journalctl
To show you all of the journal entries that have been collected since the most recent reboot.
# journalctl -b
To Save Past boots, Some distro/version savves them by default
# mkdir -p /var/log/journal
# vi /etc/systemd/journald.conf
Under the [Journal] section, set the Storage= option to “persistent” to enable persistent logging:
. . .
[Journal]
Storage=persistent
# journalctl --list-boots
journal from the previous boot, use the -1
# journalctl -b -1
journalctl --dmesg
journalctl -u chronyd -b
Display kernal messages
# journalctl -k
# journalctl -k --since today. # -S for Since
# journalctl -k --since "2025-06-17 12:00:00"
Time Window (YYYY-MM-DD HH:MM:SS)
# journalctl --since "2025-06-17 12:00:00"
# journalctl --since "2015-01-10" --until "2015-01-11 03:00" # -U for Until
# journalctl --since yesterday
If you received reports of a service interruption starting at 9:00 AM and continuing until an hour ago, you could type:
# journalctl --since 09:00 --until "1 hour ago"
By Unit
# journalctl -u nginx.service
# journalctl -u nginx.service --since today
# journalctl -u nginx.service -u php-fpm.service --since today
By Process, User, or Group ID
# journalctl _PID=8088
#journalctl _UID=<UID> --since today
Component Path
# journalctl /usr/bin/bash
will display all of the entries that involve the executable in question. For instance, to find those entries that involve the bash executable
Priority
# journalctl -p err
# journalctl -p warning
# journalctl -p crit
# journalctl -p emerg
# journalctl -p alert
0: emerg
1: alert
2: crit
3: err
4: warning
5: notice
6: info
7: debug
# journalctl -p 3
# journalctl -p 3..5
# journalctl -p 3..5 --since today
The journal implements the standard syslog message levels. You can use either the priority name or its corresponding numeric value.
output format
journalctl -b -u nginx -o json
journalctl --no-pager
journalctl -b -u nginx -o json-pretty
The following formats can be used for display:
cat: Displays only the message field itself.
export: A binary format suitable for transferring or backing up.
json: Standard JSON with one entry per line.
json-pretty: JSON formatted for better human-readability
json-sse: JSON formatted output wrapped to make add server-sent event compatible
short: The default syslog style output
short-iso: The default format augmented to show ISO 8601 wallclock timestamps.
short-monotonic: The default format with monotonic timestamps.
short-precise: The default format with microsecond precision
verbose: Shows every journal field available for the entry, including those usually hidden internally.
# journalctl -b -u nginx -o short-iso
# journalctl -b -u nginx -o short-precise
# journalctl -b -u nginx -o verbose
Recent Log Entries
# journalctl -n 100
# journalctl -n 100 --no-pager
# journalctl -f
# journalctl -f --no-pager
# journalctl -f -u nginx.service
# journalctl -f -u nginx.service --no-pager
# journalctl -f -u nginx.service --no-pager --since today
# journalctl -f -u nginx.service --no-pager --since "2025-06-17 12:00:00"
# journalctl -f -u nginx.service --no-pager --since yesterday
# journalctl -f -u nginx.service --no-pager --since "2025-06-17 12:00:00" --until "2025-06-17 13:00:00"
# journalctl -f -u nginx.service --no-pager --since "2025-06-17 12:00:00" --until "1 hour ago"
# journalctl --rotate
# journalctl --disk-usage
Delete old Logs
# journalctl --vacuum-size=1G
# journalctl --vacuum-time=1month
# journalctl --vacuum-files=4
# journalctl --vacuum-size=200M
--facility=help
journalctl --facility=mail
--file [journal filename] This names a specific journal file in /var/log/journal/<journal subdirectory>.
--sync This writes all unwritten journal entries (still in RAM but not in /run/log/journal) to the persistent filesystem. All journal entries known to the journaling system at the time the command is entered are moved to persistent storage.
Adding journal entries
[root@testvm1 ~]# echo "Hello world" | systemd-cat -p info -t myprog
[root@testvm1 ~]# journalctl -n 10
No comments:
Post a Comment