table of contents
- buster 241-7~deb10u7
- buster-backports 247.3-6~bpo10+1
- testing 247.3-6
- unstable 247.3-6
- experimental 249.3-3
JOURNALCTL(1) | journalctl | JOURNALCTL(1) |
NAME¶
journalctl - Query the systemd journalSYNOPSIS¶
journalctl [OPTIONS...] [MATCHES...]
DESCRIPTION¶
journalctl may be used to query the contents of the systemd(1) journal as written by systemd-journald.service(8).If called without parameters, it will show the full contents of the journal, starting with the oldest entry collected.
If one or more match arguments are passed, the output is filtered accordingly. A match is in the format "FIELD=VALUE", e.g. "_SYSTEMD_UNIT=httpd.service", referring to the components of a structured journal entry. See systemd.journal-fields(7) for a list of well-known fields. If multiple matches are specified matching different fields, the log entries are filtered by both, i.e. the resulting output will show only entries matching all the specified matches of this kind. If two matches apply to the same field, then they are automatically matched as alternatives, i.e. the resulting output will show entries matching any of the specified matches for the same field. Finally, the character "+" may appear as a separate word between other terms on the command line. This causes all matches before and after to be combined in a disjunction (i.e. logical OR).
It is also possible to filter the entries by specifying an absolute file path as an argument. The file path may be a file or a symbolic link and the file must exist at the time of the query. If a file path refers to an executable binary, an "_EXE=" match for the canonicalized binary path is added to the query. If a file path refers to an executable script, a "_COMM=" match for the script name is added to the query. If a file path refers to a device node, "_KERNEL_DEVICE=" matches for the kernel name of the device and for each of its ancestor devices is added to the query. Symbolic links are dereferenced, kernel names are synthesized, and parent devices are identified from the environment at the time of the query. In general, a device node is the best proxy for an actual device, as log entries do not usually contain fields that identify an actual device. For the resulting log entries to be correct for the actual device, the relevant parts of the environment at the time the entry was logged, in particular the actual device corresponding to the device node, must have been the same as those at the time of the query. Because device nodes generally change their corresponding devices across reboots, specifying a device node path causes the resulting entries to be restricted to those from the current boot.
Additional constraints may be added using options --boot, --unit=, etc., to further limit what entries will be shown (logical AND).
Output is interleaved from all accessible journal files, whether they are rotated or currently being written, and regardless of whether they belong to the system itself or are accessible user journals.
The set of journal files which will be used can be modified using the --user, --system, --directory, and --file options, see below.
All users are granted access to their private per-user journals. However, by default, only root and users who are members of a few special groups are granted access to the system journal and the journals of other users. Members of the groups "systemd-journal", "adm", and "wheel" can read all journal files. Note that the two latter groups traditionally have additional privileges specified by the distribution. Members of the "wheel" group can often perform administrative tasks.
The output is paged through less by default, and long lines are "truncated" to screen width. The hidden part can be viewed by using the left-arrow and right-arrow keys. Paging can be disabled; see the --no-pager option and the "Environment" section below.
When outputting to a tty, lines are colored according to priority: lines of level ERROR and higher are colored red; lines of level NOTICE and higher are highlighted; lines of level DEBUG are colored lighter grey; other lines are displayed normally.
OPTIONS¶
The following options are understood:--no-full, --full, -l
The old options -l/--full are not useful anymore, except to undo --no-full.
-a, --all
-f, --follow
-e, --pager-end
-n, --lines=
--no-tail
-r, --reverse
-o, --output=
short
short-full
short-iso
short-iso-precise
short-precise
short-monotonic
short-unix
verbose
export
json
Note that this encoding is reversible (with the exception of the size limit).
json-pretty
json-sse
json-seq
cat
with-unit
--output-fields=
--utc
--no-hostname
Note: this option does not remove occurrences of the hostname from log entries themselves, so it does not prevent the hostname from being visible in the logs.
-x, --catalog
Note: when attaching journalctl output to bug reports, please do not use -x.
-q, --quiet
-m, --merge
-b [[ID][±offset]|all], --boot[=[ID][±offset]|all]
The argument may be empty, in which case logs for the current boot will be shown.
If the boot ID is omitted, a positive offset will look up the boots starting from the beginning of the journal, and an equal-or-less-than zero offset will look up boots starting from the end of the journal. Thus, 1 means the first boot found in the journal in chronological order, 2 the second and so on; while -0 is the last boot, -1 the boot before last, and so on. An empty offset is equivalent to specifying -0, except when the current boot is not the last boot (e.g. because --directory was specified to look at logs from a different machine).
If the 32-character ID is specified, it may optionally be followed by offset which identifies the boot relative to the one given by boot ID. Negative values mean earlier boots and positive values mean later boots. If offset is not specified, a value of zero is assumed, and the logs for the boot given by ID are shown.
The special argument all can be used to negate the effect of an earlier use of -b.
--list-boots
-k, --dmesg
-t, --identifier=SYSLOG_IDENTIFIER
This parameter can be specified multiple times.
-u, --unit=UNIT|PATTERN
This parameter can be specified multiple times.
--user-unit=
This parameter can be specified multiple times.
-p, --priority=
--facility=
-g, --grep=
If the pattern is all lowercase, matching is case insensitive. Otherwise, matching is case sensitive. This can be overridden with the --case-sensitive option, see below.
--case-sensitive[=BOOLEAN]
-c, --cursor=
--cursor-file=FILE
--after-cursor=
--show-cursor
-- cursor: s=0639...
The format of the cursor is private and subject to change.
-S, --since=, -U, --until=
-F, --field=
-N, --fields
--system, --user
-M, --machine=
-D DIR, --directory=DIR
--file=GLOB
--root=ROOT
--image=IMAGE
--namespace=NAMESPACE
--header
--disk-usage
--vacuum-size=, --vacuum-time=, --vacuum-files=
--vacuum-size=, --vacuum-time= and --vacuum-files= may be combined in a single invocation to enforce any combination of a size, a time and a number of files limit on the archived journal files. Specifying any of these three parameters as zero is equivalent to not enforcing the specific limit, and is thus redundant.
These three switches may also be combined with --rotate into one command. If so, all active files are rotated first, and the requested vacuuming operation is executed right after. The rotation has the effect that all currently active files are archived (and potentially new, empty journal files opened as replacement), and hence the vacuuming operation has the greatest effect as it can take all log data written so far into account.
--list-catalog [128-bit-ID...]
If any 128-bit-IDs are specified, only those entries are shown.
--dump-catalog [128-bit-ID...]
If any 128-bit-IDs are specified, only those entries are shown.
--update-catalog
--setup-keys
--force
--interval=
--verify
--verify-key=
--sync
--flush
--relinquish-var
--smart-relinquish-var
--rotate
-h, --help
--version
--no-pager
EXIT STATUS¶
On success, 0 is returned; otherwise, a non-zero failure code is returned.ENVIRONMENT¶
$SYSTEMD_PAGER$SYSTEMD_LESS
Users might want to change two options in particular:
K
If the value of $SYSTEMD_LESS does not include "K", and the pager that is invoked is less, Ctrl+C will be ignored by the executable, and needs to be handled by the pager.
X
See less(1) for more discussion.
$SYSTEMD_LESSCHARSET
$SYSTEMD_PAGERSECURE
Note: when commands are invoked with elevated privileges, for example under sudo(8) or pkexec(1), care must be taken to ensure that unintended interactive features are not enabled. "Secure" mode for the pager may be enabled automatically as describe above. Setting SYSTEMD_PAGERSECURE=0 or not removing it from the inherited environment allows the user to invoke arbitrary commands. Note that if the $SYSTEMD_PAGER or $PAGER variables are to be honoured, $SYSTEMD_PAGERSECURE must be set too. It might be reasonable to completely disable the pager using --no-pager instead.
$SYSTEMD_COLORS
$SYSTEMD_URLIFY
EXAMPLES¶
Without arguments, all collected logs are shown unfiltered:journalctl
With one match specified, all entries with a field matching the expression are shown:
journalctl _SYSTEMD_UNIT=avahi-daemon.service journalctl _SYSTEMD_CGROUP=/user.slice/user-42.slice/session-c1.scope
If two different fields are matched, only entries matching both expressions at the same time are shown:
journalctl _SYSTEMD_UNIT=avahi-daemon.service _PID=28097
If two matches refer to the same field, all entries matching either expression are shown:
journalctl _SYSTEMD_UNIT=avahi-daemon.service _SYSTEMD_UNIT=dbus.service
If the separator "+" is used, two expressions may be combined in a logical OR. The following will show all messages from the Avahi service process with the PID 28097 plus all messages from the D-Bus service (from any of its processes):
journalctl _SYSTEMD_UNIT=avahi-daemon.service _PID=28097 + _SYSTEMD_UNIT=dbus.service
To show all fields emitted by a unit and about the unit, option -u/--unit= should be used. journalctl -u name expands to a complex filter similar to
_SYSTEMD_UNIT=name.service + UNIT=name.service _PID=1 + OBJECT_SYSTEMD_UNIT=name.service _UID=0 + COREDUMP_UNIT=name.service _UID=0 MESSAGE_ID=fc2e22bc6ee647b6b90729ab34a250b1
(see systemd.journal-fields(7) for an explanation of those patterns).
Show all logs generated by the D-Bus executable:
journalctl /usr/bin/dbus-daemon
Show all kernel logs from previous boot:
journalctl -k -b -1
Show a live log display from a system service apache.service:
journalctl -f -u apache
SEE ALSO¶
systemd(1), systemd-journald.service(8), systemctl(1), coredumpctl(1), systemd.journal-fields(7), journald.conf(5), systemd.time(7), systemd-journal-remote.service(8), systemd-journal-upload.service(8)NOTES¶
- 1.
- Journal Export Format
- 2.
- Journal JSON Format
- 3.
- Server-Sent Events
- 4.
- JavaScript Object Notation (JSON) Text Sequences
- 5.
- Message Catalog Developer Documentation
- 6.
- Discoverable Partitions Specification
systemd 247 |