1JOURNALCTL(1) journalctl JOURNALCTL(1)
2
6 journalctl - Query the systemd journal
7
9 journalctl [OPTIONS...] [MATCHES...]
10
12 journalctl may be used to query the contents of the systemd(1) journal
13 as written by systemd-journald.service(8).
14 If called without parameters, it will show the full contents of the
16 journal, starting with the oldest entry collected.
17 If one or more match arguments are passed, the output is filtered
19 accordingly. A match is in the format "FIELD=VALUE", e.g.
20 "_SYSTEMD_UNIT=httpd.service", referring to the components of a
21 structured journal entry. See systemd.journal-fields(7) for a list of
22 well-known fields. If multiple matches are specified matching different
23 fields, the log entries are filtered by both, i.e. the resulting output
24 will show only entries matching all the specified matches of this kind.
25 If two matches apply to the same field, then they are automatically
26 matched as alternatives, i.e. the resulting output will show entries
27 matching any of the specified matches for the same field. Finally, the
28 character "+" may appear as a separate word between other terms on the
29 command line. This causes all matches before and after to be combined
30 in a disjunction (i.e. logical OR).
31 It is also possible to filter the entries by specifying an absolute
33 file path as an argument. The file path may be a file or a symbolic
34 link and the file must exist at the time of the query. If a file path
35 refers to an executable binary, an "_EXE=" match for the canonicalized
36 binary path is added to the query. If a file path refers to an
37 executable script, a "_COMM=" match for the script name is added to the
38 query. If a file path refers to a device node, "_KERNEL_DEVICE="
39 matches for the kernel name of the device and for each of its ancestor
40 devices is added to the query. Symbolic links are dereferenced, kernel
41 names are synthesized, and parent devices are identified from the
42 environment at the time of the query. In general, a device node is the
43 best proxy for an actual device, as log entries do not usually contain
44 fields that identify an actual device. For the resulting log entries to
45 be correct for the actual device, the relevant parts of the environment
46 at the time the entry was logged, in particular the actual device
47 corresponding to the device node, must have been the same as those at
48 the time of the query. Because device nodes generally change their
49 corresponding devices across reboots, specifying a device node path
50 causes the resulting entries to be restricted to those from the current
51 boot.
52 Additional constraints may be added using options --boot, --unit=,
54 etc., to further limit what entries will be shown (logical AND).
55 Output is interleaved from all accessible journal files, whether they
57 are rotated or currently being written, and regardless of whether they
58 belong to the system itself or are accessible user journals.
59 The set of journal files which will be used can be modified using the
61 --user, --system, --directory, and --file options, see below.
62 All users are granted access to their private per-user journals.
64 However, by default, only root and users who are members of a few
65 special groups are granted access to the system journal and the
66 journals of other users. Members of the groups "systemd-journal",
67 "adm", and "wheel" can read all journal files. Note that the two latter
68 groups traditionally have additional privileges specified by the
69 distribution. Members of the "wheel" group can often perform
70 administrative tasks.
71 The output is paged through less by default, and long lines are
73 "truncated" to screen width. The hidden part can be viewed by using the
74 left-arrow and right-arrow keys. Paging can be disabled; see the
75 --no-pager option and the "Environment" section below.
76 When outputting to a tty, lines are colored according to priority:
78 lines of level ERROR and higher are colored red; lines of level NOTICE
79 and higher are highlighted; lines of level DEBUG are colored lighter
80 grey; other lines are displayed normally.
81
83 The following options are understood:
84 --no-full, --full, -l
86 Ellipsize fields when they do not fit in available columns. The
87 default is to show full fields, allowing them to wrap or be
88 truncated by the pager, if one is used.
89 The old options -l/--full are not useful anymore, except to undo
91 --no-full.
92 -a, --all
94 Show all fields in full, even if they include unprintable
95 characters or are very long. By default, fields with unprintable
96 characters are abbreviated as "blob data". (Note that the pager may
97 escape unprintable characters again.)
98 -f, --follow
100 Show only the most recent journal entries, and continuously print
101 new entries as they are appended to the journal.
102 -e, --pager-end
104 Immediately jump to the end of the journal inside the implied pager
105 tool. This implies -n1000 to guarantee that the pager will not
106 buffer logs of unbounded size. This may be overridden with an
107 explicit -n with some other numeric value, while -nall will disable
108 this cap. Note that this option is only supported for the less(1)
109 pager.
110 -n, --lines=
112 Show the most recent journal events and limit the number of events
113 shown. If --follow is used, this option is implied. The argument is
114 a positive integer or "all" to disable line limiting. The default
115 value is 10 if no argument is given.
116 --no-tail
118 Show all stored output lines, even in follow mode. Undoes the
119 effect of --lines=.
120 -r, --reverse
122 Reverse output so that the newest entries are displayed first.
123 -o, --output=
125 Controls the formatting of the journal entries that are shown.
126 Takes one of the following options:
127 short
129 is the default and generates an output that is mostly identical
130 to the formatting of classic syslog files, showing one line per
131 journal entry.
132 short-full
134 is very similar, but shows timestamps in the format the
135 --since= and --until= options accept. Unlike the timestamp
136 information shown in short output mode this mode includes
137 weekday, year and timezone information in the output, and is
138 locale-independent.
139 short-iso
141 is very similar, but shows ISO 8601 wallclock timestamps.
142 short-iso-precise
144 as for short-iso but includes full microsecond precision.
145 short-precise
147 is very similar, but shows classic syslog timestamps with full
148 microsecond precision.
149 short-monotonic
151 is very similar, but shows monotonic timestamps instead of
152 wallclock timestamps.
153 short-unix
155 is very similar, but shows seconds passed since January 1st
156 1970 UTC instead of wallclock timestamps ("UNIX time"). The
157 time is shown with microsecond accuracy.
158 verbose
160 shows the full-structured entry items with all fields.
161 export
163 serializes the journal into a binary (but mostly text-based)
164 stream suitable for backups and network transfer (see Journal
165 Export Format[1] for more information). To import the binary
166 stream back into native journald format use systemd-journal-
167 remote(8).
168 json
170 formats entries as JSON objects, separated by newline
171 characters (see Journal JSON Format[2] for more information).
172 Field values are generally encoded as JSON strings, with three
173 exceptions:
174 1. Fields larger than 4096 bytes are encoded as null values.
176 (This may be turned off by passing --all, but be aware that
177 this may allocate overly long JSON objects.)
178 2. Journal entries permit non-unique fields within the same
180 log entry. JSON does not allow non-unique fields within
181 objects. Due to this, if a non-unique field is encountered
182 a JSON array is used as field value, listing all field
183 values as elements.
184 3. Fields containing non-printable or non-UTF8 bytes are
186 encoded as arrays containing the raw bytes individually
187 formatted as unsigned numbers.
188 Note that this encoding is reversible (with the exception of
190 the size limit).
191 json-pretty
193 formats entries as JSON data structures, but formats them in
194 multiple lines in order to make them more readable by humans.
195 json-sse
197 formats entries as JSON data structures, but wraps them in a
198 format suitable for Server-Sent Events[3].
199 json-seq
201 formats entries as JSON data structures, but prefixes them with
202 an ASCII Record Separator character (0x1E) and suffixes them
203 with an ASCII Line Feed character (0x0A), in accordance with
204 JavaScript Object Notation (JSON) Text Sequences[4]
205 ("application/json-seq").
206 cat
208 generates a very terse output, only showing the actual message
209 of each journal entry with no metadata, not even a timestamp.
210 with-unit
212 similar to short-full, but prefixes the unit and user unit
213 names instead of the traditional syslog identifier. Useful when
214 using templated instances, as it will include the arguments in
215 the unit names.
216 --output-fields=
218 A comma separated list of the fields which should be included in
219 the output. This only has an effect for the output modes which
220 would normally show all fields (verbose, export, json, json-pretty,
221 json-sse and json-seq). The "__CURSOR", "__REALTIME_TIMESTAMP",
222 "__MONOTONIC_TIMESTAMP", and "_BOOT_ID" fields are always printed.
223 --utc
225 Express time in Coordinated Universal Time (UTC).
226 --no-hostname
228 Don't show the hostname field of log messages originating from the
229 local host. This switch only has an effect on the short family of
230 output modes (see above).
231 -x, --catalog
233 Augment log lines with explanation texts from the message catalog.
234 This will add explanatory help texts to log messages in the output
235 where this is available. These short help texts will explain the
236 context of an error or log event, possible solutions, as well as
237 pointers to support forums, developer documentation, and any other
238 relevant manuals. Note that help texts are not available for all
239 messages, but only for selected ones. For more information on the
240 message catalog, please refer to the Message Catalog Developer
241 Documentation[5].
242 Note: when attaching journalctl output to bug reports, please do
244 not use -x.
245 -q, --quiet
247 Suppresses all informational messages (i.e. "-- Logs begin at ...",
248 "-- Reboot --"), any warning messages regarding inaccessible system
249 journals when run as a normal user.
250 -m, --merge
252 Show entries interleaved from all available journals, including
253 remote ones.
254 -b [ID][±offset], --boot=[ID][±offset]
256 Show messages from a specific boot. This will add a match for
257 "_BOOT_ID=".
258 The argument may be empty, in which case logs for the current boot
260 will be shown.
261 If the boot ID is omitted, a positive offset will look up the boots
263 starting from the beginning of the journal, and an
264 equal-or-less-than zero offset will look up boots starting from the
265 end of the journal. Thus, 1 means the first boot found in the
266 journal in chronological order, 2 the second and so on; while -0 is
267 the last boot, -1 the boot before last, and so on. An empty offset
268 is equivalent to specifying -0, except when the current boot is not
269 the last boot (e.g. because --directory was specified to look at
270 logs from a different machine).
271 If the 32-character ID is specified, it may optionally be followed
273 by offset which identifies the boot relative to the one given by
274 boot ID. Negative values mean earlier boots and positive values
275 mean later boots. If offset is not specified, a value of zero is
276 assumed, and the logs for the boot given by ID are shown.
277 --list-boots
279 Show a tabular list of boot numbers (relative to the current boot),
280 their IDs, and the timestamps of the first and last message
281 pertaining to the boot.
282 -k, --dmesg
284 Show only kernel messages. This implies -b and adds the match
285 "_TRANSPORT=kernel".
286 -t, --identifier=SYSLOG_IDENTIFIER
288 Show messages for the specified syslog identifier
289 SYSLOG_IDENTIFIER.
290 This parameter can be specified multiple times.
292 -u, --unit=UNIT|PATTERN
294 Show messages for the specified systemd unit UNIT (such as a
295 service unit), or for any of the units matched by PATTERN. If a
296 pattern is specified, a list of unit names found in the journal is
297 compared with the specified pattern and all that match are used.
298 For each unit name, a match is added for messages from the unit
299 ("_SYSTEMD_UNIT=UNIT"), along with additional matches for messages
300 from systemd and messages about coredumps for the specified unit.
301 This parameter can be specified multiple times.
303 --user-unit=
305 Show messages for the specified user session unit. This will add a
306 match for messages from the unit ("_SYSTEMD_USER_UNIT=" and
307 "_UID=") and additional matches for messages from session systemd
308 and messages about coredumps for the specified unit.
309 This parameter can be specified multiple times.
311 -p, --priority=
313 Filter output by message priorities or priority ranges. Takes
314 either a single numeric or textual log level (i.e. between
315 0/"emerg" and 7/"debug"), or a range of numeric/text log levels in
316 the form FROM..TO. The log levels are the usual syslog log levels
317 as documented in syslog(3), i.e. "emerg" (0), "alert" (1),
318 "crit" (2), "err" (3), "warning" (4), "notice" (5), "info" (6),
319 "debug" (7). If a single log level is specified, all messages with
320 this log level or a lower (hence more important) log level are
321 shown. If a range is specified, all messages within the range are
322 shown, including both the start and the end value of the range.
323 This will add "PRIORITY=" matches for the specified priorities.
324 -g, --grep=
326 Filter output to entries where the MESSAGE= field matches the
327 specified regular expression. PERL-compatible regular expressions
328 are used, see pcre2pattern(3) for a detailed description of the
329 syntax.
330 If the pattern is all lowercase, matching is case insensitive.
332 Otherwise, matching is case sensitive. This can be overridden with
333 the --case-sensitive option, see below.
334 --case-sensitive[=BOOLEAN]
336 Make pattern matching case sensitive or case insenstive.
337 -c, --cursor=
339 Start showing entries from the location in the journal specified by
340 the passed cursor.
341 --after-cursor=
343 Start showing entries from the location in the journal after the
344 location specified by the passed cursor. The cursor is shown when
345 the --show-cursor option is used.
346 --show-cursor
348 The cursor is shown after the last entry after two dashes:
349 -- cursor: s=0639...
351 The format of the cursor is private and subject to change.
353 -S, --since=, -U, --until=
355 Start showing entries on or newer than the specified date, or on or
356 older than the specified date, respectively. Date specifications
357 should be of the format "2012-10-30 18:17:16". If the time part is
358 omitted, "00:00:00" is assumed. If only the seconds component is
359 omitted, ":00" is assumed. If the date component is omitted, the
360 current day is assumed. Alternatively the strings "yesterday",
361 "today", "tomorrow" are understood, which refer to 00:00:00 of the
362 day before the current day, the current day, or the day after the
363 current day, respectively. "now" refers to the current time.
364 Finally, relative times may be specified, prefixed with "-" or "+",
365 referring to times before or after the current time, respectively.
366 For complete time and date specification, see systemd.time(7). Note
367 that --output=short-full prints timestamps that follow precisely
368 this format.
369 -F, --field=
371 Print all possible data values the specified field can take in all
372 entries of the journal.
373 -N, --fields
375 Print all field names currently used in all entries of the journal.
376 --system, --user
378 Show messages from system services and the kernel (with --system).
379 Show messages from service of current user (with --user). If
380 neither is specified, show all messages that the user can see.
381 -M, --machine=
383 Show messages from a running, local container. Specify a container
384 name to connect to.
385 -D DIR, --directory=DIR
387 Takes a directory path as argument. If specified, journalctl will
388 operate on the specified journal directory DIR instead of the
389 default runtime and system journal paths.
390 --file=GLOB
392 Takes a file glob as an argument. If specified, journalctl will
393 operate on the specified journal files matching GLOB instead of the
394 default runtime and system journal paths. May be specified multiple
395 times, in which case files will be suitably interleaved.
396 --root=ROOT
398 Takes a directory path as an argument. If specified, journalctl
399 will operate on journal directories and catalog file hierarchy
400 underneath the specified directory instead of the root directory
401 (e.g. --update-catalog will create
402 ROOT/var/lib/systemd/catalog/database, and journal files under
403 ROOT/run/journal or ROOT/var/log/journal will be displayed).
404 --header
406 Instead of showing journal contents, show internal header
407 information of the journal fields accessed.
408 --disk-usage
410 Shows the current disk usage of all journal files. This shows the
411 sum of the disk usage of all archived and active journal files.
412 --vacuum-size=, --vacuum-time=, --vacuum-files=
414 Removes the oldest archived journal files until the disk space they
415 use falls below the specified size (specified with the usual "K",
416 "M", "G" and "T" suffixes), or all archived journal files contain
417 no data older than the specified timespan (specified with the usual
418 "s", "m", "h", "days", "months", "weeks" and "years" suffixes), or
419 no more than the specified number of separate journal files remain.
420 Note that running --vacuum-size= has only an indirect effect on the
421 output shown by --disk-usage, as the latter includes active journal
422 files, while the vacuuming operation only operates on archived
423 journal files. Similarly, --vacuum-files= might not actually reduce
424 the number of journal files to below the specified number, as it
425 will not remove active journal files.
426 --vacuum-size=, --vacuum-time= and --vacuum-files= may be combined
428 in a single invocation to enforce any combination of a size, a time
429 and a number of files limit on the archived journal files.
430 Specifying any of these three parameters as zero is equivalent to
431 not enforcing the specific limit, and is thus redundant.
432 These three switches may also be combined with --rotate into one
434 command. If so, all active files are rotated first, and the
435 requested vacuuming operation is executed right after. The rotation
436 has the effect that all currently active files are archived (and
437 potentially new, empty journal files opened as replacement), and
438 hence the vacuuming operation has the greatest effect as it can
439 take all log data written so far into account.
440 --list-catalog [128-bit-ID...]
442 List the contents of the message catalog as a table of message IDs,
443 plus their short description strings.
444 If any 128-bit-IDs are specified, only those entries are shown.
446 --dump-catalog [128-bit-ID...]
448 Show the contents of the message catalog, with entries separated by
449 a line consisting of two dashes and the ID (the format is the same
450 as .catalog files).
451 If any 128-bit-IDs are specified, only those entries are shown.
453 --update-catalog
455 Update the message catalog index. This command needs to be executed
456 each time new catalog files are installed, removed, or updated to
457 rebuild the binary catalog index.
458 --setup-keys
460 Instead of showing journal contents, generate a new key pair for
461 Forward Secure Sealing (FSS). This will generate a sealing key and
462 a verification key. The sealing key is stored in the journal data
463 directory and shall remain on the host. The verification key should
464 be stored externally. Refer to the Seal= option in journald.conf(5)
465 for information on Forward Secure Sealing and for a link to a
466 refereed scholarly paper detailing the cryptographic theory it is
467 based on.
468 --force
470 When --setup-keys is passed and Forward Secure Sealing (FSS) has
471 already been configured, recreate FSS keys.
472 --interval=
474 Specifies the change interval for the sealing key when generating
475 an FSS key pair with --setup-keys. Shorter intervals increase CPU
476 consumption but shorten the time range of undetectable journal
477 alterations. Defaults to 15min.
478 --verify
480 Check the journal file for internal consistency. If the file has
481 been generated with FSS enabled and the FSS verification key has
482 been specified with --verify-key=, authenticity of the journal file
483 is verified.
484 --verify-key=
486 Specifies the FSS verification key to use for the --verify
487 operation.
488 --sync
490 Asks the journal daemon to write all yet unwritten journal data to
491 the backing file system and synchronize all journals. This call
492 does not return until the synchronization operation is complete.
493 This command guarantees that any log messages written before its
494 invocation are safely stored on disk at the time it returns.
495 --flush
497 Asks the journal daemon to flush any log data stored in
498 /run/log/journal into /var/log/journal, if persistent storage is
499 enabled. This call does not return until the operation is complete.
500 Note that this call is idempotent: the data is only flushed from
501 /run/log/journal into /var/log/journal once during system runtime,
502 and this command exits cleanly without executing any operation if
503 this has already happened. This command effectively guarantees that
504 all data is flushed to /var/log/journal at the time it returns.
505 --rotate
507 Asks the journal daemon to rotate journal files. This call does not
508 return until the rotation operation is complete. Journal file
509 rotation has the effect that all currently active journal files are
510 marked as archived and renamed, so that they are never written to
511 in future. New (empty) journal files are then created in their
512 place. This operation may be combined with --vacuum-size=,
513 --vacuum-time= and --vacuum-file= into a single command, see above.
514 -h, --help
516 Print a short help text and exit.
517 --version
519 Print a short version string and exit.
520 --no-pager
522 Do not pipe output into a pager.
523
525 On success, 0 is returned; otherwise, a non-zero failure code is
526 returned.
527
529 $SYSTEMD_PAGER
530 Pager to use when --no-pager is not given; overrides $PAGER. If
531 neither $SYSTEMD_PAGER nor $PAGER are set, a set of well-known
532 pager implementations are tried in turn, including less(1) and
533 more(1), until one is found. If no pager implementation is
534 discovered no pager is invoked. Setting this environment variable
535 to an empty string or the value "cat" is equivalent to passing
536 --no-pager.
537 $SYSTEMD_LESS
539 Override the options passed to less (by default "FRSXMK").
540 If the value of $SYSTEMD_LESS does not include "K", and the pager
542 that is invoked is less, Ctrl+C will be ignored by the executable.
543 This allows less to handle Ctrl+C itself.
544 $SYSTEMD_LESSCHARSET
546 Override the charset passed to less (by default "utf-8", if the
547 invoking terminal is determined to be UTF-8 compatible).
548
550 Without arguments, all collected logs are shown unfiltered:
551 journalctl
553 With one match specified, all entries with a field matching the
555 expression are shown:
556 journalctl _SYSTEMD_UNIT=avahi-daemon.service
558 journalctl _SYSTEMD_CGROUP=/user.slice/user-42.slice/session-c1.scope
559 If two different fields are matched, only entries matching both
561 expressions at the same time are shown:
562 journalctl _SYSTEMD_UNIT=avahi-daemon.service _PID=28097
564 If two matches refer to the same field, all entries matching either
566 expression are shown:
567 journalctl _SYSTEMD_UNIT=avahi-daemon.service _SYSTEMD_UNIT=dbus.service
569 If the separator "+" is used, two expressions may be combined in a
571 logical OR. The following will show all messages from the Avahi service
572 process with the PID 28097 plus all messages from the D-Bus service
573 (from any of its processes):
574 journalctl _SYSTEMD_UNIT=avahi-daemon.service _PID=28097 + _SYSTEMD_UNIT=dbus.service
576 To show all fields emitted by a unit and about the unit, option
578 -u/--unit= should be used. journalctl -u name expands to a complex
579 filter similar to
580 _SYSTEMD_UNIT=name.service
582 + UNIT=name.service _PID=1
583 + OBJECT_SYSTEMD_UNIT=name.service _UID=0
584 + COREDUMP_UNIT=name.service _UID=0 MESSAGE_ID=fc2e22bc6ee647b6b90729ab34a250b1
585 (see systemd.journal-fields(5) for an explanation of those patterns).
588 Show all logs generated by the D-Bus executable:
590 journalctl /usr/bin/dbus-daemon
592 Show all kernel logs from previous boot:
594 journalctl -k -b -1
596 Show a live log display from a system service apache.service:
598 journalctl -f -u apache
600
602 systemd(1), systemd-journald.service(8), systemctl(1), coredumpctl(1),
603 systemd.journal-fields(7), journald.conf(5), systemd.time(7), systemd-
604 journal-remote.service(8), systemd-journal-upload.service(8)
605
607 1. Journal Export Format
608 https://www.freedesktop.org/wiki/Software/systemd/export
609 2. Journal JSON Format
611 https://www.freedesktop.org/wiki/Software/systemd/json
612 3. Server-Sent Events
614 https://developer.mozilla.org/en-US/docs/Server-sent_events/Using_server-sent_events
615 4. JavaScript Object Notation (JSON) Text Sequences
617 https://tools.ietf.org/html/rfc7464
618 5. Message Catalog Developer Documentation
620 https://www.freedesktop.org/wiki/Software/systemd/catalog
621systemd 241 JOURNALCTL(1)