Essential System Tools: journalctl – query and display messages from the journal

This is the eighth in our series of articles highlighting essential system tools. These are small utilities, useful for system administrators as well as regular users of Linux based systems. The series examines both graphical and text based open source utilities. For this article, we’ll examine journalctl. For details of all tools in this series, please check the table in the summary section.

Systemd (stylized as systemd) is a suite of software that provides fundamental building blocks for Linux. It’s a Linux-specific system and service manager, offering an init system used to bootstrap the user space and to manage system processes after booting. The software provides  a standard process for controlling what programs run when a Linux system boots up. Systemd, was created by Red Hat’s Lennart Poettering and Kay Sievers. It provides more than running core programs. It also starts a journal of system activity, the network stack, a cron-style job scheduler, user logins, and many other jobs.

systemd has courted a lot of controversy with some legitimate concerns about its design details (for example, the decision to use binary logs), and debate about whether it extends its reach too far. Nevertheless, this system and service manager has been adopted by many popular Linux distributions such as Fedora, Ubuntu, Debian, openSUSE, and Arch. Why? Essentially, because it offers a fast boot-up, parallelizing the boot process, as well as being designed with security in mind with most daemons running at minimal privileges. It also unifies system objects, and offers a simple configuration file language.

journalctl is a systemd utility. If your system doesn’t use systemd, you’ll have little interest in this utility. But given most popular Linux distros have adopted systemd, it’s likely you’ll need journalctl at one stage or another. It’s common sense to understand the system you’re running, and this utility will help you in this process.

journalctl is used for querying and displaying messages from the journal. Since the journal comprises of one or more binary files, journalctl is the standard way to read messages from it.

Installation

If your Linux distribution uses systemd, journalctl will already be present on your system. It’s a command-line tool, so you won’t find it listed in a desktop environment system’s menu. But it’s available from the console, terminal emulator, or anywhere you can access a shell. Many applications give you shell access too e.g. RStudio.

In operation

Logging data is collected, stored, and processed by the Journal’s journald service. Depending on your distribution, Journal stores log files in memory, in a small ring-buffer in the /run/log/journal directory. It’s also possible for log data to be saved permanently if persistent storage is enabled. BleachBit offers the option to clean the log files. But journalctl offers functions for immediately removing archived journals on disk.

If you run the journalctl command without any flags, you’ll see all the logs in your journal.

journalctl

You’ll probably make more sense of the output by making use of the command’s various flags, which are displayed below.

journalctl
Click image to show all available options

journalctl displays logs in a format similar to the traditional syslog format. Each line starts with the date, followed by the server’s hostname, the process name, and the message for the log. Logs are displayed from oldest to newest, but the order can be reversed using the -r flag.

If you want to view a live log of new entries, use the -f flag. This lets you supervise the log messages in real time as new entries are continuously printed as they appear.

One of the most useful attributes of journalctl is to filter the log messages before they are displayed. You can output kernel messages only, filter output by message priorities, and/or messages that match a unit or pattern. Filters of different types can also be combined together to further narrow the output. And you can show logs within a time range.

Another flag that’s useful is -b, which shows messages from the last boot of your machine. It can also show messages from a specific boot. To list all journal log errors since the latest boot, type:

journalctl -p err -b

Another useful commands is:

journalctl -p2 -b -0

We’ll leave what that does as an exercise for the reader. Post in the comments box!

Summary

journalctl is a command that’s used to identify many errors and for troubleshooting purposes. It’s an essential way of solving any issues with your Linux system.

Website: freedesktop.org/wiki/Software/systemd
Support: Journal Export Format, Journal JSON Format, Cheat Sheet
Developer: Part of systemd
License: GNU Lesser General Public License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version


All the essential tools in this series:

Essential System Tools
ps_memAccurate reporting of software's memory consumption
gtopSystem monitoring dashboard
petSimple command-line snippet manager
AlacrittyInnovative, hardware-accelerated terminal emulator
inxiCommand-line system information tool that's a time-saver for everyone
BleachBitSystem cleaning software. Quick and easy way to service your computer
catfishVersatile file searching software
journalctlQuery and display messages from the journal
NmapNetwork security tool that builds a "map" of the network
ddrescueData recovery tool, retrieving data from failing drives as safely as possible
NeofetchSystem information tool written in Bash
TimeshiftSimilar to Windows' System Restore functionality, Time Machine Tool in Mac OS
GPartedResize, copy, and move partitions without data
ClonezillaPartition and disk cloning software
fdupesFind or delete duplicate files
KrusaderAdvanced, twin-panel (commander-style) file manager
nmonSystems administrator, tuner, and benchmark tool
f3Detect and fix counterfeit flash storage
QJournalctlGraphical User Interface for systemd’s journalctl
QDirStatQt-based directory statistics
FirejailRestrict the running environment of untrusted applications
VeraCryptStrong disk encryption software
UnisonConsole and graphical file synchronization software
hyperfineCommand-line benchmarking tool
TLPMust-have tool for anyone running Linux on a notebook
nnnPortable terminal file manager that's amazingly frugal
GlancesCross-platform system monitoring tool written in Python
CPU-XSystem profiler with both a GUI and text-based
VentoyCreate bootable USB drive for ISO/WIM/IMG/VHD(x)/EFI files
Share this article

Share your Thoughts

This site uses Akismet to reduce spam. Learn how your comment data is processed.