How to Check Logs Using journalctl in Linux


Logs are a crucial component of any Linux system, as they provide a record of system activity, including system events, user actions, and system processes. Log checking, or log monitoring, is the process of regularly reviewing log files to identify any unusual or suspicious activity, such as failed login attempts, system crashes, or security breaches. Log checking is important for maintaining the security and stability of a Linux system, as it allows administrators to quickly identify and troubleshoot problems, and detect and respond to potential security threats.

Basic journalctl Commands

journalctl is a command line utility for viewing and managing logs on a Linux system that uses the systemd initialization system. The journalctl command can be used to view and filter system logs, including logs for all system services, the kernel, and specific services or users. The command can be used to display the entire journal, view logs from a specific boot, or filter logs by date, time, user, process, and more.

Here are a few examples of using journalctl to view specific types of logs on a Linux system −

To view all logs for the nginx service −

journalctl -u nginx

To view authentication messages, including failed login attempts, filter on the authpriv syslog facility (facility number 10). Note that -p filters by priority alone, such as warning, and does not accept a facility.priority pair −

journalctl SYSLOG_FACILITY=10

On systemd 245 or newer, journalctl --facility=authpriv is equivalent.

To view all logs from the last reboot −

journalctl -b

To view all logs from the last week −

journalctl --since "1 week ago"

To view logs for specific time range −

journalctl --since "2022-10-01 00:00:00" --until "2022-10-15 23:59:59"

To search for entries whose message contains the string 'Error' (-g is short for --grep and takes a regular expression; -S is short for --since, not search) −

journalctl -g Error

A pattern that is entirely lowercase is matched case-insensitively; one containing uppercase letters, like this one, is matched case-sensitively.

Filtering by Date or Time

journalctl allows you to filter logs by date or time using the --since and --until options.

--since= (or -S): Show logs since a certain time. The time can be given as "YYYY-MM-DD HH:MM:SS" or "YYYY-MM-DDTHH:MM:SS", as a keyword such as "yesterday" or "now", or in a relative form such as "1 hour ago".

journalctl --since "2022-11-01 00:00:00"
journalctl -S "1 hour ago"

--until= (or -U): Show logs until a certain time, in the same formats as above.

journalctl --until "2022-11-01 00:00:00"
journalctl -U "1 hour ago"

You can use both options together to filter logs within a specific date/time range.

journalctl --since "2022-11-01 00:00:00" --until "2022-11-30 23:59:59"

It's important to note that, when using the --since and --until options, the time specified is inclusive and is interpreted in the local time zone unless --utc is also given.

Users and Processes

journalctl allows you to filter logs by user and process as well.

To filter logs by user, you can use the _UID field and give the user ID as the value.

journalctl _UID=1000

To filter logs by process, you can use the _PID field and give the process ID as the value.

journalctl _PID=1234

To filter logs by command, you can use the _COMM field and give the command name as the value.

journalctl _COMM=mycommand

To filter logs by executable, you can use the _EXE field and give the executable path as the value.

journalctl _EXE=/usr/bin/mycommand

You can also chain multiple fields and values to filter logs more specifically.

journalctl _UID=1000 _COMM=mycommand
journalctl _UID=1000 _PID=1234 _COMM=mycommand

It's important to note that, when filtering by user or process, journalctl returns the entries whose sender had that UID or PID: the fields beginning with an underscore are trusted fields that journald fills in from the sending process's credentials, so the process cannot forge them (unlike SYSLOG_IDENTIFIER or the message text, which the sender supplies itself).

You can also use _SYSTEMD_UNIT to filter logs by systemd unit; it shows the entries generated by processes belonging to that unit. The -u option shown earlier is a shorthand for this that additionally includes systemd's own messages about the unit (starts, stops, failures).

journalctl _SYSTEMD_UNIT=my.service
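As an added example (not part of the original article), the following POSIX shell script uses the distinction above: it reads `journalctl -o json` output and reports entries whose self-chosen SYSLOG_IDENTIFIER disagrees with the trusted _COMM field. The sample journal lines, process names and addresses are constructed; the field names are journald's own.

```sh
# Added example, not from the original article: cross-check the self-reported
# SYSLOG_IDENTIFIER against the trusted _COMM field in `journalctl -o json`
# output. Fields starting with "_" are filled in by journald from the sending
# process's credentials and cannot be forged by that process; SYSLOG_IDENTIFIER
# is chosen by the sender, so a mismatch is worth a look.

# Constructed sample of `journalctl -o json` lines (one JSON object per line).
SAMPLE_JOURNAL='{"SYSLOG_IDENTIFIER":"sshd","_COMM":"sshd","_UID":"0","_PID":"812","MESSAGE":"Accepted publickey for alice from 198.51.100.7 port 50122 ssh2"}
{"SYSLOG_IDENTIFIER":"sshd","_COMM":"logger","_UID":"1000","_PID":"4471","MESSAGE":"Accepted password for root from 203.0.113.9 port 2222 ssh2"}
{"SYSLOG_IDENTIFIER":"cron","_COMM":"cron","_UID":"0","_PID":"655","MESSAGE":"(root) CMD (run-parts /etc/cron.hourly)"}'

# json_field KEY: print the string value of KEY from one flat JSON line on stdin.
# Good enough for journalctl's flat objects; it does not handle escaped quotes.
json_field() {
    sed -n 's/.*"'"$1"'":"\([^"]*\)".*/\1/p'
}

# find_spoofed_identifiers: read JSON lines on stdin and print
# "PID COMM UID IDENT" for every entry whose identifier differs from _COMM.
# Legitimate mismatches exist (wrapper scripts, identifiers longer than the
# 15-character _COMM limit), so treat hits as triage leads, not proof.
find_spoofed_identifiers() {
    while IFS= read -r line; do
        ident=$(printf '%s\n' "$line" | json_field SYSLOG_IDENTIFIER)
        comm=$(printf '%s\n' "$line" | json_field _COMM)
        if [ -n "$ident" ] && [ -n "$comm" ] && [ "$ident" != "$comm" ]; then
            pid=$(printf '%s\n' "$line" | json_field _PID)
            uid=$(printf '%s\n' "$line" | json_field _UID)
            printf '%s %s %s %s\n' "$pid" "$comm" "$uid" "$ident"
        fi
    done
}

# On a live system:
#   journalctl -o json --no-pager --since "1 hour ago" | find_spoofed_identifiers
# Here the constructed sample is used instead.
printf '%s\n' "$SAMPLE_JOURNAL" | find_spoofed_identifiers
```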

Tailing and Following Logs

journalctl allows you to tail and follow logs in real-time using the -f or --follow option. When you use this option, journalctl will display new log entries as they are added to the journal.

journalctl -f

This command streams new entries as they are written to the journal, so you can keep an eye on your logs without refreshing manually.

You can use other options along with -f as well to filter the logs that you want to follow in real-time. For example, to follow the logs of a specific service in real-time, you can use the command −

journalctl -f -u myservice

This will stream new logs of myservice as they appear.

You can press Ctrl+C to exit follow mode and return to the normal shell prompt.

Additionally, you can combine the -n option with -f to choose how many of the most recent entries are printed before following begins.

journalctl -f -n 10

This command shows the 10 most recent entries and then keeps streaming new ones; -f does not exit on its own, so stop it with Ctrl+C.

Disabling the Pager to Get Direct Output

By default, journalctl uses a pager program like less or more to display log entries. This allows you to scroll through the logs one page at a time. However, if you prefer to see the logs in their entirety, you can disable the pager and get the direct output of the command using the --no-pager option.

journalctl --no-pager

This command will display all the logs on the screen.

You can also combine this option with others, such as following the logs or filtering by date or time.

journalctl --no-pager -f
journalctl --no-pager --since "1 hour ago"

Combined with other options, --no-pager prints the matching entries straight to standard output, which makes it convenient to redirect them to a file or pipe them into another command, like this −

journalctl --no-pager > /path/to/logfile.txt
journalctl --no-pager | grep -i error

Output Formats

journalctl allows you to specify the format of its output using the --output option. By default, journalctl outputs logs in a human-readable format that is easy to read and understand.

There are several formats that you can choose from −

json − Output the logs in JSON format. This format is machine-readable and can be easily parsed by scripts.

journalctl --output json

verbose − Output logs in a more detailed format that includes additional fields and metadata.

journalctl --output verbose

short − The default format: one syslog-style line per entry with timestamp, hostname, identifier, PID and message.

journalctl --output short

cat − Output only the message text of each entry, with no timestamp or other metadata; handy when piping messages into another tool.

journalctl --output cat

It's important to note that the output format determines which fields are shown: verbose and json include the metadata fields such as _UID and _COMM, while short and cat do not.

You can use this option along with other options to make the output specific to your needs.

journalctl --output json --since "1 hour ago" --until "now"

This can be useful when you want to analyze the logs using a script or external tool, or when you want to output the logs in a format that is more easily consumed by another application or service.
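As an added example (not from the original article), a shell script that consumes `journalctl -o json` output and tallies failed SSH password attempts per source address. The journal lines it parses are constructed (the message wording follows OpenSSH's "Failed password for ... from ADDR port ..." format, and the addresses come from the RFC 5737 documentation ranges); the field names are journald's own.

```sh
# Added example, not from the original article: summarise failed SSH password
# logins per source address from `journalctl -o json` output, the kind of
# scripted analysis the JSON format is meant for.

# Constructed sample of `journalctl -o json` lines.
SAMPLE_AUTH_LOG='{"_COMM":"sshd","MESSAGE":"Failed password for invalid user admin from 203.0.113.5 port 41022 ssh2"}
{"_COMM":"sshd","MESSAGE":"Failed password for root from 203.0.113.5 port 41030 ssh2"}
{"_COMM":"sshd","MESSAGE":"Accepted publickey for alice from 198.51.100.7 port 50122 ssh2"}
{"_COMM":"sshd","MESSAGE":"Failed password for alice from 198.51.100.7 port 50130 ssh2"}
{"_COMM":"sudo","MESSAGE":"alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx"}'

# failed_logins_by_source: read journalctl JSON lines on stdin and print
# "COUNT ADDRESS", most frequent first. Only entries whose trusted _COMM is
# sshd are counted, so a message that merely contains the words is ignored.
failed_logins_by_source() {
    awk '
        /"_COMM":"sshd"/ && /Failed password for/ {
            # Split on spaces and quotes; the token after "from" is the address.
            n = split($0, w, /[ "]+/)
            for (i = 1; i < n; i++)
                if (w[i] == "from") { count[w[i + 1]]++; break }
        }
        END { for (a in count) printf "%d %s\n", count[a], a }
    ' | sort -rn
}

# failed_login_alerts N: print only the addresses with at least N failures.
failed_login_alerts() {
    failed_logins_by_source | awk -v t="$1" '$1 + 0 >= t + 0 { print $2 }'
}

# On a live system:
#   journalctl -o json --no-pager --since "1 day ago" _COMM=sshd | failed_login_alerts 5
# Here the constructed sample is used instead.
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_login_alerts 2
```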

Conclusion

journalctl is a powerful tool for viewing and analyzing logs on a Linux system that uses the systemd initialization system. With journalctl, you can view logs for all system services and the kernel, as well as for specific services or users.

You can filter logs by different criteria such as date and time, user, process and more. You can also output the logs in different formats, like json or verbose, and you can also disable the pager to get the direct output of the command, or follow the logs in real-time using the -f option.

Updated on: 24-Jan-2023
