logs are collected and stored in binary format, making them efficient and easy to access.
  2. Rich Metadata: The journal includes rich metadata for log entries, such as the timestamp, log source (unit/service), priority, and other relevant information. This metadata enhances the ability to filter and search for specific entries.
  3. Flexible Querying: Users can query the journal based on various criteria, including time range, specific units (services), log priority, user ID, and more. This makes it easy to narrow down the scope of log entries for analysis.
  4. Human-Readable Output: journalctl provides human-readable output, making it easier for users to interpret and understand log entries. The command formats and structures the information in a way that is accessible to administrators and developers.
  5. Live Monitoring: The -f option allows users to follow and monitor the journal in real time. This is particularly useful for observing system changes and facilitating troubleshooting and debugging.

How To Use Journalctl to View and Manipulate Systemd Logs

1. Basic Log Checking with Journalctl

The journalctl command in Linux is used to view system logs. Running it without any options (journalctl) displays logs from all services and programs, providing a comprehensive but potentially overwhelming overview of system activity.

Command:

journalctl

Output:

Basic Log Checking with Journalctl

2. Filters in Journalctl

Using filters with journalctl enhances the precision of system log information, aiding in monitoring and troubleshooting server issues. Common filters include viewing logs for a specific service with the "-u [service]" filter and filtering logs by date and time using options like "--since" and "--until", as demonstrated by the command:

Command:

journalctl --since yesterday

Output:

Log Filtering

To filter logs from a specific date and time using journalctl, the command is structured as follows: journalctl --since "YYYY-MM-DD HH:MM:SS". This format allows users to narrow down log entries to those recorded from a precise point in time onward, aiding in focused log analysis for troubleshooting or monitoring purposes.

Command:

journalctl --since "YYYY-MM-DD HH:MM:SS"

Output:

Filtering Logs using Date and Time

The journalctl command efficiently filters logs by a specified time range using the "--since" and "--until" options. The example command, journalctl --since "2022-02-28 00:00:00" --until "2022-02-28 23:00:00", displays log messages generated exclusively between 00:00 and 23:00 on February 28, 2022.

Command:

journalctl --since "2022-02-28 00:00:00" --until "2022-02-28 23:00:00"

Output:

Filtering Logs by Specified Time Range

3. Filtering logs of specific units/daemons/services.

On Linux systems, distinct services and programs produce specific log messages. Using journalctl -u [service] enables filtering logs for a particular service, such as journalctl -u cronie.service, revealing all log messages and errors associated with the cronie service.

Command:

journalctl -u cronie.service

Output:

Filtering logs of specific units/daemons/services.

Filtering by the unit name using journalctl streamlines the diagnosis of issues within a specific service, eliminating the need to sift through extensive system logs. This proves valuable for the efficient management and troubleshooting of Linux servers.

4. Getting Kernel Logs

The journalctl -k command selectively retrieves log messages solely from the Linux kernel, isolating errors, issues, and events at the kernel level from other program logs. This focused approach helps monitor and troubleshoot the operating system’s core components.

Command:

journalctl -k

Output:

Getting Kernel Logs

The -b option restricts the output to a single system boot: journalctl -k -b shows kernel logs from the current boot only. By specifying a negative number with -b (e.g., -b -1, -b -2), logs from previous system boots can be obtained for further analysis, so the command journalctl -k -b -1 retrieves kernel logs from the boot before the current one.

Command:

journalctl -k -b -1

Output:

System Boot Logs
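
The unit, kernel, boot and time-range filters shown so far can be combined in one call. The following POSIX shell sketch is an added example, not part of the original article: it validates the time range and then runs journalctl for a unit or for the kernel. The names journal_query, is_timestamp and JOURNALCTL are assumptions made for this example.

```shell
#!/bin/sh
# Added example: one validated journalctl call combining the unit (-u),
# kernel (-k), boot (-b) and time-range (--since/--until) filters.
# journal_query, is_timestamp and JOURNALCTL are hypothetical names.

JOURNALCTL=${JOURNALCTL:-journalctl}   # override to dry-run, e.g. JOURNALCTL=echo

# Accept only the full "YYYY-MM-DD HH:MM:SS" form used in the article.
# journalctl itself also accepts shorter forms and words such as "yesterday".
is_timestamp() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]" "[0-9][0-9]:[0-9][0-9]:[0-9][0-9])
            return 0 ;;
        *)  return 1 ;;
    esac
}

# journal_query SOURCE SINCE UNTIL
#   SOURCE: "kernel" (-k), "kernel-prev" (-k -b -1), or a unit name (-u).
journal_query() {
    q_src=$1; q_since=$2; q_until=$3
    if ! is_timestamp "$q_since" || ! is_timestamp "$q_until"; then
        echo "timestamps must look like YYYY-MM-DD HH:MM:SS" >&2
        return 2
    fi
    # Reject a reversed range before running the query.
    # This fixed-width format sorts correctly as plain text.
    if ! printf '%s\n' "$q_since" "$q_until" | LC_ALL=C sort -c 2>/dev/null; then
        echo "--since is later than --until" >&2
        return 2
    fi
    case "$q_src" in
        kernel)      set -- -k ;;
        kernel-prev) set -- -k -b -1 ;;
        *.service|*.timer|*.socket) set -- -u "$q_src" ;;
        *)  echo "unknown source: $q_src" >&2
            return 2 ;;
    esac
    # Every value is passed as its own quoted argument, never through eval.
    $JOURNALCTL "$@" --since "$q_since" --until "$q_until" --no-pager
}

# Usage:
#   journal_query cronie.service "2022-02-28 00:00:00" "2022-02-28 23:00:00"
#   journal_query kernel-prev    "2022-02-28 00:00:00" "2022-02-28 23:00:00"
```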

5. Disk Usage

The journalctl --disk-usage command on Linux systems using systemd provides a summary of the current disk space occupied by the system and kernel logs managed by the systemd-journald service. This helps assess the storage impact of logged information.

Command:

journalctl --disk-usage

Output:

Disk Usage
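
To act on the disk-usage summary in a script, the reported size has to be turned into a number. The following POSIX shell sketch is an added example, not part of the original article: it parses the summary line into bytes and compares it with a budget. The names journal_bytes, journal_over_budget and SAMPLE are assumptions, as are the constructed sample line and the 1024-based one-letter size suffixes.

```shell
#!/bin/sh
# Added example: convert the summary line printed by `journalctl --disk-usage`
# into bytes and compare it with a storage budget.
# journal_bytes, journal_over_budget and SAMPLE are hypothetical names; the
# parser assumes 1024-based sizes with a one-letter suffix, as in SAMPLE.

# Constructed sample of the summary line, so the parser runs offline.
SAMPLE='Archived and active journals take up 1.5G in the file system.'

# Print the first size found in the text as a whole number of bytes.
# Exits non-zero when the text contains no size.
journal_bytes() {
    printf '%s\n' "$1" | awk '
        {
            for (i = 1; i <= NF && !found; i++)
                if ($i ~ /^[0-9]+(\.[0-9]+)?[BKMGT]$/) {
                    unit = substr($i, length($i))
                    mult = 1
                    if (unit == "K") mult = 1024
                    if (unit == "M") mult = 1024 ^ 2
                    if (unit == "G") mult = 1024 ^ 3
                    if (unit == "T") mult = 1024 ^ 4
                    printf "%.0f\n", substr($i, 1, length($i) - 1) * mult
                    found = 1
                }
        }
        END { exit (found ? 0 : 1) }'
}

# Exit 0 when usage exceeds the budget, 1 when within it, 2 on a parse error.
#   $1: text from `journalctl --disk-usage`   $2: budget such as 500M
journal_over_budget() {
    used=$(journal_bytes "$1") || return 2
    limit=$(journal_bytes "$2") || return 2
    [ "$used" -gt "$limit" ]
}

# Usage:
#   journal_over_budget "$(journalctl --disk-usage)" 500M &&
#       echo "journal is over budget" >&2
```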

Conclusions

In conclusion, the journalctl command allows filtering Linux system logs to extract relevant information for monitoring and troubleshooting. Using options like -u, -b, and -k provides visibility into logs of specific services, boot sessions, and kernel activity. Filters by time and text search further pinpoint logs, which makes inspecting verbose log data easier. Managing log storage is also important to avoid filling filesystems. Overall, journalctl with the right filters helps simplify log analysis for system administration.


