{"id":15810,"date":"2023-08-24T11:36:01","date_gmt":"2023-08-24T06:06:01","guid":{"rendered":"https:\/\/www.binarytides.com\/?p=15810"},"modified":"2023-08-24T11:36:01","modified_gmt":"2023-08-24T06:06:01","slug":"journalctl-command-examples-in-linux","status":"publish","type":"post","link":"https:\/\/www.binarytides.com\/journalctl-command-examples-in-linux\/","title":{"rendered":"Journalctl Command examples in Linux &#8211; A Comprehensive Guide"},"content":{"rendered":"<p>Maintaining a healthy and productive Linux environment requires effective system log management. With the introduction of systemd, the system and service manager for recent Linux distributions, the journalctl command has become an essential tool for accessing and analyzing system logs.<\/p>\n\n<p>This article walks through the journalctl command's options on Linux-based systems using a variety of examples.<\/p>\n<h3>Introduction to journalctl<\/h3>\n<p>'journalctl' is a command-line tool that provides access to the systemd journal, the integrated logging system built into Linux distributions that use systemd.<\/p>\n<p>It gathers logs into a single, binary format rather than traditional log files, which are frequently split across several files and directories. 
Consequently, log management becomes easier and more efficient.<\/p>\n<p>This consolidation makes better system monitoring possible and lets you retrieve logs from a variety of sources, such as kernel messages, services, applications, and more.<\/p>\n<h3>Basic Usage<\/h3>\n<p>Use the journalctl command to see the logs that the journald daemon has collected.<\/p>\n<p>When run without any options, it displays every journal entry on the system in a pager (usually less) for you to browse. The oldest entries will be at the top.<\/p>\n<pre class=\"terminal\" >journalctl<\/pre>\n<p><b>Sample output<\/b><\/p>\n<pre class=\"terminal\" >Jun 14 12:22:29 groot kernel: Linux version 5.15.0-73-generic (buildd@bos03-amd64-060) (gcc \r\nJun 14 12:22:29 groot kernel: Command line: BOOT_IMAGE=\/vmlinuz-5.15.0-73-generic root=\/dev\/mapper\/&gt;\r\nJun 14 12:22:29 groot kernel: KERNEL supported cpus:\r\nJun 14 12:22:29 groot kernel:   Intel GenuineIntel\r\nJun 14 12:22:29 groot kernel:   AMD AuthenticAMD\r\nJun 14 12:22:29 groot kernel:   Hygon HygonGenuine\r\nJun 14 12:22:29 groot kernel:   Centaur CentaurHauls\r\nJun 14 12:22:29 groot kernel:   zhaoxin   Shanghai\r\nJun 14 12:22:29 groot kernel: [Firmware Bug]: TSC doesn&#039;t count with P0 frequency!
\r\nJun 14 12:22:29 groot kernel: x86\/fpu: x87 FPU will use FXSAVE\r\nJun 14 12:22:29 groot kernel: signal: max sigframe size: 1440\r\nJun 14 12:22:29 groot kernel: BIOS-provided physical RAM map:\r\nJun 14 12:22:29 groot kernel: BIOS-e820: [mem 0x0000000000000000-0x000000000009fbff] usable\r\nJun 14 12:22:29 groot kernel: BIOS-e820: [mem 0x000000000009fc00-0x000000000009ffff] reserved\r\nJun 14 12:22:29 groot kernel: BIOS-e820: [mem 0x00000000000f0000-0x00000000000fffff] reserved\r\nJun 14 12:22:29 groot kernel: BIOS-e820: [mem 0x0000000000100000-0x00000000dffeffff] usable\r\nJun 14 12:22:29 groot kernel: BIOS-e820: [mem 0x00000000dfff0000-0x00000000dfffffff] ACPI data\r\nJun 14 12:22:29 groot kernel: BIOS-e820: [mem 0x00000000fec00000-0x00000000fec00fff] reserved\r\nJun 14 12:22:29 groot kernel: BIOS-e820: [mem 0x00000000fee00000-0x00000000fee00fff] reserved\r\nJun 14 12:22:29 groot kernel: BIOS-e820: [mem 0x00000000fffc0000-0x00000000ffffffff] reserved\r\nJun 14 12:22:29 groot kernel: BIOS-e820: [mem 0x0000000100000000-0x00000002145fffff] usable\r\nJun 14 12:22:29 groot kernel: NX (Execute Disable) protection: active\r\nJun 14 12:22:29 groot kernel: SMBIOS 2.5 present.
\r\nJun 14 12:22:29 groot kernel: DMI: innotek GmbH VirtualBox\/VirtualBox, BIOS VirtualBox 12\/01\/2006\r\nJun 14 12:22:29 groot kernel: Hypervisor detected: KVM\r\nJun 14 12:22:29 groot kernel: kvm-clock: Using msrs 4b564d01 and 4b564d00\r\nJun 14 12:22:29 groot kernel: kvm-clock: cpu 0, msr 1d7401001, primary cpu clock\r\nJun 14 12:22:29 groot kernel: kvm-clock: using sched offset of 924714554074 cycles\r\nJun 14 12:22:29 groot kernel: clocksource: kvm-clock: mask: 0xffffffffffffffff max_cycles: 0x1cd42e&gt;\r\nJun 14 12:22:29 groot kernel: tsc: Detected 3293.726 MHz processor\r\nJun 14 12:22:29 groot kernel: e820: update [mem 0x00000000-0x00000fff] usable ==&gt; reserved\r\nJun 14 12:22:29 groot kernel: e820: remove [mem 0x000a0000-0x000fffff] usable\r\nJun 14 12:22:29 groot kernel: last_pfn = 0x214600 max_arch_pfn = 0x400000000\r\nJun 14 12:22:29 groot kernel: Disabled\r\nJun 14 12:22:29 groot kernel: x86\/PAT: MTRRs disabled, skipping PAT initialization too.<\/pre>\n\n<p>You will likely have pages and pages of data to scroll through, which can be 
tens or hundreds of thousands of lines long if systemd has been on your system for a long while. This demonstrates how much data is available in the journal database.<\/p>\n<p>The format will be familiar to anyone used to standard syslog logging. However, the journal actually collects data from more sources than traditional syslog implementations are capable of. It includes logs from the early boot process, the kernel, the initrd, and application standard error and standard output. These are all available in the journal.<\/p>\n<p>You may notice that all of the timestamps are displayed in local time. Every log entry is shown in the time zone that is configured on the system.<\/p>\n<p>If you want the timestamps to display in UTC, you can use the <strong>'--utc'<\/strong> flag:<\/p>\n<pre class=\"terminal\" >journalctl --utc<\/pre>\n<h3>Printing in reverse order<\/h3>\n<p>To print the log entries in reverse order, with the most recent entry first, use the -r option. 
Here is an example that prints the sshd service logs in reverse order and prints only 10 entries.<\/p>\n<pre class=\"terminal\" >journalctl -u sshd.service -r -n 10<\/pre>\n<h3>Live Console Output<\/h3>\n<p>If you want to view the journal entries in real time in the console as they are being created, use the follow switch \"-f\".<\/p>\n<pre class=\"terminal\" >journalctl -f<\/pre>\n<p>The command then prints the log entries in real time.<\/p>\n<pre class=\"terminal\" >$ journalctl -f\r\nAug 24 11:02:48 enlightened NetworkManager[1250]: &lt;warn&gt;  [1692855168.5237] platform-linux: do-add-ip6-address[2: fe80::16ed:72a8:1882:57a3]: failure 95 (Operation not supported)\r\nAug 24 11:02:50 enlightened NetworkManager[1250]: &lt;warn&gt;  [1692855170.5245] platform-linux: do-add-ip6-address[2: fe80::43d8:e74c:c1c3:467]: failure 95 (Operation not supported)\r\nAug 24 11:02:52 enlightened NetworkManager[1250]: &lt;warn&gt;  [1692855172.5248] ipv6ll[ccef0847d9ed30c9,ifindex=2]: changed: no IPv6 link local address to retry after Duplicate Address Detection failures (back off)\r\nAug 24 11:03:02 enlightened NetworkManager[1250]: &lt;warn&gt;  [1692855182.5254] platform-linux: do-add-ip6-address[2: fe80::de70:176b:722b:ec56]: failure 95 (Operation not supported)\r\nAug 24 11:03:03 enlightened kernel: [UFW BLOCK] IN=enp1s0 OUT= MAC=01:00:5e:00:00:01:80:26:89:c3:6a:ca:08:00 SRC=192.168.1.7 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0x00 TTL=1 ID=37338 DF PROTO=2 \r\nAug 24 11:03:04 enlightened NetworkManager[1250]: &lt;warn&gt;  [1692855184.5264] platform-linux: do-add-ip6-address[2: fe80::963a:8c7b:4b91:4b82]: failure 95 (Operation not supported)\r\nAug 24 11:03:06 enlightened NetworkManager[1250]: &lt;warn&gt;  [1692855186.5268] platform-linux: do-add-ip6-address[2: fe80::3128:3058:2ba5:ab9]: failure 95 (Operation not supported)<\/pre>
\n\n<h3>Journal Filtering<\/h3>\n<p>While having access to such a large collection of data is definitely useful, it can be difficult or impossible to inspect and process manually. Because of this, one of the most important features of journalctl is its filtering options.<\/p>\n<h4>Getting Logs from the Current Boot<\/h4>\n<p>The most basic of these, which you might use daily, is the <strong>'-b'<\/strong> flag. This will show you all of the journal entries that have been collected since the most recent reboot.<\/p>\n<pre class=\"terminal\" >journalctl -b<\/pre>\n<p>In cases where you aren't using this feature and are displaying more than one day of boots, you will see that journalctl has inserted a line that looks like this whenever the system was down.<\/p>\n<pre class=\"terminal\" >Output\r\n. . .\r\n\r\n-- Reboot --\r\n\r\n. . .<\/pre>\n<p>This can be used to help you logically separate the information into boot sessions.<\/p>\n<h4>Previous Boots<\/h4>\n<p>In the above example, we went through the logs of the current boot. Now, let us go through the logs of previous boots, which are often helpful as well. The journal can save information from many previous boots, and journalctl can display it easily.<\/p>\n<p>Some distributions enable saving previous boot information by default, while others do not. 
To enable persistent boot information, you can create the directory to store the journal by typing:<\/p>\n<pre class=\"terminal\" >sudo mkdir -p \/var\/log\/journal<\/pre>\n<p>Or, you can edit the journal configuration file.<\/p>\n<pre class=\"terminal\" >sudo nano \/etc\/systemd\/journald.conf<\/pre>\n<p>Under the [Journal] section, set the <strong>Storage= option to 'persistent'<\/strong> to enable persistent logging.<\/p>\n<pre class=\"terminal\" >[Journal]\r\nStorage=persistent<\/pre>\n<p>When saving previous boots is enabled on your server, journalctl provides some commands to help you work with boots as a unit of division. To see the boots that journald knows about, use the <strong>'--list-boots'<\/strong> option with journalctl.<\/p>\n<pre class=\"terminal\" >journalctl --list-boots<\/pre>\n<p><b>Sample output<\/b><\/p>\n<pre class=\"terminal\" >-5 75dd1dfd1c12443181d0c77c428d6557 Wed 2023-06-14 12:22:29 UTC&mdash;Wed 2023-06-14 12:37:21 UTC\r\n-4 a8ce1690897a42ddbf88dd9e95f0a38b Wed 2023-06-14 12:38:10 UTC&mdash;Wed 2023-06-14 13:01:54 UTC\r\n-3 9fe10a2b03bc4d1d930bcbe2feb24970 Wed 2023-06-14 13:02:13 UTC&mdash;Wed 2023-06-14 13:14:24 UTC\r\n-2 ef89772662e84596a89466adc7d5ce8b Wed 2023-06-14 13:14:43 UTC&mdash;Wed 2023-06-14 13:16:10 UTC\r\n-1 780a22258bf64c8e989579e3b879ceb0 Tue 2023-08-15 02:48:22 UTC&mdash;Tue 2023-08-15 02:50:06 UTC\r\n 0 ab466baee590498cb90a027753db9984 Tue 2023-08-15 03:49:31 UTC&mdash;Tue 2023-08-15 04:04:35 UTC<\/pre>\n<p>This will display a line for each boot. The first column is the offset for the boot that can be used to easily reference the boot with journalctl. 
<\/p>\n<p>If you need an absolute reference, the boot ID is in the second column. The two timestamps at the end of each line show the period that the boot session covers.<\/p>\n<p>To display information from these boots, you can use data from either the first or second column.<\/p>\n<p>For instance, to see the journal from the previous boot, use the <strong>'-1' relative pointer<\/strong> with the <strong>'-b' flag<\/strong>.<\/p>\n<pre class=\"terminal\" >journalctl -b -1<\/pre>\n<p>You can also use the boot ID to call back the data from a boot.<\/p>\n<pre class=\"terminal\" >journalctl -b caf0524a1d394ce0bdbcff75b94444fe<\/pre>\n<h4>Timed Logs<\/h4>\n<p>Viewing log entries by boot is useful, but often we may want to view logs for a given time window instead. This may be especially true when dealing with long-running servers having significant uptime.<\/p>\n<p>You can set time limits by using the <strong>'--since'<\/strong> and <strong>'--until'<\/strong> options, which restrict the output to entries after and before the given time, respectively.<\/p>\n<p>The time values can come in a variety of formats. 
For absolute time values, you should use the following format:<\/p>\n<pre class=\"terminal\" >YYYY-MM-DD HH:MM:SS<\/pre>\n<p>For instance, we can see all of the entries from June 14th to August 15th:<\/p>\n<pre class=\"terminal\" >journalctl --since &quot;2023-06-14&quot; --until &quot;2023-08-15&quot;<\/pre>\n<p><b>Sample output<\/b><\/p>\n<pre class=\"terminal\" >Jun 14 12:22:29 groot kernel: Linux version 5.15.0-73-generic (buildd@bos03-amd64-060) (gcc (Ubuntu&gt;\r\nJun 14 12:22:29 groot kernel: Command line: BOOT_IMAGE=\/vmlinuz-5.15.0-73-generic root=\/dev\/mapper\/&gt;\r\nJun 14 12:22:29 groot kernel: KERNEL supported cpus:\r\nJun 14 12:22:29 groot kernel:   Intel GenuineIntel\r\nJun 14 12:22:29 groot kernel:   AMD AuthenticAMD\r\nJun 14 12:22:29 groot kernel:   Hygon HygonGenuine\r\nJun 14 12:22:29 groot kernel:   Centaur CentaurHauls\r\nJun 14 12:22:29 groot kernel:   zhaoxin   Shanghai\r\nJun 14 12:22:29 groot kernel: [Firmware Bug]: TSC doesn&#039;t count with P0 frequency!
\r\nJun 14 12:22:29 groot kernel: x86\/fpu: x87 FPU will use FXSAVE                                      \r\nJun 14 12:22:29 groot kernel: signal: max sigframe size: 1440                                       \r\nJun 14 12:22:29 groot kernel: BIOS-provided physical RAM map:                                       \r\nJun 14 12:22:29 groot kernel: BIOS-e820: [mem 0x0000000000000000-0x000000000009fbff] usable         \r\nJun 14 12:22:29 groot kernel: BIOS-e820: [mem 0x000000000009fc00-0x000000000009ffff] reserved       \r\nJun 14 12:22:29 groot kernel: BIOS-e820: [mem 0x00000000000f0000-0x00000000000fffff] reserved       \r\nJun 14 12:22:29 groot kernel: BIOS-e820: [mem 0x0000000000100000-0x00000000dffeffff] usable         \r\nJun 14 12:22:29 groot kernel: BIOS-e820: [mem 0x00000000dfff0000-0x00000000dfffffff] ACPI data      \r\nJun 14 12:22:29 groot kernel: BIOS-e820: [mem 0x00000000fec00000-0x00000000fec00fff] reserved       \r\nJun 14 12:22:29 groot kernel: BIOS-e820: [mem 0x00000000fee00000-0x00000000fee00fff] reserved       \r\nJun 14 12:22:29 groot kernel: BIOS-e820: [mem 0x00000000fffc0000-0x00000000ffffffff] reserved       \r\nJun 14 12:22:29 groot kernel: BIOS-e820: [mem 0x0000000100000000-0x00000002145fffff] usable         \r\nJun 14 12:22:29 groot kernel: NX (Execute Disable) protection: active                               \r\nJun 14 12:22:29 groot kernel: SMBIOS 2.5 present.                                                   
\r\nJun 14 12:22:29 groot kernel: DMI: innotek GmbH VirtualBox\/VirtualBox, BIOS VirtualBox 12\/01\/2006\r\nJun 14 12:22:29 groot kernel: Hypervisor detected: KVM\r\nJun 14 12:22:29 groot kernel: kvm-clock: Using msrs 4b564d01 and 4b564d00\r\nJun 14 12:22:29 groot kernel: kvm-clock: cpu 0, msr 1d7401001, primary cpu clock\r\nJun 14 12:22:29 groot kernel: kvm-clock: using sched offset of 924714554074 cycles\r\nJun 14 12:22:29 groot kernel: clocksource: kvm-clock: mask: 0xffffffffffffffff max_cycles: 0x1cd42e&gt;\r\nJun 14 12:22:29 groot kernel: tsc: Detected 3293.726 MHz processor\r\nJun 14 12:22:29 groot kernel: e820: update [mem 0x00000000-0x00000fff] usable ==&gt; reserved\r\nJun 14 12:22:29 groot kernel: e820: remove [mem 0x000a0000-0x000fffff] usable\r\nJun 14 12:22:29 groot kernel: last_pfn = 0x214600 max_arch_pfn = 0x400000000\r\nJun 14 12:22:29 groot kernel: Disabled\r\nJun 14 12:22:29 groot kernel: x86\/PAT: MTRRs disabled, skipping PAT initialization too.<\/pre>\n<p>To get the data from yesterday, you could type:<\/p>\n<pre class=\"terminal\" >journalctl --since yesterday<\/pre>\n<p>If you received reports of a service interruption starting at 9:00 AM and continuing until an hour ago, you could type:<\/p>\n<pre class=\"terminal\" >journalctl --since 09:00 --until &quot;1 hour ago&quot;<\/pre>\n<p>As you can see, it is very easy to define flexible time windows to filter the entries you wish to see.<\/p>\n<h3>Filter by service or component<\/h3>\n<p>Previously, we learned some ways to filter the journal data using time constraints. In this section, we'll discuss how to filter based on what service or component you are interested in. 
The systemd journal provides different ways to do this.<\/p>\n<p>The most useful way of filtering is by the unit you are interested in. We can use the <strong>'-u'<\/strong> option for this.<\/p>\n<p>For instance, to see all of the logs from an Nginx unit on our system, run the following command.<\/p>\n<pre class=\"terminal\" >journalctl -u nginx.service<\/pre>\n<p>Furthermore, we can filter the logs of nginx or any other service according to the time.<\/p>\n<pre class=\"terminal\" >journalctl -u nginx.service --since today<\/pre>\n<p>Several '-u' options can be given in one command to merge the entries of multiple units in chronological order.<\/p>\n<pre class=\"terminal\" >journalctl -u nginx.service -u php-fpm.service --since today<\/pre>\n<p>To monitor or follow the mysql logs, we can use the following command:<\/p>\n<pre class=\"terminal\" >journalctl -u mysql.service -f<\/pre>\n<pre class=\"terminal\" >$ journalctl -u mysql.service -f\r\nAug 19 07:48:26 enlightened systemd[1]: Starting mysql.service - MySQL Community Server...\r\nAug 19 07:48:29 enlightened systemd[1]: Started mysql.service - MySQL Community Server.<\/pre>\n<h3>Filter by process, user, or group id<\/h3>\n<p>In the above example, we have gone through the filtering of logs according to the service or component. Now, let us dig into filtering logs by process, user, or group id.<\/p>\n<p>To filter by process, specify the <strong>'_PID'<\/strong> field. If the PID we're interested in is 8088, we could type:<\/p>\n<pre class=\"terminal\" >journalctl _PID=8088<\/pre>\n<p>Sometimes, you may wish to show all of the entries logged from a specific user or group. This can be done with the <code>'_UID'<\/code> or <code>'_GID'<\/code> filters. 
<\/p>\n<p>If your web server runs under the www-data user, you can find the user ID by typing:<\/p>\n<pre class=\"terminal\" >id -u www-data<\/pre>\n<p><strong>Sample output<\/strong><\/p>\n<pre class=\"terminal\" >33<\/pre>\n<p>Afterwards, you can use the ID that was returned to filter the journal results.<\/p>\n<pre class=\"terminal\" >journalctl _UID=33 --since today<\/pre>\n<p>The systemd journal has many fields that can be used for filtering. Some of those are passed from the process being logged, and some are applied by journald using information it gathers from the system at the time of the log.<\/p>\n<p>To see which group IDs the systemd journal has entries for, you can enter:<\/p>\n<pre class=\"terminal\" >journalctl -F _GID<\/pre>\n<p><b>Sample output<\/b><\/p>\n<pre class=\"terminal\" >119\r\n124\r\n104\r\n113\r\n127\r\n103\r\n105\r\n102\r\n4\r\n0\r\n133\r\n131
\r\n1\r\n1000<\/pre>\n<p>This will show you all of the values that the journal has stored for the group ID field. It can help you construct your filters.<\/p>\n<h3>Kernel Messages<\/h3>\n<p>Kernel messages, those usually found in dmesg output, can be retrieved from the journal as well.<\/p>\n<p>To display only these messages, we can add the <strong>'-k'<\/strong> or <strong>'--dmesg'<\/strong> flag to our command.<\/p>\n<pre class=\"terminal\" >journalctl -k<\/pre>\n<p>By default, this will display the kernel messages from the current boot. You can specify an alternative boot using the normal boot selection flags discussed previously. For instance, to get the messages from five boots ago, you could type:<\/p>\n<pre class=\"terminal\" >journalctl -k -b -5<\/pre>\n<h3>Active Process Monitoring<\/h3>\n<p>To display a set number of records, you can use the <strong>'-n'<\/strong> option, which works exactly like tail -n.<\/p>\n<p>By default, it will display the most recent 10 entries.<\/p>\n<pre class=\"terminal\" >journalctl -n<\/pre>\n<p>You can specify the number of entries you'd like to see with a number after the -n.<\/p>\n<pre class=\"terminal\" >journalctl -n 12<\/pre>\n<h3>Maintenance and Cleanup<\/h3>\n<p>Apart from retrieving logs, 'journalctl' also offers functionality for log management and cleanup.<\/p>\n<h4>Rotate Logs<\/h4>\n<p>To rotate the journal files and start anew, run journalctl with the <strong>'--rotate'<\/strong> flag, then run it again with the <strong>'--vacuum-time'<\/strong> flag to set the retention period. With '--vacuum-time=1d', archived entries older than one day are permanently deleted.<\/p>\n<pre class=\"terminal\" >sudo journalctl --rotate\r\nsudo journalctl --vacuum-time=1d<\/pre>\n<h4>Current Disk Usage<\/h4>\n<p>We can find the current disk usage of the journal with the <strong>'--disk-usage'<\/strong> flag.<\/p>\n<pre class=\"terminal\" >journalctl --disk-usage<\/pre>\n<p><b>Sample output<\/b><\/p>\n<pre 
class=\"terminal\" >Archived and active journals take up 72.0M in the file system.<\/pre>\n<h4>Deleting Old Logs<\/h4>\n<p>If you wish to shrink your journal, you can do that in two different ways (available with systemd version 218 and later).<\/p>\n<p>Use the <strong>'--vacuum-size'<\/strong> option to shrink your journal by indicating a size. This will remove old entries until the total journal space taken up on the disk is at the requested size.<\/p>\n<pre class=\"terminal\" >sudo journalctl --vacuum-size=1G<\/pre>\n<p>Another way to shrink the journal is by providing a cutoff time with the <strong>'--vacuum-time'<\/strong> option. Any entries older than that time are deleted. This allows you to keep the entries that have been created after a specific time.<\/p>\n<p>To keep entries from the last year, run the following command:<\/p>\n<pre class=\"terminal\" >sudo journalctl --vacuum-time=1years<\/pre>\n<h3>Journald configuration file<\/h3>\n<p>On a typical Ubuntu system, the journald configuration file is located at \"\/etc\/systemd\/journald.conf\".<\/p>\n<pre class=\"terminal\" >$ cat \/etc\/systemd\/journald.conf\r\n#  This file is part of systemd.\r\n#\r\n#  systemd is free software; you can redistribute it and\/or modify it under the\r\n#  terms of the GNU Lesser General Public License as published by the Free\r\n#  Software Foundation; either version 2.1 of the License, or (at your option)\r\n#  any later version.\r\n#\r\n# Entries in this file show the compile time defaults. Local configuration\r\n# should be created by either modifying this file, or by creating &quot;drop-ins&quot; in\r\n# the journald.conf.d\/ subdirectory. 
The latter is generally recommended.\r\n# Defaults can be restored by simply deleting this file and all drop-ins.\r\n#\r\n# Use &#039;systemd-analyze cat-config systemd\/journald.conf&#039; to display the full config.\r\n#\r\n# See journald.conf(5) for details.\r\n\r\n[Journal]\r\n#Storage=auto\r\n#Compress=yes\r\n#Seal=yes\r\n#SplitMode=uid\r\n#SyncIntervalSec=5m\r\n#RateLimitIntervalSec=30s\r\n#RateLimitBurst=10000\r\n#SystemMaxUse=\r\n#SystemKeepFree=\r\n#SystemMaxFileSize=\r\n#SystemMaxFiles=100\r\n#RuntimeMaxUse=\r\n#RuntimeKeepFree=\r\n#RuntimeMaxFileSize=\r\n#RuntimeMaxFiles=100\r\n#MaxRetentionSec=\r\n#MaxFileSec=1month\r\n#ForwardToSyslog=yes\r\n#ForwardToKMsg=no\r\n#ForwardToConsole=no\r\n#ForwardToWall=yes\r\n#TTYPath=\/dev\/console\r\n#MaxLevelStore=debug\r\n#MaxLevelSyslog=debug\r\n#MaxLevelKMsg=notice\r\n#MaxLevelConsole=info\r\n#MaxLevelWall=emerg\r\n#LineMax=48K\r\n#ReadKMsg=yes\r\n#Audit=no\r\n$<\/pre>\n<p>To learn more about each configuration parameter in the above file, read the man page for journald.conf with the following command:<\/p>\n<pre class=\"terminal\" >man journald.conf<\/pre>\n<h3>Conclusion<\/h3>\n<p>Effective log management is crucial for Linux system administration since it helps with problem diagnosis, performance monitoring, and infrastructure maintenance. 'journalctl' is a powerful tool that makes log analysis and administration simpler.<\/p>\n<p>It provides an array of choices for filtering, searching, and extracting data from the systemd journal.<\/p>\n<p>Its user-friendly interface and adaptability make 'journalctl' a useful tool for both experienced administrators and newcomers to the Linux environment. 
'journalctl' enables you to dig thoroughly into your system's logs and gain useful information, whether you're debugging an error, monitoring system health, or analyzing service performance.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Maintaining a healthy and productive Linux environment requires effective system log management. The journalctl command has evolved into an essential resource for accessing and analyzing system logs with the introduction of systemd, the system and service manager for recent Linux distributions. 
The journalctl command&#8217;s adaptability and utility on Linux-based systems will be examined thoroughly in&#8230; <span class=\"read-more\"><a href=\"https:\/\/www.binarytides.com\/journalctl-command-examples-in-linux\/\">Read More &raquo;<\/a><\/span><\/p>\n","protected":false},"author":1,"featured_media":15958,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[855,853],"tags":[],"class_list":["post-15810","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-linux-commands","category-server-2"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v25.1 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Journalctl Command examples in Linux - A Comprehensive Guide - BinaryTides<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.binarytides.com\/journalctl-command-examples-in-linux\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Silver Moon\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"13 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.binarytides.com\/journalctl-command-examples-in-linux\/\",\"url\":\"https:\/\/www.binarytides.com\/journalctl-command-examples-in-linux\/\",\"name\":\"Journalctl Command examples in Linux - A Comprehensive Guide - BinaryTides\",\"isPartOf\":{\"@id\":\"https:\/\/www.binarytides.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.binarytides.com\/journalctl-command-examples-in-linux\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.binarytides.com\/journalctl-command-examples-in-linux\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.binarytides.com\/blog\/wp-content\/uploads\/2023\/09\/no-thumbnail.jpg\",\"datePublished\":\"2023-08-24T06:06:01+00:00\",\"author\":{\"@id\":\"https:\/\/www.binarytides.com\/#\/schema\/person\/ce24c6ddfa0368f9a08bcf46505884dd\"},\"breadcrumb\":{\"@id\":\"https:\/\/www.binarytides.com\/journalctl-command-examples-in-linux\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.binarytides.com\/journalctl-command-examples-in-linux\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.binarytides.com\/journalctl-command-examples-in-linux\/#primaryimage\",\"url\":\"https:\/\/www.binarytides.com\/blog\/wp-content\/uploads\/2023\/09\/no-thumbnail.jpg\",\"contentUrl\":\"https:\/\/www.binarytides.com\/blog\/wp-content\/uploads\/2023\/09\/no-thumbnail.jpg\",\"width\":1920,\"height\":1080},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.binarytides.com\/journalctl-command-examples-in-linux\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.binarytides.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Journalctl Command 
examples in Linux &#8211; A Comprehensive Guide\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.binarytides.com\/#website\",\"url\":\"https:\/\/www.binarytides.com\/\",\"name\":\"BinaryTides\",\"description\":\"News, Technology, Entertainment and more\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.binarytides.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.binarytides.com\/#\/schema\/person\/ce24c6ddfa0368f9a08bcf46505884dd\",\"name\":\"Silver Moon\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.binarytides.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/67ac3d58b656585dc0201e900a67f4197eb0c3ef2d1f83dd8f95a0b497cd97da?s=96&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/67ac3d58b656585dc0201e900a67f4197eb0c3ef2d1f83dd8f95a0b497cd97da?s=96&r=g\",\"caption\":\"Silver Moon\"},\"description\":\"A Tech Enthusiast, Blogger, Linux Fan and a Software Developer. Writes about Computer hardware, Linux and Open Source software and coding in Python, Php and Javascript. He can be reached at binarytides@gmail.com.\",\"url\":\"https:\/\/www.binarytides.com\/author\/admin\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","_links":{"self":[{"href":"https:\/\/www.binarytides.com\/wp-json\/wp\/v2\/posts\/15810","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.binarytides.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.binarytides.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.binarytides.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.binarytides.com\/wp-json\/wp\/v2\/comments?post=15810"}],"version-history":[{"count":10,"href":"https:\/\/www.binarytides.com\/wp-json\/wp\/v2\/posts\/15810\/revisions"}],"predecessor-version":[{"id":15822,"href":"https:\/\/www.binarytides.com\/wp-json\/wp\/v2\/posts\/15810\/revisions\/15822"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.binarytides.com\/wp-json\/wp\/v2\/media\/15958"}],"wp:attachment":[{"href":"https:\/\/www.binarytides.com\/wp-json\/wp\/v2\/media?parent=15810"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.binarytides.com\/wp-json\/wp\/v2\/categories?post=15810"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.binarytides.com\/wp-json\/wp\/v2\/tags?post=15810"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}