Journalclt¶

Command list fieldname journalctl fieldname=

journalctl <Tab><Tab>
_AUDIT_LOGINUID=             _HOSTNAME=                   SYSLOG_PID=
_AUDIT_SESSION=              _KERNEL_DEVICE=              _SYSTEMD_CGROUP=
_BOOT_ID=                    _KERNEL_SUBSYSTEM=           _SYSTEMD_OWNER_UID=
_CAP_EFFECTIVE=              _MACHINE_ID=                 _SYSTEMD_SESSION=
_CMDLINE=                    MESSAGE=                     _SYSTEMD_SLICE=
CODE_FILE=                   MESSAGE_ID=                  _SYSTEMD_UNIT=
CODE_FUNC=                   __MONOTONIC_TIMESTAMP=       _SYSTEMD_USER_UNIT=
CODE_LINE=                   _PID=                        _TRANSPORT=
_COMM=                       PRIORITY=                    _UDEV_DEVLINK=
COREDUMP_EXE=                __REALTIME_TIMESTAMP=        _UDEV_DEVNODE=
__CURSOR=                    _SELINUX_CONTEXT=            _UDEV_SYSNAME=
ERRNO=                       _SOURCE_REALTIME_TIMESTAMP=  _UID=
_EXE=                        SYSLOG_FACILITY=
_GID=                        SYSLOG_IDENTIFIER=

journalctl _UID=1000 _SYSTEMD_UNIT=avahi-daemon.service _SYSTEMD_UNIT=crond.service

Display logs by date¶

date
Tue Jul 12 08:15:32 ICT 2016

journalctl --since "2016-7-12 8:00:00"
-- Logs begin at Sat 2016-06-25 22:42:25 ICT, end at Tue 2016-07-12 08:15:52 ICT. --
Jul 12 08:01:01 localhost.localdomain CROND[26348]: (root) CMD (run-parts /etc/cron.hourly)
Jul 12 08:01:01 localhost.localdomain run-parts[26351]: (/etc/cron.hourly) starting 0anacron
Jul 12 08:01:01 localhost.localdomain run-parts[26357]: (/etc/cron.hourly) finished 0anacron


journalctl --since yesterday
journalctl --since "2016-7-12" --until "1 hours ago"

Displaying Logs by Unit or Service¶

journalctl -u sshd.service
journalctl -u sshd.service  --since "2016-7-12 7:00:00"  --untill "2016-7-12 8:00:00"

Displaying Logs by User or Group¶

id admin
uid=1000(admin) gid=1000(admin) groups=1000(admin),10(wheel),982(libvirt)
journalctl _UID=1000

Displaying Logs by Process ID¶

ps -ef | grep http
apache    1210  1101  0 Jul11 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
journalctl _PID=1210

Displaying Kernel Logs¶

journalctl -k
-- Logs begin at Sat 2016-06-25 22:42:25 ICT, end at Tue 2016-07-12 08:33:19 ICT. --
Jul 11 18:40:22 localhost.localdomain kernel: microcode: microcode updated early to revision 0x8a,
Jul 11 18:40:22 localhost.localdomain kernel: Linux version 4.6.3-300.fc24.x86_64 (mockbuild@bkerne

Displaying Logs Since Last Boot¶

journalctl -b

Displaying Logs by Priority¶

0: emerg 1: alert 2: critical 3: error 4: warning 5: notice 6: info 7: debug

journalctl -p 4
journalctl -p 3 -b
journalctl -p warning --since "2016-7-12 7:00:00"

Tailing or Following the Log¶

journalctl -f
journalctl -n        (10line default)
journalctl -n 50 -f