Using journalctl on RHEL7/CentOS7/SL7

Like systemctl, journalctl is a systemd utility. It is used for querying and displaying messages from the systemd journal. Journalctl is the standard way to read messages from one or more binary journal files.

In the following examples, I will show you how it can be used with some of its parameters. Each parameter can be used on its own or combined with other parameters to further narrow the scope of the search. To get a full listing of journalctl options, you can visit the journalctl man page.

 

No parameters, default running

When run without any parameters, journalctl shows all journal entries:

# journalctl
-- Logs begin at Thu 2016-09-08 14:20:08 PDT, end at Tue 2016-09-13 22:45:01 PDT. --
Sep 08 14:20:08 fibrevillage.com systemd-journal[181]: Runtime journal is using 8.0M (max allowed 1.5G, trying
Sep 08 14:20:08 fibrevillage.com systemd-journal[181]: Runtime journal is using 8.0M (max allowed 1.5G, trying
Sep 08 14:20:08 fibrevillage.com kernel: Initializing cgroup subsys cpuset
Sep 08 14:20:08 fibrevillage.com kernel: Initializing cgroup subsys cpu
Sep 08 14:20:08 fibrevillage.com kernel: Initializing cgroup subsys cpuacct
Sep 08 14:20:08 fibrevillage.com kernel: Linux version 3.10.0-327.28.3.el7.x86_64

Journalctl will stop after displaying each screenful of messages, and you can press PgDn or the spacebar to see the next screenful. To quit at any time, press q. This works like the standard less command on Linux. Long entries are printed to the width of the screen and truncated at the end if they don’t fit. The cut-off portion can be viewed using the left and right arrow keys.

Boot Messages

To see boot-related messages from the current boot, use the -b option:

# journalctl -b
-- Logs begin at Thu 2016-09-08 14:20:08 PDT, end at Tue 2016-09-13 22:50:01 PDT. --
Sep 08 14:20:08 fibrevillage.com systemd-journal[181]: Runtime journal is using 8.0M (max allowed 1.5G, trying
...

To see messages from the previous boot, use the -1 modifier:

journalctl -b -1

To see boot messages from two boots ago, use -2:

journalctl -b -2

and so on. With no modifier, -b shows the messages from the current boot.

To list the boots of the system, use --list-boots:

# journalctl --list-boots
 0 807586ea4cba41a98cf6ec822d4aa1a2 Thu 2016-09-08 14:20:08 PDT—Tue 2016-09-13 22:50:01 PDT

The first field is the boot number (0 being the latest boot, -1 being the boot before that, and so on), followed by a Boot ID (a long hexadecimal number), followed by the time stamps of the first and the last messages related to that boot.

Kernel messages

To see kernel messages from the current boot:

# journalctl -k
-- Logs begin at Wed 2016-08-24 14:14:55 PDT, end at Wed 2016-09-14 15:50:01 PDT. --
Aug 24 14:14:55 fibrevillage.com kernel: CPU0 microcode updated early to revision 0xd2, date = 2010-10-01
Aug 24 14:14:55 fibrevillage.com kernel: Initializing cgroup subsys cpuset
Aug 24 14:14:55 fibrevillage.com kernel: Initializing cgroup subsys cpu

Time Ranges

To see messages logged within a specific time window, we can use the --since and --until options.

since option

The following command shows journal messages logged within the last hour:

# journalctl --since "1 hour ago"
-- Logs begin at Thu 2016-09-08 14:20:08 PDT, end at Tue 2016-09-13 23:30:01 PDT. --
Sep 13 22:40:01 fibrevillage.com systemd[1]: Started Session 1494 of user root.
Sep 13 22:40:01 fibrevillage.com systemd[1]: Starting Session 1494 of user root.
...

Or messages from the past 7 days:

# journalctl --since "7 days ago"

until option

The command below will show messages between two dates and times. All messages logged on or after the since parameter and logged on or before the until parameter will be shown:

journalctl --since "2016-09-13 23:30:00" --until "2016-09-13 23:45:00"

Note that the date and time need to be specified as “YYYY-MM-DD HH:MM:SS”.

By Unit

To see messages logged by a particular systemd unit, use the -u switch.

# journalctl -u ntpd.service
-- Logs begin at Thu 2016-09-08 14:20:08 PDT, end at Tue 2016-09-13 23:40:01 PDT. --
Sep 08 14:21:23 fibrevillage.com systemd[1]: Starting Network Time Service...
Sep 08 14:21:23 fibrevillage.com systemd[1]: Started Network Time Service.

The command above will show all messages logged by the ntpd service. You can use the since and until switches here to pinpoint errors occurring within a time window:

journalctl -u ntpd.service --since "starttime" --until "endtime"

Also, the -u switch can be used multiple times to specify more than one unit source.

# journalctl -u mariadb.service -u ntpd.service
-- Logs begin at Thu 2016-09-08 14:20:08 PDT, end at Tue 2016-09-13 23:50:01 PDT. --
Sep 08 14:21:23 fibrevillage.com systemd[1]: Starting Network Time Service...
Sep 08 14:21:23 fibrevillage.com systemd[1]: Started Network Time Service.
Sep 08 14:21:28 fibrevillage.com systemd[1]: Starting MariaDB database server...
Sep 08 14:21:29 fibrevillage.com mysqld_safe[7314]: 160908 14:21:29 mysqld_safe Logging to '/var/log/mariadb/ma
Sep 08 14:21:29 fibrevillage.com mysqld_safe[7314]: 160908 14:21:29 mysqld_safe Starting mysqld daemon with dat
Sep 08 14:21:31 fibrevillage.com systemd[1]: Started MariaDB database server.

Follow or Tail

To run journalctl like the Linux tail command so it continuously prints log messages as they are added, use the -f switch:

journalctl -f

Combined with other options, this command follows mariadb's log:

journalctl -u mariadb.service -f

To stop following and return to the prompt, press Ctrl+C.

Like the tail command, the -n switch will print the specified number of most recent journal entries. In the command below, we are printing the last 50 messages logged within the last hour:

journalctl -n 50 --since "1 hour ago"

The -r parameter shows journal entries in reverse chronological order, so the latest messages are printed first. The command below shows the last 10 messages from the sshd daemon, listed in reverse order:

journalctl -u sshd.service -r -n 10

Output Formats

The -o parameter enables us to format the output of a journalctl query. -o (or --output if we are using the long form parameter name) can take a few values:

json will show each journal entry in json format in one long line.

json-pretty will show each log entry in easy-to-read json format.

verbose will show very detailed information for each journal record with all fields listed.

cat shows messages in very short form, without any date/time or source server names.

short is the default output format: It shows messages in syslog style.

short-monotonic is similar to short, but the time stamp is shown as a monotonic value in seconds with microsecond precision. This can be useful when you are looking at error messages generated from more than one source which apparently are throwing error messages at the same time and you want to go to the granular level.

The following command shows the most recent output in json-pretty format:

journalctl -u sshd.service -r -n 10 -o json-pretty

One of the journal entries can look like this:

 

By Priority

Use the -p switch to filter messages by priority level. To see what priority levels are available, see the section on systemd-journald configuration parameters and the possible MaxLevelStore parameter values. If a single priority level is specified, all messages with that priority level and the more severe levels (lower numbers) are returned. To use a range of priority levels, use the FROM..TO form.

As an example, the command below will output all messages with priority between emergency and critical from the current boot:

# journalctl -b -p "crit"
-- Logs begin at Thu 2016-09-08 14:20:08 PDT, end at Tue 2016-09-13 23:50:01 PDT. --
Sep 08 14:21:32 fibrevillage.com kernel: ch 6:0:0:0: [ch0] ID/LUN unknown
Sep 08 14:21:32 fibrevillage.com kernel: ch 6:0:0:0: [ch0] ID/LUN unknown
Sep 08 14:21:33 fibrevillage.com kernel: ch 6:0:3:0: [ch1] ID/LUN unknown
Sep 08 14:21:33 fibrevillage.com kernel: ch 6:0:3:0: [ch1] ID/LUN unknown

By User

To find all messages related to a particular user, use the UID for that user. In the following example, we find the UID of the user mysql and then query the journal for it:

# id mysql
uid=27(mysql) gid=27(mysql) groups=27(mysql)
# journalctl _UID=27
-- Logs begin at Thu 2016-09-08 14:20:08 PDT, end at Wed 2016-09-14 00:00:01 PDT. --
Sep 08 14:21:29 fibrevillage.com mysqld_safe[7314]: 160908 14:21:29 mysqld_safe Logging to '/var/log/mariadb/ma
Sep 08 14:21:29 fibrevillage.com mysqld_safe[7314]: 160908 14:21:29 mysqld_safe Starting mysqld daemon with dat
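
The json output format, the -p priority rule and the _UID match described above, combined in an added example (Python, not part of the original page): it reads journalctl -o json lines and applies the same priority and UID filters. The sample entries are constructed and the function names are illustrative.

```python
import json
from datetime import datetime, timezone

# Priority names accepted by -p; the list index is the numeric level.
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed sample of `journalctl -o json` output: one object per line and
# every value a string, except a MESSAGE that is not valid UTF-8 (byte array).
SAMPLE = "\n".join([
    '{"__REALTIME_TIMESTAMP":"1473369689000000","PRIORITY":"6","_UID":"27",'
    '"SYSLOG_IDENTIFIER":"mysqld_safe","MESSAGE":"Starting mysqld daemon"}',
    '{"__REALTIME_TIMESTAMP":"1473369692000000","PRIORITY":"2",'
    '"SYSLOG_IDENTIFIER":"kernel","MESSAGE":"ch 6:0:0:0: [ch0] ID/LUN unknown"}',
    '{"__REALTIME_TIMESTAMP":"1473369700000000","PRIORITY":"3","_UID":"0",'
    '"SYSLOG_IDENTIFIER":"sshd","MESSAGE":[98,97,100,32,255]}',
])

def level(value):
    """Map a priority name or number ('crit' or '2') to its numeric level."""
    return int(value) if value.isdigit() else LEVELS.index(value)

def priority_range(spec):
    """Like -p: one level means emerg up to that level; FROM..TO is inclusive."""
    low, sep, high = spec.partition("..")
    return (level(low), level(high)) if sep else (0, level(low))

def message_text(value):
    """Return MESSAGE as text, decoding the byte-array form if present."""
    if isinstance(value, list):
        return bytes(value).decode("utf-8", errors="replace")
    return value or ""

def select(lines, priority=None, uid=None):
    """Filter JSON journal lines the way -p and _UID= do; return tuples."""
    rows = []
    for line in lines.splitlines():
        entry = json.loads(line)
        if priority is not None:
            low, high = priority_range(priority)
            # An entry without a PRIORITY field cannot match a priority filter.
            if not low <= int(entry.get("PRIORITY", -1)) <= high:
                continue
        if uid is not None and entry.get("_UID") != str(uid):
            continue
        usec = int(entry["__REALTIME_TIMESTAMP"])  # microseconds since epoch
        stamp = datetime.fromtimestamp(usec // 1_000_000, tz=timezone.utc)
        rows.append((stamp.strftime("%Y-%m-%d %H:%M:%S"),
                     entry.get("SYSLOG_IDENTIFIER", "?"), message_text(entry.get("MESSAGE"))))
    return rows
```

On a live system, pass the output of journalctl -b -o json to select() in place of SAMPLE.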

Journal disk usage

See disk usage of the journal:

# journalctl --disk-usage
Archived and active journals take up 32.0M on disk.

Reduce disk usage by size

Reduce journal disk usage to below the specified size, given with the usual "K", "M", "G", "T" suffixes:

# journalctl --vacuum-size=1M

Reduce disk usage by date

Remove journal files older than the specified timespan, given with the usual "s", "min", "h", "days", "months", "weeks", "years" suffixes:

# journalctl --vacuum-time="1 days"

Verify journal file consistency

To verify journal file consistency, run:

# journalctl --verify      
PASS: /run/log/journal/68909c3249b2439eafb47250340318db/system.journal