Journalctl: How to Read and Edit Systemd Logs
This guide shows how to read, control, and maintain systemd logs using journalctl through examples.
What Is Systemd?
Systemd is a Linux service and system manager. While users do not invoke systemd directly, the manager comprises many tools and daemons that run individually to handle various system processes.
One of the most powerful systemd features is its logging. Systemd provides a centralized solution for logging all kernel and user processes through logs known as journals.
The journald daemon collects all the messages the system outputs and then creates journals, regardless of the program or process. The daemon gathers data from all available system resources and stores them in a binary format.
The journalctl command queries and manipulates the journal data collected by the journald daemon. The tool is vital for system administrators and complements other Linux logging tools and Syslog server software solutions.
The command syntax is:
Without any parameters, the journalctl command outputs the entire journal contents starting from the oldest entry. The <match> is one or more space-separated arguments for filtering the output fields. The format is
The table below summarizes common
journalctl manual page using the man command for a full list of options.
How to Read systemd
The following section outlines how to read systemd logs and use the various display options for the journalctl command. The output is different for every machine since records for every system are unique.
Display All Journal Entries
To show all journal entries, use the journalctl command without any options:
The first line from the output shows the time range of the log data. The columns contain the following data in order from left to right:
The journal data contains many entries. Use the arrow keys (similar to the less command) to navigate.
Exit the journal by pressing q.
Show Most Recent Entries
The journalctl command shows the oldest entries by default. To jump to the pager end and display the most recent entries, use the
The output shows the final 1000 entries to save space.
To control how many lines display in the output, use the -n option followed by the number of lines. For example, to show the five most recent journal entries, use:
The -e option is unnecessary and implied by the -n option. Omitting the number shows the ten most recent entries by default.
Limit the Logs to the Specific Boot
To limit the logs to the current boot, use the -b tag without any parameters:
Without any parameters, the command shows current boot logs.
Jump to a specific boot by adding an offset parameter. For example, show the previous boot logs with:
Alternatively, show the oldest available boot log with:
An alternative way to see a specific boot is to use a boot ID. Fetch the boot IDs using
The first column displays the negative offset number, while the second column shows the boot ID. Copy the ID and add it as a parameter to the command, for example:
The output limits the log display to the provided ID instance.
Display Logs Within a Specific Time Window
Filter the journal by specifying a time limit. The two options for limiting since or until a specified time are:
Use the options individually or combine them to create a time window.
The command expects one of the following date and time formats:
Below is an example journalctl command with a specific time window:
The command creates a time window from April 2nd, 2022, to April 22nd, 2022. The output shows journals that fall into that timeframe.
Alternatively, use a string pattern such as:
The output shows logs from the stated time up until the current time.
Display Logs By Specific systemd Unit
Filter the logs by the specific systemd unit using the -u tag and providing the unit name. For example, to filter only the Jenkins service unit records, run:
The output shows the journal entries related to the specific systemd unit (in this case, Jenkins).
Display Kernel Messages
To display only the kernel journal log messages, use the
The output shows the kernel messages only from the current boot, applying the -b tag. To find kernel logs from a different boot session, add the -b tag and search for a specific boot.
Use the --follow tag to print the most recent logs continuously:
The output prints the logs in real time as they are generated. The option allows monitoring the logs with journalctl as entries are appended.
To exit the viewer, press CTRL+C.
Filter Log Messages Based on Priority
Filter the log messages by priority using the following command:
The following priorities exist:
A lower number indicates a higher priority. Specifying a single priority level also shows all messages with lower priority numbers (more critical).
For example, to display alerts, use:
The output displays only messages at the alert level and more important ones (if any).
Filter Log Messages Based on a Specific User
To see logs for a user, fetch the user ID (UID) with:
To fetch the ID for the current user, omit the <user>. The output shows the UID value for the given user. Use the UID journal field to filter log messages based on the specific user:
The output filters the journal log based on the specified user ID.
How to Edit systemd Log Output
An essential aspect of working with logs as a system administrator is formatting the log outputs. Systemd offers many methods to manipulate the visual result and fetch the data in the desired format.
Below are some standard output editing options and examples.
Output to Standard Out
The journalctl command displays the output using a pager. Disable the pager with:
The resulting output is in standard output (stdout). Use this option when parsing the log data with text editing tools or Bash scripts.
Truncate or Expand Output
The journalctl pager shows expanded journal events in the output. Pressing the right and left arrow keys helps navigate the text that doesn't fit the screen size.
To truncate the journalctl output, use the
The output limits the lines to the screen size, adding an ellipsis (...) to indicate a truncated display.
The journalctl command offers various options for output formats. The syntax for output format is:
Some of the available formats include:
For example, to display using the json-pretty format, use:
Different formats allow using the log data in databases, script files, or parsing it through monitoring software.
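As an added example (not part of the original guide), the Python script below consumes the line-per-entry output of journalctl -o json --no-pager and applies the priority, _UID and unit filters described earlier, including the cases where a field arrives as a byte list or as null. The sample lines and the helper names field, select and summarize are constructed for illustration.

```python
import json
from collections import Counter

# Priority names accepted by `journalctl -p`; index = numeric level, 0 is most severe.
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed sample of `journalctl -o json --no-pager` output (one object per line).
SAMPLE = [
    '{"PRIORITY":"6","_UID":"0","_SYSTEMD_UNIT":"jenkins.service","MESSAGE":"Started Jenkins"}',
    '{"PRIORITY":"3","_UID":"1000","_SYSTEMD_UNIT":"jenkins.service","MESSAGE":"Failed to bind port"}',
    '{"PRIORITY":"1","_UID":"0","_SYSTEMD_UNIT":"sshd.service","MESSAGE":[100,105,115,107,32,255]}',
    '{"PRIORITY":"4","_UID":"1000","_SYSTEMD_UNIT":"cron.service","MESSAGE":null}',
    '{"_UID":"1000","MESSAGE":"entry without a priority"}',
]

def field(entry, name, default=""):
    """Return a journal field as text; JSON output may hold a string, a byte list or null."""
    value = entry.get(name)
    if value is None:                      # field absent, or too large and emitted as null
        return default
    if isinstance(value, list):
        if all(isinstance(b, int) for b in value):   # non-UTF-8 data as byte values
            return bytes(value).decode("utf-8", errors="replace")
        return str(value[0])               # repeated field: keep the first occurrence
    return str(value)

def select(lines, max_priority="err", uid=None, unit=None):
    """Yield entries at max_priority or more severe, optionally matching _UID and unit."""
    limit = PRIORITIES.index(max_priority)
    for line in lines:
        if not line.strip():
            continue
        entry = json.loads(line)
        prio = field(entry, "PRIORITY")
        if not prio.isdigit() or int(prio) > limit:   # no PRIORITY: never matches
            continue
        if uid is not None and field(entry, "_UID") != str(uid):
            continue
        # Simplification (assumption): the unit is compared with _SYSTEMD_UNIT only.
        if unit is not None and field(entry, "_SYSTEMD_UNIT") != unit:
            continue
        yield entry

def summarize(entries):
    """Count entries per (unit, priority name) for a quick triage view."""
    return Counter(
        (field(e, "_SYSTEMD_UNIT", "-"), PRIORITIES[int(field(e, "PRIORITY"))])
        for e in entries
    )
```

On a live system, feed select() the lines read from the journalctl process instead of SAMPLE.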
Storing log data comes at a cost and takes up space. Below are some tips and tricks to discover the disk usage, maintain log data files, and free up space used by old log files.
Display Disk Usage
To check the journal disk usage, run the following command:
The output shows the disk's total occupied space by archived and active journals.
Delete Old Logs
Delete old log archives by setting the desired size limit. The command requires sudo to delete the files in /var/log/journal.
For example, set the size to 1M with:
Enter the sudo password and press Enter. The output prints the file names and sizes, and the last line shows the amount of freed disk space.
Alternatively, delete archived logs based on time. Any files older than the set time are deleted, freeing up disk space. For example, to delete files older than two months, run:
The time suffixes are
Limit the Journal
The journal configuration file allows setting limits and controlling how much journald data takes up on disk. To edit the file, run:
The file contains example configuration fields. The following parameters deal with the journal size and memory limits:
File size controls target archived files to reach the limits. Uncomment the lines and set the limits to gain better control over machine storage and resource consumption.
This guide showed how to view, control, and manage systemd journal logs through examples. The journalctl command is a valuable tool that helps troubleshoot Linux services and discover system errors.