From Bonus Bits
Jump to: navigation, search


This article gives examples of using journalcrl BASH command to read systemd logs.

Useful Switches

Switch Description Example
-f Show new log entries as they are added.
-k Show kernel messages.
-u Show messages for specified systemd service.
-b Show current boot messages.
-r Show the messages in reverse order; latest first.
-p Shows you all messages marked as error, critical, alert, or emerge­ncy. jour­nalctl -p err

Time Ranges

Example Description
jour­nalctl --since "1 hour ago" Show journal messages logged within the last hour
jour­nalctl --since 09:00 --until "1 hour ago" Show reports starting at 9:00 AM and continuing until an hour ago
jour­nalctl --since yester­day Show journal messages logged since yesterday
jour­nalctl --since "2 days ago" Show logged in the last two days
jour­nalctl --since "­201­7-05-23 23:15:­00" --until "­201­7-05-23 23:20:­00" All messages logged on or after the since parameter and logged on or before the until parameter will be shown

Icon-Tip-Square-Green.png If components of the above format are left off, some defaults will be applied. For instance, if the date is omitted, the current date will be assumed. If the time component is missing, "­00:­00:­00" (midnight) will be substi­tuted. The seconds field can be left off as well to default to "­00

By Process, User, or Group ID

Argument Example Description
_GID= jour­nalctl _GID=800 Show messages belonging to a specific group ID
_PID= jour­nalctl _PID=123 Show messages produced by a specific process ID
_UID= jour­nalctl _UID=100, jour­nalctl _UID=100 _UID=200 --since today Show messages belonging to a specific user ID

By Priority

You can use either the priority name or its corres­ponding numeric value. In order of highest to lowest priority

Number Name Example Description
0 emerg journalctl -p 0 Emergency
1 alert journalctl -p 1 Alerts
2 crit journalctl -p 2 Critial
3 err journalctl -p 3 Errors
4 warn­ing journalctl -p 4 Warning
5 notice journalctl -p 5 Notice
6 info journalctl -p 6 Informational
7 debug journalctl -p 7 Debug


journalctl [OPTIONS...] [MATCHES...]

Query the journal.

     --system              Show the system journal
     --user                Show the user journal for the current user
  -M --machine=CONTAINER   Operate on local container
  -S --since=DATE          Show entries not older than the specified date
  -U --until=DATE          Show entries not newer than the specified date
  -c --cursor=CURSOR       Show entries starting at the specified cursor
     --after-cursor=CURSOR Show entries after the specified cursor
     --show-cursor         Print the cursor after all the entries
  -b --boot[=ID]           Show current boot or the specified boot
     --list-boots          Show terse information about recorded boots
  -k --dmesg               Show kernel message log from the current boot
  -u --unit=UNIT           Show logs from the specified unit
  -t --identifier=STRING   Show entries with the specified syslog identifier
  -p --priority=RANGE      Show entries with the specified priority
  -e --pager-end           Immediately jump to the end in the pager
  -f --follow              Follow the journal
  -n --lines[=INTEGER]     Number of journal entries to show
     --no-tail             Show all lines, even in follow mode
  -r --reverse             Show the newest entries first
  -o --output=STRING       Change journal output mode (short, short-iso,
                                   short-precise, short-monotonic, verbose,
                                   export, json, json-pretty, json-sse, cat)
     --utc                 Express time in Coordinated Universal Time (UTC)
  -x --catalog             Add message explanations where available
     --no-full             Ellipsize fields
  -a --all                 Show all fields, including long and unprintable
  -q --quiet               Do not show privilege warning
     --no-pager            Do not pipe output into a pager
  -m --merge               Show entries from all available journals
  -D --directory=PATH      Show journal files from directory
     --file=PATH           Show journal file
     --root=ROOT           Operate on catalog files underneath the root ROOT
     --interval=TIME       Time interval for changing the FSS sealing key
     --verify-key=KEY      Specify FSS verification key
     --force               Override of the FSS key pair with --setup-keys

  -h --help                Show this help text
     --version             Show package version
  -F --field=FIELD         List all values that a specified field takes
     --new-id128           Generate a new 128-bit ID
     --disk-usage          Show total disk usage of all journal files
     --vacuum-size=BYTES   Reduce disk usage below specified size
     --vacuum-time=TIME    Remove journal files older than specified date
     --flush               Flush all journal data from /run into /var
     --header              Show journal header information
     --list-catalog        Show all message IDs in the catalog
     --dump-catalog        Show entries in the message catalog
     --update-catalog      Update the message catalog database
     --setup-keys          Generate a new FSS key pair
     --verify              Verify journal file consistency

Related Articles