How to Use journalctl to View and Manipulate Systemd Logs?

In Linux, many services run in the background and write to the systemd logs; these logs can be viewed with the “journalctl” command. It lets the user look for particular information, such as logs for a specific time, the most recent logs, run-time logs, service-specific information, etc.

This article covers the various uses of journalctl to view and manipulate the systemd logs:

journalctl to View systemd Logs

First, let’s explore how the “journalctl” command works, starting with its syntax:

Syntax:

$ journalctl [Options] [Service]

Use the “journalctl” keyword, followed by its “options” and the service name.

Example 1: View All Journalctl Logs

To retrieve all systemd logs using journalctl, type “journalctl” in the terminal with the “a” flag:

$ journalctl -a

All systemd logs will be printed.

Example 2: View Journalctl Logs For Particular Unit/Service/Daemons

To display “journalctl” logs for a particular unit or service, use the “u” flag with the service name; here we use “mysql.service”:

$ journalctl -u mysql.service

The logs for the “mysql” service have been listed.

Example 3: View Recent Journalctl Logs

To display the most recent logs (newly created) of the system, use the “n” option with “journalctl”:

$ journalctl -n

The most recent logs will be listed.

Example 4: View Run-time Journalctl Logs

To display the real-time (run-time) logs of the system, use the “f” flag, which means follow:

$ journalctl -f

After running the above command, the logs will be printed as the system receives them.

Example 5: View Disk Usage Journalctl Logs

To display the disk usage of the journalctl logs, use the following command in the terminal:

$ journalctl --disk-usage

The disk usage of the logs will be listed.

Example 6: View Journalctl Logs For Particular Time

You can also display the logs for a specific time, such as yesterday, using the following command:

$ journalctl --since yesterday

All the logs created yesterday will be listed.

The user can specify the time according to their choice in minutes, hours, and days.

Example 7: View Journalctl Logs For System Boots

To display the boot time logs of the system, use the “b” flag in the command:

$ journalctl -b

The boot time logs have been printed.

You can also list when your system booted previously. To do so, use the following command:

$ journalctl --list-boots

The output shows the last boot of the system.

Example 8: View Kernel-Related Journalctl Logs

To view the Kernel-related logs of the system, utilize the “k” flag in the command:

$ journalctl -k

The logs related to the Kernel have been listed.

Example 9: Change the Journalctl Logs Output Format

The user can display any of the above outputs in various formats such as JSON. To do so, modify the command with the “o” flag and specify the format name:

$ journalctl -k -o json

The logs will be printed in the “JSON” format.

You can view it in the “json-pretty” (human-readable) format for easy understanding:

$ journalctl -k -o json-pretty

The logs have been listed in the human-readable format now.
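The JSON output is meant for programs rather than for reading, so here is an added example (not from the original article) that parses it in Python. The sample lines are constructed, the function names are hypothetical, and the field names (__REALTIME_TIMESTAMP, PRIORITY, SYSLOG_IDENTIFIER, MESSAGE) are standard journal JSON fields that the article itself does not name. It handles the two cases that break naive parsers: MESSAGE delivered as a list of byte values (non-UTF-8 data) or as null (field too large).

```python
import json
from datetime import datetime, timezone

# Constructed sample: three lines shaped like `journalctl -k -o json` output.
SAMPLE = "\n".join([
    '{"__REALTIME_TIMESTAMP":"1700000000000000","PRIORITY":"6","SYSLOG_IDENTIFIER":"kernel","MESSAGE":"usb 1-1: new device"}',
    '{"__REALTIME_TIMESTAMP":"1700000001500000","PRIORITY":"3","SYSLOG_IDENTIFIER":"kernel","MESSAGE":[98,97,100,32,255,32,98,108,111,99,107]}',
    '{"__REALTIME_TIMESTAMP":"1700000002000000","PRIORITY":"4","SYSLOG_IDENTIFIER":"kernel","MESSAGE":null}',
])

def decode_message(value):
    """Normalise MESSAGE to text: journald emits a string, a list of byte
    values (non-UTF-8 data) or null (field too large for JSON output)."""
    if value is None:
        return "<omitted>"
    if isinstance(value, list):
        if all(isinstance(b, int) for b in value):
            return bytes(value).decode("utf-8", errors="replace")
        return " | ".join(map(str, value))  # field repeated within one entry
    return value

def parse_journal(text):
    """Yield (utc_time, priority, identifier, message) for each JSON line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        micros = int(entry["__REALTIME_TIMESTAMP"])  # microseconds since epoch
        when = datetime.fromtimestamp(micros / 1_000_000, tz=timezone.utc)
        yield (when, int(entry.get("PRIORITY", 6)),
               entry.get("SYSLOG_IDENTIFIER", "?"), decode_message(entry.get("MESSAGE")))

def errors_or_worse(text, threshold=3):
    """Entries at syslog priority <= threshold (3 = err; lower is more severe)."""
    return [e for e in parse_journal(text) if e[1] <= threshold]

if __name__ == "__main__":
    for when, prio, ident, msg in parse_journal(SAMPLE):
        print(when.isoformat(), prio, ident, msg)
```

To run it against live data, replace SAMPLE with the captured output of the “journalctl -k -o json” command shown above.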

How to Manipulate the systemd Logs Using journalctl?

Manipulation refers to altering the logs as per the requirement of the system/administrator. Some examples of manipulation are listed below:

Example 1: Limit and Delete the Journalctl Logs

To delete the journalctl logs, limit the size of the journal, for example to 10M. You can use the “vacuum-size” flag to limit the size. Limiting the size of the journalctl logs to 10M will stop them from using more space but will not delete the existing files:

$ sudo journalctl --vacuum-size=10M

The log size has been reduced to “10M”.

Now, delete the old journalctl logs using the “vacuum-time” flag and specify the time in days, months, or years. Here we delete the logs older than 1 month:

$ sudo journalctl --vacuum-time=1month

The old logs will be deleted.

Conclusion

The journalctl command is the built-in utility to retrieve systemd logs with respect to time, service, boot time, Kernel-related tasks, etc. Users can delete the logs by limiting the journal log size and deleting the old logs.

This write-up has illustrated the use of journalctl to view and manipulate systemd logs.