journalctl — Query the systemd journal
journalctl [OPTIONS...] [MATCHES...]
journalctl may be used to query the contents of the systemd(1) journal as written by systemd-journald.service(8).
If called without parameter will show the full contents of the journal, starting with the oldest entry collected.
If one or more match arguments are passed the
output is filtered accordingly. A match is in the
format FIELD=VALUE
,
e.g. _SYSTEMD_UNIT=httpd.service
,
referring to the components of a structured journal
entry. See
systemd.journal-fields(7)
for a list of well-known fields. If multiple matches
are specified matching different fields the log
entries are filtered by both, i.e. the resulting output
will show only entries matching all the specified
matches of this kind. If two matches apply to the same
field, then they are automatically matched as
alternatives, i.e. the resulting output will show
entries matching any of the specified matches for the
same field. Finally, if the character
"+
" appears as separate word on the
command line all matches before and after are combined
in a disjunction (i.e. logical OR).
Output is interleaved from all accessible journal files, whether they are rotated or currently being written, and regardless whether they belong to the system itself or are accessible user journals.
All users are granted access to their private
per-user journals. However, by default only root and
users who are members of the adm
group get access to the system journal and the
journals of other users.
The following options are understood:
--help
, -h
Prints a short help text and exits.
--version
Prints a short version string and exits.
--no-pager
Do not pipe output into a pager.
--all
, -a
Show all fields in full, even if they include unprintable characters or are very long.
--follow
, -f
Show only most recent journal entries, and continuously print new entries as they are appended to the journal.
--lines=
, -n
Controls the number of journal lines to show, counting from the most recent ones. Takes a positive integer argument. In follow mode defaults to 10, otherwise is unset thus not limiting how many lines are shown.
--no-tail
Show all stored output
lines, even in follow mode. Undoes the
effect of
--lines=
.
--output=
, -o
Controls the
formatting of the journal entries that
are shown. Takes one of
short
,
short-monotonic
,
verbose
,
export
,
json
,
cat
. short
is the default and generates an output
that is mostly identical to the
formatting of classic syslog log
files, showing one line per journal
entry. short-monotonic
is very similar but shows monotonic
timestamps instead of wallclock
timestamps. verbose
shows the full structured entry items
with all
fields. export
serializes the journal into a binary
(but mostly text-based) stream
suitable for backups and network
transfer (see Journal
Export Format for more
information). json
formats entries as JSON data
structures. cat
generates a very terse output only
showing the actual message of each
journal entry with no meta data, not
even a timestamp.
--quiet
, -q
Suppresses any warning message regarding inaccessible system journals when run as normal user.
--local
, -l
Show only locally generated messages.
--this-boot
, -b
Show data only from current boot.
--directory=
, -D
Takes an absolute directory path as argument. If specified will operate on the specified journal directory instead of the default runtime and system journal paths.
--new-id128
Instead of showing journal contents generate a new 128 bit ID suitable for identifying messages. This is intended for usage by developers who need a new identifier for a new message they introduce and want to make recognizable. Will print the new ID in three different formats which can be copied into source code or similar.
--header
Instead of showing journal contents show internal header information of the journal fiels accessed.
-p
, --priority=
Filter output by
message priorities or priority
ranges. Takes either a single numeric
or textual log level (i.e. between
0/emerg
and
7/debug
), or a
range of numeric/text log levels in
the form FROM..TO. The log levels are
the usual syslog log levels as
documented in
syslog(3),
i.e. emerg
(0),
alert
(1),
crit
(2),
err
(3),
warning
(4),
notice
(5),
info
(6),
debug
(7). If a
single log level is specified all
messages with this log levels or a
lower (hence more important) log level
are shown. If a range is specified all
messages within the range are shown,
including both the start and the end
value of the range.
$SYSTEMD_PAGER
Pager to use when
--no-pager
is not given;
overrides $PAGER
. Setting
this to an empty string or the value
cat
is equivalent to passing
--no-pager
.
Without arguments all collected logs are shown unfiltered:
journalctl
With one match specified all entries with a field matching the expression are shown:
journalctl _SYSTEMD_UNIT=avahi-daemon.service
If two different fields are matched only entries matching both expressions at the same time are shown:
journalctl _SYSTEMD_UNIT=avahi-daemon.service _PID=28097
If two matches refer to the same field all entries matching either expression are shown:
journalctl _SYSTEMD_UNIT=avahi-daemon.service _SYSTEMD_UNIT=dbus.service
If the separator "+
" is used
two expression may be combined in a logical OR. The
following will show all messages from the Avahi
service process with the PID 28097 plus all messages
from the D-Bus service (from any of its
processes):
journalctl _SYSTEMD_UNIT=avahi-daemon.service _PID=28097 + _SYSTEMD_UNIT=dbus.service