1JOURNALCTL(1) journalctl JOURNALCTL(1)
2
3
4
6 journalctl - Query the systemd journal
7
9 journalctl [OPTIONS...] [MATCHES...]
10
12 journalctl may be used to query the contents of the systemd(1) journal
13 as written by systemd-journald.service(8).
14
15 If called without parameters, it will show the full contents of the
16 journal, starting with the oldest entry collected.
17
18 If one or more match arguments are passed, the output is filtered
19 accordingly. A match is in the format "FIELD=VALUE", e.g.
20 "_SYSTEMD_UNIT=httpd.service", referring to the components of a
21 structured journal entry. See systemd.journal-fields(7) for a list of
22 well-known fields. If multiple matches are specified matching different
23 fields, the log entries are filtered by both, i.e. the resulting output
24 will show only entries matching all the specified matches of this kind.
25 If two matches apply to the same field, then they are automatically
26 matched as alternatives, i.e. the resulting output will show entries
27 matching any of the specified matches for the same field. Finally, the
28 character "+" may appear as a separate word between other terms on the
29 command line. This causes all matches before and after to be combined
30 in a disjunction (i.e. logical OR).
31
32 It is also possible to filter the entries by specifying an absolute
33 file path as an argument. The file path may be a file or a symbolic
34 link and the file must exist at the time of the query. If a file path
35 refers to an executable binary, an "_EXE=" match for the canonicalized
36 binary path is added to the query. If a file path refers to an
37 executable script, a "_COMM=" match for the script name is added to the
38 query. If a file path refers to a device node, "_KERNEL_DEVICE="
39 matches for the kernel name of the device and for each of its ancestor
40 devices is added to the query. Symbolic links are dereferenced, kernel
41 names are synthesized, and parent devices are identified from the
42 environment at the time of the query. In general, a device node is the
43 best proxy for an actual device, as log entries do not usually contain
44 fields that identify an actual device. For the resulting log entries to
45 be correct for the actual device, the relevant parts of the environment
46 at the time the entry was logged, in particular the actual device
47 corresponding to the device node, must have been the same as those at
48 the time of the query. Because device nodes generally change their
49 corresponding devices across reboots, specifying a device node path
50 causes the resulting entries to be restricted to those from the current
51 boot.
52
53 Additional constraints may be added using options --boot, --unit=,
54 etc., to further limit what entries will be shown (logical AND).
55
56 Output is interleaved from all accessible journal files, whether they
57 are rotated or currently being written, and regardless of whether they
58 belong to the system itself or are accessible user journals.
59
60 The set of journal files which will be used can be modified using the
61 --user, --system, --directory, and --file options, see below.
62
63 All users are granted access to their private per-user journals.
64 However, by default, only root and users who are members of a few
65 special groups are granted access to the system journal and the
66 journals of other users. Members of the groups "systemd-journal",
67 "adm", and "wheel" can read all journal files. Note that the two latter
68 groups traditionally have additional privileges specified by the
69 distribution. Members of the "wheel" group can often perform
70 administrative tasks.
71
72 The output is paged through less by default, and long lines are
73 "truncated" to screen width. The hidden part can be viewed by using the
74 left-arrow and right-arrow keys. Paging can be disabled; see the
75 --no-pager option and the "Environment" section below.
76
77 When outputting to a tty, lines are colored according to priority:
78 lines of level ERROR and higher are colored red; lines of level NOTICE
79 and higher are highlighted; lines of level DEBUG are colored lighter
80 grey; other lines are displayed normally.
81
83 The following options are understood:
84
85 --no-full, --full, -l
86 Ellipsize fields when they do not fit in available columns. The
87 default is to show full fields, allowing them to wrap or be
88 truncated by the pager, if one is used.
89
90 The old options -l/--full are not useful anymore, except to undo
91 --no-full.
92
93 -a, --all
94 Show all fields in full, even if they include unprintable
95 characters or are very long. By default, fields with unprintable
96 characters are abbreviated as "blob data". (Note that the pager may
97 escape unprintable characters again.)
98
99 -f, --follow
100 Show only the most recent journal entries, and continuously print
101 new entries as they are appended to the journal.
102
103 -e, --pager-end
104 Immediately jump to the end of the journal inside the implied pager
105 tool. This implies -n1000 to guarantee that the pager will not
106 buffer logs of unbounded size. This may be overridden with an
107 explicit -n with some other numeric value, while -nall will disable
108 this cap. Note that this option is only supported for the less(1)
109 pager.
110
111 -n, --lines=
112 Show the most recent journal events and limit the number of events
113 shown. If --follow is used, this option is implied. The argument is
114 a positive integer or "all" to disable line limiting. The default
115 value is 10 if no argument is given.
116
117 --no-tail
118 Show all stored output lines, even in follow mode. Undoes the
119 effect of --lines=.
120
121 -r, --reverse
122 Reverse output so that the newest entries are displayed first.
123
124 -o, --output=
125 Controls the formatting of the journal entries that are shown.
126 Takes one of the following options:
127
128 short
129 is the default and generates an output that is mostly identical
130 to the formatting of classic syslog files, showing one line per
131 journal entry.
132
133 short-full
134 is very similar, but shows timestamps in the format the
135 --since= and --until= options accept. Unlike the timestamp
136 information shown in short output mode this mode includes
137 weekday, year and timezone information in the output, and is
138 locale-independent.
139
140 short-iso
141 is very similar, but shows ISO 8601 wallclock timestamps.
142
143 short-iso-precise
144 as for short-iso but includes full microsecond precision.
145
146 short-precise
147 is very similar, but shows classic syslog timestamps with full
148 microsecond precision.
149
150 short-monotonic
151 is very similar, but shows monotonic timestamps instead of
152 wallclock timestamps.
153
154 short-unix
155 is very similar, but shows seconds passed since January 1st
156 1970 UTC instead of wallclock timestamps ("UNIX time"). The
157 time is shown with microsecond accuracy.
158
159 verbose
160 shows the full-structured entry items with all fields.
161
162 export
163 serializes the journal into a binary (but mostly text-based)
164 stream suitable for backups and network transfer (see Journal
165 Export Format[1] for more information). To import the binary
166 stream back into native journald format use systemd-journal-
167 remote(8).
168
169 json
170 formats entries as JSON objects, separated by newline
171 characters (see Journal JSON Format[2] for more information).
172 Field values are generally encoded as JSON strings, with three
173 exceptions:
174
175 1. Fields larger than 4096 bytes are encoded as null values.
176 (This may be turned off by passing --all, but be aware that
177 this may allocate overly long JSON objects.)
178
179 2. Journal entries permit non-unique fields within the same
180 log entry. JSON does not allow non-unique fields within
181 objects. Due to this, if a non-unique field is encountered
182 a JSON array is used as field value, listing all field
183 values as elements.
184
185 3. Fields containing non-printable or non-UTF8 bytes are
186 encoded as arrays containing the raw bytes individually
187 formatted as unsigned numbers.
188
189 Note that this encoding is reversible (with the exception of
190 the size limit).
191
192 json-pretty
193 formats entries as JSON data structures, but formats them in
194 multiple lines in order to make them more readable by humans.
195
196 json-sse
197 formats entries as JSON data structures, but wraps them in a
198 format suitable for Server-Sent Events[3].
199
200 json-seq
201 formats entries as JSON data structures, but prefixes them with
202 an ASCII Record Separator character (0x1E) and suffixes them
203 with an ASCII Line Feed character (0x0A), in accordance with
204 JavaScript Object Notation (JSON) Text Sequences[4]
205 ("application/json-seq").
206
207 cat
208 generates a very terse output, only showing the actual message
209 of each journal entry with no metadata, not even a timestamp.
210 If combined with the --output-fields= option will output the
211 listed fields for each log record, instead of the message.
212
213 with-unit
214 similar to short-full, but prefixes the unit and user unit
215 names instead of the traditional syslog identifier. Useful when
216 using templated instances, as it will include the arguments in
217 the unit names.
218
219 --output-fields=
220 A comma separated list of the fields which should be included in
221 the output. This has an effect only for the output modes which
222 would normally show all fields (verbose, export, json, json-pretty,
223 json-sse and json-seq), as well as on cat. For the former, the
224 "__CURSOR", "__REALTIME_TIMESTAMP", "__MONOTONIC_TIMESTAMP", and
225 "_BOOT_ID" fields are always printed.
226
227 --utc
228 Express time in Coordinated Universal Time (UTC).
229
230 --no-hostname
231 Don't show the hostname field of log messages originating from the
232 local host. This switch has an effect only on the short family of
233 output modes (see above).
234
235 Note: this option does not remove occurrences of the hostname from
236 log entries themselves, so it does not prevent the hostname from
237 being visible in the logs.
238
239 -x, --catalog
240 Augment log lines with explanation texts from the message catalog.
241 This will add explanatory help texts to log messages in the output
242 where this is available. These short help texts will explain the
243 context of an error or log event, possible solutions, as well as
244 pointers to support forums, developer documentation, and any other
245 relevant manuals. Note that help texts are not available for all
246 messages, but only for selected ones. For more information on the
247 message catalog, please refer to the Message Catalog Developer
248 Documentation[5].
249
250 Note: when attaching journalctl output to bug reports, please do
251 not use -x.
252
253 -q, --quiet
254 Suppresses all informational messages (i.e. "-- Journal begins at
255 ...", "-- Reboot --"), any warning messages regarding inaccessible
256 system journals when run as a normal user.
257
258 -m, --merge
259 Show entries interleaved from all available journals, including
260 remote ones.
261
262 -b [[ID][±offset]|all], --boot[=[ID][±offset]|all]
263 Show messages from a specific boot. This will add a match for
264 "_BOOT_ID=".
265
266 The argument may be empty, in which case logs for the current boot
267 will be shown.
268
269 If the boot ID is omitted, a positive offset will look up the boots
270 starting from the beginning of the journal, and an
271 equal-or-less-than zero offset will look up boots starting from the
272 end of the journal. Thus, 1 means the first boot found in the
273 journal in chronological order, 2 the second and so on; while -0 is
274 the last boot, -1 the boot before last, and so on. An empty offset
275 is equivalent to specifying -0, except when the current boot is not
276 the last boot (e.g. because --directory was specified to look at
277 logs from a different machine).
278
279 If the 32-character ID is specified, it may optionally be followed
280 by offset which identifies the boot relative to the one given by
281 boot ID. Negative values mean earlier boots and positive values
282 mean later boots. If offset is not specified, a value of zero is
283 assumed, and the logs for the boot given by ID are shown.
284
285 The special argument all can be used to negate the effect of an
286 earlier use of -b.
287
288 --list-boots
289 Show a tabular list of boot numbers (relative to the current boot),
290 their IDs, and the timestamps of the first and last message
291 pertaining to the boot.
292
293 -k, --dmesg
294 Show only kernel messages. This implies -b and adds the match
295 "_TRANSPORT=kernel".
296
297 -t, --identifier=SYSLOG_IDENTIFIER
298 Show messages for the specified syslog identifier
299 SYSLOG_IDENTIFIER.
300
301 This parameter can be specified multiple times.
302
303 -u, --unit=UNIT|PATTERN
304 Show messages for the specified systemd unit UNIT (such as a
305 service unit), or for any of the units matched by PATTERN. If a
306 pattern is specified, a list of unit names found in the journal is
307 compared with the specified pattern and all that match are used.
308 For each unit name, a match is added for messages from the unit
309 ("_SYSTEMD_UNIT=UNIT"), along with additional matches for messages
310 from systemd and messages about coredumps for the specified unit. A
311 match is also added for "_SYSTEMD_SLICE=UNIT", such that if the
312 provided UNIT is a systemd.slice(5) unit, all logs of children of
313 the slice will be shown.
314
315 This parameter can be specified multiple times.
316
317 --user-unit=
318 Show messages for the specified user session unit. This will add a
319 match for messages from the unit ("_SYSTEMD_USER_UNIT=" and
320 "_UID=") and additional matches for messages from session systemd
321 and messages about coredumps for the specified unit. A match is
322 also added for "_SYSTEMD_USER_SLICE=UNIT", such that if the
323 provided UNIT is a systemd.slice(5) unit, all logs of children of
324 the unit will be shown.
325
326 This parameter can be specified multiple times.
327
328 -p, --priority=
329 Filter output by message priorities or priority ranges. Takes
330 either a single numeric or textual log level (i.e. between
331 0/"emerg" and 7/"debug"), or a range of numeric/text log levels in
332 the form FROM..TO. The log levels are the usual syslog log levels
333 as documented in syslog(3), i.e. "emerg" (0), "alert" (1),
334 "crit" (2), "err" (3), "warning" (4), "notice" (5), "info" (6),
335 "debug" (7). If a single log level is specified, all messages with
336 this log level or a lower (hence more important) log level are
337 shown. If a range is specified, all messages within the range are
338 shown, including both the start and the end value of the range.
339 This will add "PRIORITY=" matches for the specified priorities.
340
341 --facility=
342 Filter output by syslog facility. Takes a comma-separated list of
343 numbers or facility names. The names are the usual syslog
344 facilities as documented in syslog(3). --facility=help may be used
345 to display a list of known facility names and exit.
346
347 -g, --grep=
348 Filter output to entries where the MESSAGE= field matches the
349 specified regular expression. PERL-compatible regular expressions
350 are used, see pcre2pattern(3) for a detailed description of the
351 syntax.
352
353 If the pattern is all lowercase, matching is case insensitive.
354 Otherwise, matching is case sensitive. This can be overridden with
355 the --case-sensitive option, see below.
356
357 --case-sensitive[=BOOLEAN]
358 Make pattern matching case sensitive or case insensitive.
359
360 -c, --cursor=
361 Start showing entries from the location in the journal specified by
362 the passed cursor.
363
364 --cursor-file=FILE
365 If FILE exists and contains a cursor, start showing entries after
366 this location. Otherwise the show entries according the other given
367 options. At the end, write the cursor of the last entry to FILE.
368 Use this option to continually read the journal by sequentially
369 calling journalctl.
370
371 --after-cursor=
372 Start showing entries from the location in the journal after the
373 location specified by the passed cursor. The cursor is shown when
374 the --show-cursor option is used.
375
376 --show-cursor
377 The cursor is shown after the last entry after two dashes:
378
379 -- cursor: s=0639...
380
381 The format of the cursor is private and subject to change.
382
383 -S, --since=, -U, --until=
384 Start showing entries on or newer than the specified date, or on or
385 older than the specified date, respectively. Date specifications
386 should be of the format "2012-10-30 18:17:16". If the time part is
387 omitted, "00:00:00" is assumed. If only the seconds component is
388 omitted, ":00" is assumed. If the date component is omitted, the
389 current day is assumed. Alternatively the strings "yesterday",
390 "today", "tomorrow" are understood, which refer to 00:00:00 of the
391 day before the current day, the current day, or the day after the
392 current day, respectively. "now" refers to the current time.
393 Finally, relative times may be specified, prefixed with "-" or "+",
394 referring to times before or after the current time, respectively.
395 For complete time and date specification, see systemd.time(7). Note
396 that --output=short-full prints timestamps that follow precisely
397 this format.
398
399 -F, --field=
400 Print all possible data values the specified field can take in all
401 entries of the journal.
402
403 -N, --fields
404 Print all field names currently used in all entries of the journal.
405
406 --system, --user
407 Show messages from system services and the kernel (with --system).
408 Show messages from service of current user (with --user). If
409 neither is specified, show all messages that the user can see.
410
411 -M, --machine=
412 Show messages from a running, local container. Specify a container
413 name to connect to.
414
415 -D DIR, --directory=DIR
416 Takes a directory path as argument. If specified, journalctl will
417 operate on the specified journal directory DIR instead of the
418 default runtime and system journal paths.
419
420 --file=GLOB
421 Takes a file glob as an argument. If specified, journalctl will
422 operate on the specified journal files matching GLOB instead of the
423 default runtime and system journal paths. May be specified multiple
424 times, in which case files will be suitably interleaved.
425
426 --root=ROOT
427 Takes a directory path as an argument. If specified, journalctl
428 will operate on journal directories and catalog file hierarchy
429 underneath the specified directory instead of the root directory
430 (e.g. --update-catalog will create
431 ROOT/var/lib/systemd/catalog/database, and journal files under
432 ROOT/run/journal/ or ROOT/var/log/journal/ will be displayed).
433
434 --image=IMAGE
435 Takes a path to a disk image file or block device node. If
436 specified, journalctl will operate on the file system in the
437 indicated disk image. This is similar to --root= but operates on
438 file systems stored in disk images or block devices, thus providing
439 an easy way to extract log data from disk images. The disk image
440 should either contain just a file system or a set of file systems
441 within a GPT partition table, following the Discoverable Partitions
442 Specification[6]. For further information on supported disk images,
443 see systemd-nspawn(1)'s switch of the same name.
444
445 --namespace=NAMESPACE
446 Takes a journal namespace identifier string as argument. If not
447 specified the data collected by the default namespace is shown. If
448 specified shows the log data of the specified namespace instead. If
449 the namespace is specified as "*" data from all namespaces is
450 shown, interleaved. If the namespace identifier is prefixed with
451 "+" data from the specified namespace and the default namespace is
452 shown, interleaved, but no other. For details about journal
453 namespaces see systemd-journald.service(8).
454
455 --header
456 Instead of showing journal contents, show internal header
457 information of the journal fields accessed.
458
459 --disk-usage
460 Shows the current disk usage of all journal files. This shows the
461 sum of the disk usage of all archived and active journal files.
462
463 --vacuum-size=, --vacuum-time=, --vacuum-files=
464 Removes the oldest archived journal files until the disk space they
465 use falls below the specified size (specified with the usual "K",
466 "M", "G" and "T" suffixes), or all archived journal files contain
467 no data older than the specified timespan (specified with the usual
468 "s", "m", "h", "days", "months", "weeks" and "years" suffixes), or
469 no more than the specified number of separate journal files remain.
470 Note that running --vacuum-size= has only an indirect effect on the
471 output shown by --disk-usage, as the latter includes active journal
472 files, while the vacuuming operation only operates on archived
473 journal files. Similarly, --vacuum-files= might not actually reduce
474 the number of journal files to below the specified number, as it
475 will not remove active journal files.
476
477 --vacuum-size=, --vacuum-time= and --vacuum-files= may be combined
478 in a single invocation to enforce any combination of a size, a time
479 and a number of files limit on the archived journal files.
480 Specifying any of these three parameters as zero is equivalent to
481 not enforcing the specific limit, and is thus redundant.
482
483 These three switches may also be combined with --rotate into one
484 command. If so, all active files are rotated first, and the
485 requested vacuuming operation is executed right after. The rotation
486 has the effect that all currently active files are archived (and
487 potentially new, empty journal files opened as replacement), and
488 hence the vacuuming operation has the greatest effect as it can
489 take all log data written so far into account.
490
491 --list-catalog [128-bit-ID...]
492 List the contents of the message catalog as a table of message IDs,
493 plus their short description strings.
494
495 If any 128-bit-IDs are specified, only those entries are shown.
496
497 --dump-catalog [128-bit-ID...]
498 Show the contents of the message catalog, with entries separated by
499 a line consisting of two dashes and the ID (the format is the same
500 as .catalog files).
501
502 If any 128-bit-IDs are specified, only those entries are shown.
503
504 --update-catalog
505 Update the message catalog index. This command needs to be executed
506 each time new catalog files are installed, removed, or updated to
507 rebuild the binary catalog index.
508
509 --setup-keys
510 Instead of showing journal contents, generate a new key pair for
511 Forward Secure Sealing (FSS). This will generate a sealing key and
512 a verification key. The sealing key is stored in the journal data
513 directory and shall remain on the host. The verification key should
514 be stored externally. Refer to the Seal= option in journald.conf(5)
515 for information on Forward Secure Sealing and for a link to a
516 refereed scholarly paper detailing the cryptographic theory it is
517 based on.
518
519 --force
520 When --setup-keys is passed and Forward Secure Sealing (FSS) has
521 already been configured, recreate FSS keys.
522
523 --interval=
524 Specifies the change interval for the sealing key when generating
525 an FSS key pair with --setup-keys. Shorter intervals increase CPU
526 consumption but shorten the time range of undetectable journal
527 alterations. Defaults to 15min.
528
529 --verify
530 Check the journal file for internal consistency. If the file has
531 been generated with FSS enabled and the FSS verification key has
532 been specified with --verify-key=, authenticity of the journal file
533 is verified.
534
535 --verify-key=
536 Specifies the FSS verification key to use for the --verify
537 operation.
538
539 --sync
540 Asks the journal daemon to write all yet unwritten journal data to
541 the backing file system and synchronize all journals. This call
542 does not return until the synchronization operation is complete.
543 This command guarantees that any log messages written before its
544 invocation are safely stored on disk at the time it returns.
545
546 --flush
547 Asks the journal daemon to flush any log data stored in
548 /run/log/journal/ into /var/log/journal/, if persistent storage is
549 enabled. This call does not return until the operation is complete.
550 Note that this call is idempotent: the data is only flushed from
551 /run/log/journal/ into /var/log/journal/ once during system runtime
552 (but see --relinquish-var below), and this command exits cleanly
553 without executing any operation if this has already happened. This
554 command effectively guarantees that all data is flushed to
555 /var/log/journal/ at the time it returns.
556
557 --relinquish-var
558 Asks the journal daemon for the reverse operation to --flush: if
559 requested the daemon will write further log data to
560 /run/log/journal/ and stops writing to /var/log/journal/. A
561 subsequent call to --flush causes the log output to switch back to
562 /var/log/journal/, see above.
563
564 --smart-relinquish-var
565 Similar to --relinquish-var but executes no operation if the root
566 file system and /var/lib/journal/ reside on the same mount point.
567 This operation is used during system shutdown in order to make the
568 journal daemon stop writing data to /var/log/journal/ in case that
569 directory is located on a mount point that needs to be unmounted.
570
571 --rotate
572 Asks the journal daemon to rotate journal files. This call does not
573 return until the rotation operation is complete. Journal file
574 rotation has the effect that all currently active journal files are
575 marked as archived and renamed, so that they are never written to
576 in future. New (empty) journal files are then created in their
577 place. This operation may be combined with --vacuum-size=,
578 --vacuum-time= and --vacuum-file= into a single command, see above.
579
580 -h, --help
581 Print a short help text and exit.
582
583 --version
584 Print a short version string and exit.
585
586 --no-pager
587 Do not pipe output into a pager.
588
590 On success, 0 is returned; otherwise, a non-zero failure code is
591 returned.
592
594 $SYSTEMD_LOG_LEVEL
595 The maximum log level of emitted messages (messages with a higher
596 log level, i.e. less important ones, will be suppressed). Either
597 one of (in order of decreasing importance) emerg, alert, crit, err,
598 warning, notice, info, debug, or an integer in the range 0...7. See
599 syslog(3) for more information.
600
601 $SYSTEMD_LOG_COLOR
602 A boolean. If true, messages written to the tty will be colored
603 according to priority.
604
605 This setting is only useful when messages are written directly to
606 the terminal, because journalctl(1) and other tools that display
607 logs will color messages based on the log level on their own.
608
609 $SYSTEMD_LOG_TIME
610 A boolean. If true, log messages will be prefixed with a timestamp.
611
612 This setting is only useful when messages are written directly to
613 the terminal or a file, because journalctl(1) and other tools that
614 display logs will attach timestamps based on the entry metadata on
615 their own.
616
617 $SYSTEMD_LOG_LOCATION
618 A boolean. If true, messages will be prefixed with a filename and
619 line number in the source code where the message originates.
620
621 Note that the log location is often attached as metadata to journal
622 entries anyway. Including it directly in the message text can
623 nevertheless be convenient when debugging programs.
624
625 $SYSTEMD_LOG_TID
626 A boolean. If true, messages will be prefixed with the current
627 numerical thread ID (TID).
628
629 Note that the this information is attached as metadata to journal
630 entries anyway. Including it directly in the message text can
631 nevertheless be convenient when debugging programs.
632
633 $SYSTEMD_LOG_TARGET
634 The destination for log messages. One of console (log to the
635 attached tty), console-prefixed (log to the attached tty but with
636 prefixes encoding the log level and "facility", see syslog(3), kmsg
637 (log to the kernel circular log buffer), journal (log to the
638 journal), journal-or-kmsg (log to the journal if available, and to
639 kmsg otherwise), auto (determine the appropriate log target
640 automatically, the default), null (disable log output).
641
642 $SYSTEMD_PAGER
643 Pager to use when --no-pager is not given; overrides $PAGER. If
644 neither $SYSTEMD_PAGER nor $PAGER are set, a set of well-known
645 pager implementations are tried in turn, including less(1) and
646 more(1), until one is found. If no pager implementation is
647 discovered no pager is invoked. Setting this environment variable
648 to an empty string or the value "cat" is equivalent to passing
649 --no-pager.
650
651 $SYSTEMD_LESS
652 Override the options passed to less (by default "FRSXMK").
653
654 Users might want to change two options in particular:
655
656 K
657 This option instructs the pager to exit immediately when Ctrl+C
658 is pressed. To allow less to handle Ctrl+C itself to switch
659 back to the pager command prompt, unset this option.
660
661 If the value of $SYSTEMD_LESS does not include "K", and the
662 pager that is invoked is less, Ctrl+C will be ignored by the
663 executable, and needs to be handled by the pager.
664
665 X
666 This option instructs the pager to not send termcap
667 initialization and deinitialization strings to the terminal. It
668 is set by default to allow command output to remain visible in
669 the terminal even after the pager exits. Nevertheless, this
670 prevents some pager functionality from working, in particular
671 paged output cannot be scrolled with the mouse.
672
673 See less(1) for more discussion.
674
675 $SYSTEMD_LESSCHARSET
676 Override the charset passed to less (by default "utf-8", if the
677 invoking terminal is determined to be UTF-8 compatible).
678
679 $SYSTEMD_PAGERSECURE
680 Takes a boolean argument. When true, the "secure" mode of the pager
681 is enabled; if false, disabled. If $SYSTEMD_PAGERSECURE is not set
682 at all, secure mode is enabled if the effective UID is not the same
683 as the owner of the login session, see geteuid(2) and
684 sd_pid_get_owner_uid(3). In secure mode, LESSSECURE=1 will be set
685 when invoking the pager, and the pager shall disable commands that
686 open or create new files or start new subprocesses. When
687 $SYSTEMD_PAGERSECURE is not set at all, pagers which are not known
688 to implement secure mode will not be used. (Currently only less(1)
689 implements secure mode.)
690
691 Note: when commands are invoked with elevated privileges, for
692 example under sudo(8) or pkexec(1), care must be taken to ensure
693 that unintended interactive features are not enabled. "Secure" mode
694 for the pager may be enabled automatically as describe above.
695 Setting SYSTEMD_PAGERSECURE=0 or not removing it from the inherited
696 environment allows the user to invoke arbitrary commands. Note that
697 if the $SYSTEMD_PAGER or $PAGER variables are to be honoured,
698 $SYSTEMD_PAGERSECURE must be set too. It might be reasonable to
699 completely disable the pager using --no-pager instead.
700
701 $SYSTEMD_COLORS
702 Takes a boolean argument. When true, systemd and related utilities
703 will use colors in their output, otherwise the output will be
704 monochrome. Additionally, the variable can take one of the
705 following special values: "16", "256" to restrict the use of colors
706 to the base 16 or 256 ANSI colors, respectively. This can be
707 specified to override the automatic decision based on $TERM and
708 what the console is connected to.
709
710 $SYSTEMD_URLIFY
711 The value must be a boolean. Controls whether clickable links
712 should be generated in the output for terminal emulators supporting
713 this. This can be specified to override the decision that systemd
714 makes based on $TERM and other conditions.
715
717 Without arguments, all collected logs are shown unfiltered:
718
719 journalctl
720
721 With one match specified, all entries with a field matching the
722 expression are shown:
723
724 journalctl _SYSTEMD_UNIT=avahi-daemon.service
725 journalctl _SYSTEMD_CGROUP=/user.slice/user-42.slice/session-c1.scope
726
727 If two different fields are matched, only entries matching both
728 expressions at the same time are shown:
729
730 journalctl _SYSTEMD_UNIT=avahi-daemon.service _PID=28097
731
732 If two matches refer to the same field, all entries matching either
733 expression are shown:
734
735 journalctl _SYSTEMD_UNIT=avahi-daemon.service _SYSTEMD_UNIT=dbus.service
736
737 If the separator "+" is used, two expressions may be combined in a
738 logical OR. The following will show all messages from the Avahi service
739 process with the PID 28097 plus all messages from the D-Bus service
740 (from any of its processes):
741
742 journalctl _SYSTEMD_UNIT=avahi-daemon.service _PID=28097 + _SYSTEMD_UNIT=dbus.service
743
744 To show all fields emitted by a unit and about the unit, option
745 -u/--unit= should be used. journalctl -u name expands to a complex
746 filter similar to
747
748 _SYSTEMD_UNIT=name.service
749 + UNIT=name.service _PID=1
750 + OBJECT_SYSTEMD_UNIT=name.service _UID=0
751 + COREDUMP_UNIT=name.service _UID=0 MESSAGE_ID=fc2e22bc6ee647b6b90729ab34a250b1
752
753
754 (see systemd.journal-fields(7) for an explanation of those patterns).
755
756 Show all logs generated by the D-Bus executable:
757
758 journalctl /usr/bin/dbus-daemon
759
760 Show all kernel logs from previous boot:
761
762 journalctl -k -b -1
763
764 Show a live log display from a system service apache.service:
765
766 journalctl -f -u apache
767
769 systemd(1), systemd-journald.service(8), systemctl(1), coredumpctl(1),
770 systemd.journal-fields(7), journald.conf(5), systemd.time(7), systemd-
771 journal-remote.service(8), systemd-journal-upload.service(8)
772
774 1. Journal Export Format
775 https://www.freedesktop.org/wiki/Software/systemd/export
776
777 2. Journal JSON Format
778 https://www.freedesktop.org/wiki/Software/systemd/json
779
780 3. Server-Sent Events
781 https://developer.mozilla.org/en-US/docs/Server-sent_events/Using_server-sent_events
782
783 4. JavaScript Object Notation (JSON) Text Sequences
784 https://tools.ietf.org/html/rfc7464
785
786 5. Message Catalog Developer Documentation
787 https://www.freedesktop.org/wiki/Software/systemd/catalog
788
789 6. Discoverable Partitions Specification
790 https://systemd.io/DISCOVERABLE_PARTITIONS
791
792
793
794systemd 248 JOURNALCTL(1)