Cheatsheet & Examples: journalctl


I am a developer from Malaysia. I work with PHP most of the time, recently I fell in love with Go. When I am not working, I will be ballroom dancing :-)

I need a cheatsheet for the journalctl command.
journalctl is a command-line utility for querying and displaying logs collected by systemd-journald. It provides access to the system and service journals, allowing users to filter, tail, and analyze logs efficiently.

View All Logs

Example Usage:
journalctl

What it does:
Displays all logs from the system journal, including kernel, system, and service logs.

Command-line Arguments Explained:

  • (none): No arguments are required. The command defaults to showing all logs.

View Recent Logs

Example Usage:
journalctl -n 100

What it does:
Shows the most recent 100 log entries.

Command-line Arguments Explained:

  • -n: Specifies the number of log lines to display. -n 100 limits output to 100 entries.

Filter Logs by a Service Unit

Example Usage:
journalctl -u sshd.service

What it does:
Displays logs specifically related to the sshd.service unit.

Command-line Arguments Explained:

  • -u: Filters logs by the unit name (e.g., sshd.service).

View Logs from a Specific Time Range

Example Usage:
journalctl --since "2 hours ago" --until "1 hour ago"

What it does:
Limits logs to those recorded between two points in time (here, from 2 hours ago until 1 hour ago).

Command-line Arguments Explained:

  • --since: Starts from the specified time (e.g., "2 hours ago").
  • --until: Ends at the specified time (e.g., "1 hour ago").

View Logs from the Current Boot

Example Usage:
journalctl -b

What it does:
Displays logs from the current system boot.

Command-line Arguments Explained:

  • -b: Filters logs to the current boot session.

View Logs from the Previous Boot

Example Usage:
journalctl -b -1

What it does:
Shows logs from the previous boot (useful for troubleshooting issues from an earlier session).

Command-line Arguments Explained:

  • -b: Filters logs by boot session.
  • -1: Refers to the previous boot (use -1 for the previous boot, -2 for the one before that, etc.).

Monitor Logs in Real Time

Example Usage:
journalctl -f

What it does:
Continuously displays new log entries as they are added to the journal.

Command-line Arguments Explained:

  • -f: Follows new log entries in real time (similar to tail -f).

Search Logs for a Specific Keyword

Example Usage:
journalctl --grep "error"

What it does:
Filters logs to show only entries whose message matches the specified pattern ("error" in this case).

Command-line Arguments Explained:

  • --grep: Matches the MESSAGE field of each entry against a regular expression.

View Logs for the Current User

Example Usage:
journalctl --user

What it does:
Displays logs from the current user's journal (for that user's sessions and applications).

Command-line Arguments Explained:

  • --user: Switches to the user's journal instead of the system's.

View Kernel Ring Buffer Logs

Example Usage:
journalctl -k

What it does:
Shows only kernel messages (the ones dmesg prints) as recorded in the journal.

Command-line Arguments Explained:

  • -k: Shows only kernel messages. This implies -b, so output covers the current boot unless another boot is selected.

Display Logs in JSON Format

Example Usage:
journalctl --output=json

What it does:
Outputs logs in structured JSON format for easier parsing or integration with tools.

Command-line Arguments Explained:

  • --output: Sets the output format (e.g., json, json-pretty, cat, short, etc.).
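
One way to consume this JSON output from a script, as an added example that is not part of the original post: it counts failed SSH password attempts per source address and handles the cases where journalctl emits MESSAGE as a byte array or as null. The function names, the regular expression and the sample entries are constructed for illustration.

```python
import json
import re
import sys
from collections import Counter

# Constructed sample shaped like `journalctl -u sshd.service --output=json`
# (one JSON object per line; addresses are documentation ranges).
def _entry(message, unit="sshd.service"):
    return json.dumps({"__REALTIME_TIMESTAMP": "1696154400000000",
                       "PRIORITY": "6", "_SYSTEMD_UNIT": unit, "MESSAGE": message})

SAMPLE = "\n".join([
    _entry("Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2"),
    # A message with an escape byte: journalctl emits it as an array of byte values.
    _entry(list(b"Failed password for root from 203.0.113.7 port 50123 ssh2\x1b[0m")),
    _entry("Accepted publickey for deploy from 198.51.100.4 port 40022 ssh2"),
    _entry(None),  # oversized fields are emitted as null unless --all is given
    _entry("Failed password for root from 198.51.100.9 port 41000 ssh2"),
    _entry("Failed password for root from 192.0.2.1 port 1 ssh2", unit="other.service"),
])

FAILED = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+")

def message_text(entry):
    """Return MESSAGE as text, whichever of the JSON encodings was used."""
    msg = entry.get("MESSAGE")
    if isinstance(msg, list) and all(isinstance(b, int) for b in msg):
        return bytes(msg).decode("utf-8", errors="replace")
    return msg if isinstance(msg, str) else ""

def failed_logins(journal_json, unit="sshd.service"):
    """Count failed SSH password attempts per source address."""
    counts = Counter()
    for line in journal_json.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        if entry.get("_SYSTEMD_UNIT") != unit:
            continue
        match = FAILED.search(message_text(entry))
        if match:
            counts[match.group(1)] += 1
    return counts

if __name__ == "__main__":
    # Pipe real output in, or run without a pipe to use the constructed sample.
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for address, n in failed_logins(data).most_common():
        print(f"{n:5d}  {address}")
```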

Export Logs to a File

Example Usage:
journalctl --output=cat > /var/log/journal.txt

What it does:
Exports log data to a file (here, as plain text).

Command-line Arguments Explained:

  • --output=cat: Outputs only the message text of each entry, without timestamps or other metadata.
  • > /var/log/journal.txt: Redirects the output to a file.

View Logs for a Specific Executable

Example Usage:
journalctl --executable=/usr/bin/myapp

What it does:
Filters logs to show only entries generated by the specified executable.

Command-line Arguments Explained:

  • --executable: Restricts logs to those from the given binary path.

List All Boot Sessions

Example Usage:
journalctl --list-boots

What it does:
Shows a list of all boot sessions with their corresponding boot IDs and timestamps.

Command-line Arguments Explained:

  • --list-boots: Lists each boot's number relative to the current boot, its boot ID, and the timestamps of its first and last log entry.

Filter Logs by Priority Level

Example Usage:
journalctl --priority=err

What it does:
Shows only log entries with priority err or more severe (err, crit, alert, emerg).

Command-line Arguments Explained:

  • --priority: Filters logs by severity level (options include emerg, alert, crit, err, warning, notice, info, debug).

View Logs for a Specific Unit (with Time Range)

Example Usage:
journalctl -u nginx.service --since "2023-10-01 10:00:00" --until "2023-10-01 12:00:00"

What it does:
Displays logs from the nginx.service unit within a specific time window.

Command-line Arguments Explained:

  • -u: Filters logs by the unit name (nginx.service).
  • --since: Sets the starting time for the log filter.
  • --until: Sets the ending time for the log filter.

Filter Logs by Process ID

Example Usage:
journalctl _PID=1234

What it does:
Shows logs associated with process ID 1234.

Command-line Arguments Explained:

  • _PID=1234: Matches entries whose _PID field equals 1234. (-p is the short form of --priority and does not select a process.)

View Logs for a Specific User Session

Example Usage:
journalctl _SYSTEMD_SESSION=1

What it does:
Displays logs for the specified user session (e.g., session 1).

Command-line Arguments Explained:

  • _SYSTEMD_SESSION=1: Matches entries whose _SYSTEMD_SESSION field (the login session ID) equals 1.

Filter Logs by Message Content

Example Usage:
journalctl --all --output=cat | grep "Failed to start"

What it does:
Searches through all logs and filters lines containing "Failed to start".

Command-line Arguments Explained:

  • --all: Shows all fields in full, even if they contain unprintable characters or are very long.
  • --output=cat: Prints only the message text of each entry.
  • grep: External command used to filter output (not part of journalctl).
