1JOURNALCTL(1) journalctl JOURNALCTL(1)
2
6 journalctl - Query the systemd journal
7
9 journalctl [OPTIONS...] [MATCHES...]
10
12 journalctl may be used to query the contents of the systemd(1) journal
13 as written by systemd-journald.service(8).
14 If called without parameters, it will show the full contents of the
16 journal, starting with the oldest entry collected.
17 If one or more match arguments are passed, the output is filtered
19 accordingly. A match is in the format "FIELD=VALUE", e.g.
20 "_SYSTEMD_UNIT=httpd.service", referring to the components of a
21 structured journal entry. See systemd.journal-fields(7) for a list of
22 well-known fields. If multiple matches are specified matching different
23 fields, the log entries are filtered by both, i.e. the resulting output
24 will show only entries matching all the specified matches of this kind.
25 If two matches apply to the same field, then they are automatically
26 matched as alternatives, i.e. the resulting output will show entries
27 matching any of the specified matches for the same field. Finally, the
28 character "+" may appears as a separate word between other terms on the
29 command line. This causes all matches before and after to be combined
30 in a disjunction (i.e. logical OR).
31 As shortcuts for a few types of field/value matches, file paths may be
33 specified. If a file path refers to an executable file, this is
34 equivalent to an "_EXE=" match for the canonicalized binary path.
35 Similarly, if a path refers to a device node then match is added for
36 the kernel name of the device ("_KERNEL_DEVICE="). Also, matches for
37 the kernel names of all the parent devices are added automatically.
38 Device node paths are not stable across reboots, therefore match for
39 the current boot id ("_BOOT_ID=") is always added as well. Note that
40 only the log entries for the existing device nodes maybe queried by
41 providing path to the device node.
42 Additional constraints may be added using options --boot, --unit=, etc,
44 to further limit what entries will be shown (logical AND).
45 Output is interleaved from all accessible journal files, whether they
47 are rotated or currently being written, and regardless of whether they
48 belong to the system itself or are accessible user journals.
49 The set of journal files which will be used can be modified using the
51 --user, --system, --directory, and --file options, see below.
52 All users are granted access to their private per-user journals.
54 However, by default, only root and users who are members of a few
55 special groups are granted access to the system journal and the
56 journals of other users. Members of the the "systemd-journal", "adm",
57 and "wheel" groups can read all journal files. Note that the two latter
58 groups traditionally have additional privileges specified by the
59 distribution. Members of the "wheel" group can often perform
60 administrative tasks.
61 The output is paged through less by default, and long lines are
63 "truncated" to screen width. The hidden part can be viewed by using the
64 left-arrow and right-arrow keys. Paging can be disabled; see the
65 --no-pager option and the "Environment" section below.
66 When outputting to a tty, lines are colored according to priority:
68 lines of level ERROR and higher are colored red; lines of level NOTICE
69 and higher are highlighted; other lines are displayed normally.
70
72 The following options are understood:
73 --no-full, --full, -l
75 Ellipsize fields when they do not fit in available columns. The
76 default is to show full fields, allowing them to wrap or be
77 truncated by the pager, if one is used.
78 The old options -l/--full are not useful anymore, except to undo
80 --no-full.
81 -a, --all
83 Show all fields in full, even if they include unprintable
84 characters or are very long.
85 -f, --follow
87 Show only the most recent journal entries, and continuously print
88 new entries as they are appended to the journal.
89 -e, --pager-end
91 Immediately jump to the end of the journal inside the implied pager
92 tool. This implies -n1000 to guarantee that the pager will not
93 buffer logs of unbounded size. This may be overridden with an
94 explicit -n with some other numeric value while -nall will disable
95 this cap. Note that this option is only supported for the less(1)
96 pager.
97 -n, --lines=
99 Show the most recent journal events and limit the number of events
100 shown. If --follow is used, this option is implied. The argument is
101 a positive integer or "all" to disable line limiting. The default
102 value is 10 if no argument is given.
103 --no-tail
105 Show all stored output lines, even in follow mode. Undoes the
106 effect of --lines=.
107 -r, --reverse
109 Reverse output so that the newest entries are displayed first.
110 -o, --output=
112 Controls the formatting of the journal entries that are shown.
113 Takes one of the following options:
114 short
116 is the default and generates an output that is mostly identical
117 to the formatting of classic syslog files, showing one line per
118 journal entry.
119 short-iso
121 is very similar, but shows ISO 8601 wallclock timestamps.
122 short-precise
124 is very similar, but shows timestamps with full microsecond
125 precision.
126 short-monotonic
128 is very similar, but shows monotonic timestamps instead of
129 wallclock timestamps.
130 verbose
132 shows the full-structured entry items with all fields.
133 export
135 serializes the journal into a binary (but mostly text-based)
136 stream suitable for backups and network transfer (see Journal
137 Export Format[1] for more information).
138 json
140 formats entries as JSON data structures, one per line (see
141 Journal JSON Format[2] for more information).
142 json-pretty
144 formats entries as JSON data structures, but formats them in
145 multiple lines in order to make them more readable by humans.
146 json-sse
148 formats entries as JSON data structures, but wraps them in a
149 format suitable for Server-Sent Events[3].
150 cat
152 generates a very terse output, only showing the actual message
153 of each journal entry with no metadata, not even a timestamp.
154 --utc
156 Express time in Coordinated Universal Time (UTC).
157 -x, --catalog
159 Augment log lines with explanation texts from the message catalog.
160 This will add explanatory help texts to log messages in the output
161 where this is available. These short help texts will explain the
162 context of an error or log event, possible solutions, as well as
163 pointers to support forums, developer documentation, and any other
164 relevant manuals. Note that help texts are not available for all
165 messages, but only for selected ones. For more information on the
166 message catalog, please refer to the Message Catalog Developer
167 Documentation[4].
168 Note: when attaching journalctl output to bug reports, please do
170 not use -x.
171 -q, --quiet
173 Suppresses any warning messages regarding inaccessible system
174 journals when run as a normal user.
175 -m, --merge
177 Show entries interleaved from all available journals, including
178 remote ones.
179 -b [ID][±offset], --boot=[ID][±offset]
181 Show messages from a specific boot. This will add a match for
182 "_BOOT_ID=".
183 The argument may be empty, in which case logs for the current boot
185 will be shown.
186 If the boot ID is omitted, a positive offset will look up the boots
188 starting from the beginning of the journal, and a
189 equal-or-less-than zero offset will look up boots starting from the
190 end of the journal. Thus, 1 means the first boot found in the
191 journal in chronological order, 2 the second and so on; while -0 is
192 the last boot, -1 the boot before last, and so on. An empty offset
193 is equivalent to specifying -0, except when the current boot is not
194 the last boot (e.g. because --directory was specified to look at
195 logs from a different machine).
196 If the 32-character ID is specified, it may optionally be followed
198 by offset which identifies the boot relative to the one given by
199 boot ID. Negative values mean earlier boots and a positive values
200 mean later boots. If offset is not specified, a value of zero is
201 assumed, and the logs for the boot given by ID are shown.
202 --list-boots
204 Show a tabular list of boot numbers (relative to the current boot),
205 their IDs, and the timestamps of the first and last message
206 pertaining to the boot.
207 -k, --dmesg
209 Show only kernel messages. This implies -b and adds the match
210 "_TRANSPORT=kernel".
211 -t, --identifier=SYSLOG_IDENTIFIER|PATTERN
213 Show messages for the specified syslog identifier
214 SYSLOG_IDENTIFIER, or for any of the messages with a
215 "SYSLOG_IDENTIFIER" matched by PATTERN.
216 This parameter can be specified multiple times.
218 -u, --unit=UNIT|PATTERN
220 Show messages for the specified systemd unit UNIT (such as a
221 service unit), or for any of the units matched by PATTERN. If a
222 pattern is specified, a list of unit names found in the journal is
223 compared with the specified pattern and all that match are used.
224 For each unit name, a match is added for messages from the unit
225 ("_SYSTEMD_UNIT=UNIT"), along with additional matches for messages
226 from systemd and messages about coredumps for the specified unit.
227 This parameter can be specified multiple times.
229 -p, --priority=
231 Filter output by message priorities or priority ranges. Takes
232 either a single numeric or textual log level (i.e. between
233 0/"emerg" and 7/"debug"), or a range of numeric/text log levels in
234 the form FROM..TO. The log levels are the usual syslog log levels
235 as documented in syslog(3), i.e. "emerg" (0), "alert" (1),
236 "crit" (2), "err" (3), "warning" (4), "notice" (5), "info" (6),
237 "debug" (7). If a single log level is specified, all messages with
238 this log level or a lower (hence more important) log level are
239 shown. If a range is specified, all messages within the range are
240 shown, including both the start and the end value of the range.
241 This will add "PRIORITY=" matches for the specified priorities.
242 -c, --cursor=
244 Start showing entries from the location in the journal specified by
245 the passed cursor.
246 --after-cursor=
248 Start showing entries from the location in the journal after the
249 location specified by the this cursor. The cursor is shown when the
250 --show-cursor option is used.
251 --show-cursor
253 The cursor is shown after the last entry after two dashes:
254 -- cursor: s=0639...
256 The format of the cursor is private and subject to change.
258 -S, --since=, -U, --until=
260 Start showing entries on or newer than the specified date, or on or
261 older than the specified date, respectively. Date specifications
262 should be of the format "2012-10-30 18:17:16". If the time part is
263 omitted, "00:00:00" is assumed. If only the seconds component is
264 omitted, ":00" is assumed. If the date component is omitted, the
265 current day is assumed. Alternatively the strings "yesterday",
266 "today", "tomorrow" are understood, which refer to 00:00:00 of the
267 day before the current day, the current day, or the day after the
268 current day, respectively. "now" refers to the current time.
269 Finally, relative times may be specified, prefixed with "-" or "+",
270 referring to times before or after the current time, respectively.
271 -F, --field=
273 Print all possible data values the specified field can take in all
274 entries of the journal.
275 --system, --user
277 Show messages from system services and the kernel (with --system).
278 Show messages from service of current user (with --user). If
279 neither is specified, show all messages that the user can see.
280 -M, --machine=
282 Show messages from a running, local container. Specify a container
283 name to connect to.
284 -D DIR, --directory=DIR
286 Takes a directory path as argument. If specified, journalctl will
287 operate on the specified journal directory DIR instead of the
288 default runtime and system journal paths.
289 --file=GLOB
291 Takes a file glob as an argument. If specified, journalctl will
292 operate on the specified journal files matching GLOB instead of the
293 default runtime and system journal paths. May be specified multiple
294 times, in which case files will be suitably interleaved.
295 --root=ROOT
297 Takes a directory path as an argument. If specified, journalctl
298 will operate on catalog file hierarchy underneath the specified
299 directory instead of the root directory (e.g. --update-catalog
300 will create ROOT/var/lib/systemd/catalog/database).
301 --new-id128
303 Instead of showing journal contents, generate a new 128-bit ID
304 suitable for identifying messages. This is intended for usage by
305 developers who need a new identifier for a new message they
306 introduce and want to make recognizable. This will print the new ID
307 in three different formats which can be copied into source code or
308 similar.
309 --header
311 Instead of showing journal contents, show internal header
312 information of the journal fields accessed.
313 --disk-usage
315 Shows the current disk usage of all journal files. This shows the
316 sum of the disk usage of all archived and active journal files.
317 --vacuum-size=, --vacuum-time=
319 Removes archived journal files until the disk space they use falls
320 below the specified size (specified with the usual "K", "M", "G",
321 "T" suffixes), or all journal files contain no data older than the
322 specified timespan (specified with the usual "s", "min", "h",
323 "days", "months", "weeks", "years" suffixes). Note that running
324 --vacuum-size= has only indirect effect on the output shown by
325 --disk-usage as the latter includes active journal files, while the
326 former only operates on archived journal files. --vacuum-size= and
327 --vacuum-time= may be combined in a single invocation to enforce
328 both a size and time limit on the archived journal files.
329 --list-catalog [128-bit-ID...]
331 List the contents of the message catalog as a table of message IDs,
332 plus their short description strings.
333 If any 128-bit-IDs are specified, only those entries are shown.
335 --dump-catalog [128-bit-ID...]
337 Show the contents of the message catalog, with entries separated by
338 a line consisting of two dashes and the ID (the format is the same
339 as .catalog files).
340 If any 128-bit-IDs are specified, only those entries are shown.
342 --update-catalog
344 Update the message catalog index. This command needs to be executed
345 each time new catalog files are installed, removed, or updated to
346 rebuild the binary catalog index.
347 --setup-keys
349 Instead of showing journal contents, generate a new key pair for
350 Forward Secure Sealing (FSS). This will generate a sealing key and
351 a verification key. The sealing key is stored in the journal data
352 directory and shall remain on the host. The verification key should
353 be stored externally. Refer to the Seal= option in journald.conf(5)
354 for information on Forward Secure Sealing and for a link to a
355 refereed scholarly paper detailing the cryptographic theory it is
356 based on.
357 --force
359 When --setup-keys is passed and Forward Secure Sealing (FSS) has
360 already been configured, recreate FSS keys.
361 --interval=
363 Specifies the change interval for the sealing key when generating
364 an FSS key pair with --setup-keys. Shorter intervals increase CPU
365 consumption but shorten the time range of undetectable journal
366 alterations. Defaults to 15min.
367 --verify
369 Check the journal file for internal consistency. If the file has
370 been generated with FSS enabled and the FSS verification key has
371 been specified with --verify-key=, authenticity of the journal file
372 is verified.
373 --verify-key=
375 Specifies the FSS verification key to use for the --verify
376 operation.
377 --flush
379 Asks the Journal daemon to flush any log data stored in
380 /run/log/journal into /var/log/journal, if persistent storage is
381 enabled. This call does not return until the operation is complete.
382 -h, --help
384 Print a short help text and exit.
385 --version
387 Print a short version string and exit.
388 --no-pager
390 Do not pipe output into a pager.
391
393 On success, 0 is returned; otherwise, a non-zero failure code is
394 returned.
395
397 $SYSTEMD_PAGER
398 Pager to use when --no-pager is not given; overrides $PAGER.
399 Setting this to an empty string or the value "cat" is equivalent to
400 passing --no-pager.
401 $SYSTEMD_LESS
403 Override the default options passed to less ("FRSXMK").
404
406 Without arguments, all collected logs are shown unfiltered:
407 journalctl
409 With one match specified, all entries with a field matching the
411 expression are shown:
412 journalctl _SYSTEMD_UNIT=avahi-daemon.service
414 If two different fields are matched, only entries matching both
416 expressions at the same time are shown:
417 journalctl _SYSTEMD_UNIT=avahi-daemon.service _PID=28097
419 If two matches refer to the same field, all entries matching either
421 expression are shown:
422 journalctl _SYSTEMD_UNIT=avahi-daemon.service _SYSTEMD_UNIT=dbus.service
424 If the separator "+" is used, two expressions may be combined in a
426 logical OR. The following will show all messages from the Avahi service
427 process with the PID 28097 plus all messages from the D-Bus service
428 (from any of its processes):
429 journalctl _SYSTEMD_UNIT=avahi-daemon.service _PID=28097 + _SYSTEMD_UNIT=dbus.service
431 Show all logs generated by the D-Bus executable:
433 journalctl /usr/bin/dbus-daemon
435 Show all kernel logs from previous boot:
437 journalctl -k -b -1
439 Show a live log display from a system service apache.service:
441 journalctl -f -u apache
443
445 systemd(1), systemd-journald.service(8), systemctl(1), coredumpctl(1),
446 systemd.journal-fields(7), journald.conf(5)
447
449 1. Journal Export Format
450 http://www.freedesktop.org/wiki/Software/systemd/export
451 2. Journal JSON Format
453 http://www.freedesktop.org/wiki/Software/systemd/json
454 3. Server-Sent Events
456 https://developer.mozilla.org/en-US/docs/Server-sent_events/Using_server-sent_events
457 4. Message Catalog Developer Documentation
459 http://www.freedesktop.org/wiki/Software/systemd/catalog
460systemd 219 JOURNALCTL(1)