Journalctl

Updated: September 28, 2024

Journalctl is used to query the systemd journal.

Unlike syslog, which logs messages to plain text files, the systemd journal stores messages in a binary format for easier and faster search.

JOURNALCTL

journalctl
    -f, --follow        # continuously print, (tail -f)
    -n, --lines=        # show and limit recent events, default 10, implied on -f
    -x, --catalog       # helpful hints to context of errors or log event.
    -m, --merge         # merge all entries from all journals, including remote ones
    -k, --dmesg         # show only kernel messages
    -u, --unit=         # show logs for a specific service
    --user              # show logs for a specific user

EXAMPLES

journalctl -u ssh               # see logs for ssh service
journalctl -f --user megacron   # follow user megacron persistently
journalctl --disk-usage         # size of journal on disk
journalctl --list-boots         # list of system boots, most recent boot is always 0
journalctl -b 0 -u ssh          # see ssh logs for a certain boot session
journalctl --since=yesterday --until= now   # all messages for a range of time
journalctl -n 100 /usr/sbin/sshd    # see most 100 recent entries for ssh

SOURCES

Journal collects from several sources: /dev/log # software that operates according to syslog /dev/kmsg # messages from linux kernel /run/systemd/journal/stdout # log messages sent to STDOUT /run/systemd/journal/socket # software the messages using systemd journal API and finally messages from the kernels own auditd daemon

CONFIGURATION

FILE: /etc/systemd/journald.conf # not meant to be edited EDIT: /etc/systemd/journald.conf.d