Boot Messages
# Show all messages from this [b]oot:
$ journalctl -b
# Show all messages from last [b]oot:
$ journalctl -b -1
# Show all messages from previous_boot's_offset [b]oot:
# e.g., the previous boot has an offset of -1, the boot before that is -2, and so on
$ journalctl -b -<offset>
# To list the boots of the system, use the following command.
$ journalctl --list-boots
-2 12792aa4791f4087a27f93a2bf4e191f Sun 2021-07-04 23:34:07 +08—Sun 2021-07-04 23:34:29 +08
-1 8e10828970ac4e7ebec55f268f6e945d Mon 2021-07-05 07:36:05 +08—Sun 2021-07-04 23:37:17 +08
0 f027aa1e23c44e2c88d8203fc7f93575 Mon 2021-07-05 07:37:28 +08—Wed 2021-07-14 22:12:20 +08
Time Ranges
To see messages logged within a specific time window, we can use the --since and --until options. The following command shows journal messages logged within the last hour.
$ journalctl --since "1 hour ago"
To see messages logged in the last two days, the following command can be used.
$ journalctl --since "2 days ago"
The command below will show messages between two dates and times. All messages logged on or after the since parameter and logged on or before the until parameter will be shown.
$ journalctl --since "2015-06-26 23:15:00" --until "2015-06-26 23:20:00"
For greater accuracy, format the date and time as “YYYY-MM-DD HH:MM:SS”. You can also use any format that follows the systemd.time specification.
# Filter messages within a time range (either timestamp or placeholders like "yesterday"):
$ journalctl --since now|today|yesterday|tomorrow --until YYYY-MM-DD HH:MM:SS
By Unit
To see messages logged by any systemd unit, use the -u switch. The command below will show all messages logged by the Nginx web server. You can use the --since and --until switches here to pinpoint web server errors occurring within a time window.
$ journalctl -u nginx.service
The -u switch can be used multiple times to specify more than one unit source. For example, if you want to see log entries for both nginx and mysql, the following command can be used.
$ journalctl -u nginx.service -u mysql.service
Follow or Tail
Journalctl can print log messages to the console as they are added, much like the Linux tail command. To do this, add the -f switch,
$ journalctl -f
For example, this command “follows” the mysql service log.
$ journalctl -u mysql.service -f
To stop following and return to the prompt, press Ctrl+C.
Like the tail command, the -n switch will print the specified number of most recent journal entries. In the command below, we are printing the last 50 messages logged within the last hour.
$ journalctl -n 50 --since "1 hour ago"
The -r parameter shows journal entries in reverse chronological order, so the latest messages are printed first. The command below shows the last 10 messages from the sshd daemon, listed in reverse order.
$ journalctl -u sshd.service -r -n 1
By Priority
Use the -p switch to filter out messages based on their priority level. To see what priority levels are available, see the Journald Configuration section of Linux Logging with Systemd and the MaxLevelStore parameter. If a single priority level is specified, all messages with that priority level and below are returned. To use a range of priority levels, provide the start and end levels in the form of FROM…TO. As an example, the command below will output all messages with priority between emergency and critical from last boot.
$ journalctl -b -1 -p "emerg".."crit"
# Show all messages with priority level 3 (errors) from this [b]oot:
$journalctl -b --priority=3
Reference
- https://man7.org/linux/man-pages/man1/journalctl.1.html
- https://www.loggly.com/ultimate-guide/using-journalctl/