
How to use journalctl to read Linux system logs




Logging on Linux systems changed with the introduction of systemd. Learn how to use the journalctl command to read and filter system log messages.

Centralized logging

No stranger to controversy, systemd introduced a major change in how system logs are collected. Logs used to live in different places in the file system, depending on the service or daemon that created them, but they all had one thing in common: they were plain text files.

With systemd, all system, boot, and kernel log files are collected and managed by a single, dedicated logging solution. The format they are stored in is binary. One thing this makes possible is extracting the data in different formats, such as JSON, as we will see.

It also makes it easier to relate information that would previously have been recorded in separate log files. Because the data is now stored in a single journal, entries from the different sources of interest can be selected and displayed in one interleaved list.

journalctl is the tool used to work with the journal.

journalctl With No Frills

You can call journalctl without command line parameters:

  journalctl 


journalctl displays the entire journal, with the oldest entries at the top of the list. The list is shown in less, so you can scroll and search using the usual less navigation keys. You can also use the Left Arrow and Right Arrow keys to scroll sideways to read wide log entries.

If you press the End key, you jump straight to the bottom of the list and the latest log entries.


Press Ctrl+C to exit.


Although journalctl can be run without sudo, using sudo ensures that you see all the details in the log.

  sudo journalctl 


If necessary, you can have journalctl send its output to the terminal window instead of to less by using the --no-pager option.

  sudo journalctl --no-pager


The output scrolls quickly through the terminal window and you return to the command prompt.


To limit the number of lines journalctl returns, use the -n (lines) option. Let's ask for ten lines of output:

  sudo journalctl -n 10 


Following Journal Updates

To have journalctl display new entries as they arrive in the journal, use the -f (follow) option.

  sudo journalctl -f 


The latest entry has a timestamp of 07:09:07. As new activity takes place, new entries are added at the bottom of the screen. Almost real-time updates – cool!


At 07:09:59 an application called geek-app injected a log entry into the journal with the text "New message from HTG."

Changing the display format

Because the journal is a binary file, its data must be converted to text before it can be shown to you. Different parsers can produce different output formats from the same binary source data, and journalctl supports several of them.

The default output is the short format, which is very similar to the classic syslog format. To request the short format explicitly, use the -o (output) option with the short modifier.

  sudo journalctl -n 10 -o short


From left to right the fields are:

  • The time the message was created, in local time.
  • The host name.
  • The process name. This is the process that generated the message.
  • The log message.

Use the short-full modifier to obtain a full date and time stamp:

  sudo journalctl -n 10 -o short-full


The date and time format in this output is the format you must use when specifying dates and times to select log messages by time period, as we will see shortly.

To see all the metadata associated with each log message, use the verbose modifier.

  sudo journalctl -n 10 -o verbose 


There are many possible fields, but it is rare for all of them to be present in a single message.


One field worth discussing is Priority. In this example it has a value of 6. The value represents the importance of the message:

  • 0: Emergency. The system is unusable.
  • 1: Alert. A condition has been flagged that must be corrected immediately.
  • 2: Critical. This includes crashes, core dumps, and significant failures in primary applications.
  • 3: Error. An error has been reported, but it is not considered serious.
  • 4: Warning. Brings a condition to your attention that, if ignored, can become an error.
  • 5: Notice. Used to report events that are unusual but are not errors.
  • 6: Informational. Regular operational messages. These do not require any action.
  • 7: Debug. Messages placed in applications to make them easier to debug.

If you want the output presented as well-formed JavaScript Object Notation (JSON) objects, use the json modifier:

  sudo journalctl -n 10 -o json 


Each message is packaged as a well-formed JSON object, with one message per line of output.

To have the JSON output pretty-printed, use the json-pretty modifier.

  sudo journalctl -n 10 -o json-pretty 


Each JSON object is split across multiple lines, with each name-value pair on its own line.


To view only the log entry messages, without timestamps or other metadata, use the cat modifier:

  sudo journalctl -n 10 -o cat


This display format can make it difficult to identify which process caused the log event, although some messages do contain a clue.


Selecting log messages by time period

To restrict the output of journalctl to a period you are interested in, use the -S (since) and -U (until) options.

To view the log entries since a certain time and date, use this command:

  sudo journalctl -S "2020-91-12 7:00:00" 


The display shows only messages that arrived in the journal after that date and time.


Use the -S (since) and -U (until) options together to define a period to report on. This command displays the log messages from a 15-minute period:

  sudo journalctl -S "2020-91-12 7:00:00" -U "2020-91-12 07:15:00"

This is a great combination to use if you know that something strange happened on your system and roughly when it happened.


Using relative time periods

You can use relative addressing when selecting your time periods. That means you can say things like 'show me all the events from a day ago until now'. This is exactly what the following command means. The "d" stands for "day" and the "-1" means one day in the past.

  sudo journalctl -S -1d 

Log messages from yesterday at 00:00:00 until 'now' are displayed.


If you want to investigate something that happened in the recent past, you can specify a relative time period measured in hours. Here we view the log messages from the last hour:

  sudo journalctl -S -1h 


The messages from the last hour are displayed. You can also use "m" to measure relative time periods in minutes and "w" for weeks.


journalctl understands today, yesterday, and tomorrow. These modifiers provide a convenient way to specify common time periods. Use this command to see all the events that happened yesterday:

  sudo journalctl -S yesterday 


All journal events that happened yesterday, up until midnight 00:00:00, are retrieved and displayed.


Use this command to view all log messages received so far today:

  sudo journalctl -S today 


Everything from 00:00:00 until the time the command is issued is displayed.


You can combine the different time period modifiers. Use this command to view everything from two days ago up to the start of today:

  sudo journalctl -S -2d -U today 

Everything from the day before yesterday up to the start of today is retrieved and displayed.


Selecting log messages by data fields

You can search for log messages that match a wide range of journal fields. These searches look for matches in the metadata attached to each message. It is worth referring to the list of journal fields and choosing the ones most useful to you.

Bear in mind that whether an application fills in every field completely, or at all, is entirely up to the application's authors. You cannot guarantee that every field will be populated.

All journal field matches are used in the same way. We will use a few of them in the examples below. Use the _COMM (command) field to search for log messages from a specific application. If you also use the -f (follow) option, journalctl will follow new messages from that application as they arrive.

  sudo journalctl -f _COMM=geek-app

You can search for log entries by the process ID of the process that generated the log message. Use the ps command to find the process ID of the daemon or application you are looking for.

  sudo journalctl _PID=751


On the machine used to research this article, the SSH daemon's process ID is 751.


You can also search by user ID. This is the user ID of the person who started the application or command, or who owns the process.

  sudo journalctl _UID=1000


All messages associated with other user IDs are filtered out. Only messages related to user 1000 are displayed.


Another way to search for log messages related to a specific application is by the path to its executable.

  sudo journalctl /usr/bin/anacron


All log messages from the anacron scheduler are retrieved and displayed.


To make searching easier, we can ask journalctl to list all the values that occur in any of the journal fields.

To see the user IDs for which journalctl has recorded log messages, use the -F (fields) option and pass the _UID field identifier.

  journalctl -F _UID 


Let's do that again and look at the group IDs (GIDs):

  journalctl -F _GID


You can do this with any of the journal field identifiers.
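As an added example (not code from the article or from systemd), here is a small Python filter over journalctl -o json output that ties the above together: it decodes the JSON lines (including the byte-array form journalctl uses for non-UTF-8 messages), applies a since/until window in the "YYYY-MM-DD HH:MM:SS" form the article uses, a maximum Priority number, and FIELD=VALUE matches such as _COMM or _UID, then renders entries in the shape of the short format. The sample lines, host name, PIDs and messages are constructed, and timestamps are treated as UTC.

```python
import json
from datetime import datetime, timezone
# Syslog priority numbers, as listed in the article for the PRIORITY field.
PRIORITY_NAMES = {0: "emerg", 1: "alert", 2: "crit", 3: "err",
                  4: "warning", 5: "notice", 6: "info", 7: "debug"}
# Constructed sample shaped like `journalctl -o json`: one object per line, numbers
# as strings, __REALTIME_TIMESTAMP in microseconds; last line has a byte-array MESSAGE.
SAMPLE_JSON_LINES = """\
{"__REALTIME_TIMESTAMP":"1578812947000000","_HOSTNAME":"howtogeek","_COMM":"sshd","_PID":"751","_UID":"0","PRIORITY":"6","MESSAGE":"Accepted publickey for dave"}
{"__REALTIME_TIMESTAMP":"1578812999000000","_HOSTNAME":"howtogeek","_COMM":"geek-app","_PID":"2034","_UID":"1000","PRIORITY":"6","MESSAGE":"New message from HTG"}
{"__REALTIME_TIMESTAMP":"1578813012000000","_HOSTNAME":"howtogeek","_COMM":"sshd","_PID":"751","_UID":"0","PRIORITY":"3","MESSAGE":"error: maximum authentication attempts exceeded"}
{"__REALTIME_TIMESTAMP":"1578813020000000","_HOSTNAME":"howtogeek","_COMM":"kernel","PRIORITY":"4","MESSAGE":[72,105,255]}
"""

def parse_journal_json(text):
    """Parse journalctl -o json lines into dicts, decoding byte-array MESSAGEs."""
    entries = []
    for line in text.splitlines():
        if line.strip():
            entry = json.loads(line)
            if isinstance(entry.get("MESSAGE"), list):
                entry["MESSAGE"] = bytes(entry["MESSAGE"]).decode("utf-8", "replace")
            entries.append(entry)
    return entries

def _utc(stamp):
    """Parse the 'YYYY-MM-DD HH:MM:SS' form the article uses for -S/-U (UTC here)."""
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)

def entry_time(entry):
    return datetime.fromtimestamp(int(entry["__REALTIME_TIMESTAMP"]) / 1e6, timezone.utc)

def match(entries, since=None, until=None, max_priority=7, **fields):
    """Filter like journalctl: a -S/-U window, PRIORITY <= max_priority, and
    FIELD=VALUE matches such as match(entries, _COMM="sshd"). An entry that
    lacks a requested field never matches."""
    lo = _utc(since) if since else None
    hi = _utc(until) if until else None
    kept = []
    for e in entries:
        ts = entry_time(e)
        if (lo and ts < lo) or (hi and ts >= hi):
            continue
        if int(e.get("PRIORITY", 7)) > max_priority:
            continue
        if all(e.get(k) == v for k, v in fields.items()):
            kept.append(e)
    return kept

def format_short(entry):
    """Render one entry like the default short format: time, host, comm[pid], message."""
    tag = entry.get("_COMM", "unknown") + (f"[{entry['_PID']}]" if "_PID" in entry else "")
    prio = PRIORITY_NAMES.get(int(entry.get("PRIORITY", 7)), "?")
    return f"{entry_time(entry):%b %d %H:%M:%S} {entry.get('_HOSTNAME', '-')} {tag}: <{prio}> {entry['MESSAGE']}"
```

Run it against real data with `journalctl -o json | python3 -c ...` or a saved file; note that the short format on a live system prints local time, whereas this helper uses UTC.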

Viewing kernel messages

There is a built-in way to quickly isolate kernel messages, so you do not have to search for and separate them yourself. The -k (kernel) option drops all other messages and immediately shows you the kernel log entries.

  sudo journalctl -k 


The highlighting reflects the importance of each message, according to the values in the Priority field.


Reviewing Boot Messages

If you have a problem with booting that you want to investigate, journalctl has you covered. Perhaps you have added new hardware and it is not responding, or a previously working hardware component no longer works after your last system upgrade.

To view the log entries related to your last boot, use the -b (boot) option:

  journalctl -b 


The log entries for the last boot are displayed.


When we say 'last boot', we mean the boot process that brought your computer to life for your currently logged-in session. To see previous boots, you can use a number to tell journalctl which boot you are interested in. Use this command to see the third previous boot:

  journalctl -b 3 


Generally, if you had a problem and had to reboot your machine, it is an earlier boot sequence that you are interested in, so this is a commonly used form of the command.


It is easy to get confused by the sequence of boots. To help, we can ask journalctl for a list of the boots it has recorded in its journal, using the --list-boots option.

  journalctl --list-boots

You can identify the boot whose messages you want to view by its date and time stamp, and then use the number in the left column to view the log messages for that boot sequence. You can also pick the 32-bit boot ID and pass it to journalctl.

  sudo journalctl -b 1f00248226ed4ab9a1abac86e0d540d7 

The log messages for the boot sequence we requested are retrieved and displayed.

Managing Journal Hard Disk Space

Of course, the journal and all its log messages are stored on your hard disk, which means they take up disk space. To see how much space the journal is using, use the --disk-usage option:

  journalctl --disk-usage

With today's hard disks, 152 MB is not much space, but we will still trim it for demonstration purposes. There are two ways to do this. The first is to set a maximum size to which you want to reduce the journal. It will of course grow again, but we can prune it now, ready for that new growth.

We will use the delightfully named --vacuum-size option and pass the size we would like to reduce the journal to. We will ask for 100 MB. The way to think of this is that we are asking journalctl to "throw away what you can, but don't go below 100 MB."

  journalctl --vacuum-size=100M

The other way to reduce the size of the journal is the --vacuum-time option. This tells journalctl to delete messages older than the period you specify on the command line. You can use weeks, days, months, and years in the period.

Let's delete all messages older than one week:

  journalctl --vacuum-time = 1weeks 


Data versus information

Data is not useful unless you can get at it and use it. Only then does it become useful information. The journalctl command is a flexible and sophisticated tool that lets you access the information that interests you in a variety of ways.

You can use just about any snippet of information you have to home in on the log messages you need.



