journalctl

A tool for retrieving systemd logs, only available in CentOS 7.

Syntax

journalctl [OPTIONS...] [MATCHES...]

Options

Flags:
     --system               # Display the system log
     --user                 # Display the user log of the current user
  -M --machine=CONTAINER    # Operate on a local container
  -S --since=DATE           # Display entries no older than the specified date
  -U --until=DATE           # Display entries no later than the specified date
  -c --cursor=CURSOR        # Display entries starting from the specified cursor
     --after-cursor=CURSOR  # Display entries after the specified cursor
     --show-cursor          # Print the cursor after all entries
  -b --boot[=ID]            # Display the current boot or the specified boot
     --list-boots           # Display concise information about recorded boots
  -k --dmesg                # Display the kernel message log from the current boot
  -u --unit=UNIT            # Display the log of the specified unit
  -t --identifier=STRING    # Display entries with the specified syslog identifier
  -p --priority=RANGE       # Display entries with the specified priority
  -e --pager-end            # Jump immediately to the end in the pager
  -f --follow               # Follow the journal
  -n --lines[=INTEGER]      # Number of log entries to display
     --no-tail              # Display all lines, even in follow mode
  -r --reverse              # Show the latest entries first
  -o --output=STRING        # Change the log output mode (short, short-iso,
                            #   short-precise, short-monotonic, verbose,
                            #   export, json, json-pretty, json-sse, cat)
     --utc                  # Express time in Coordinated Universal Time (UTC)
  -x --catalog              # Add message descriptions where available
     --no-full              # Ellipsize fields
  -a --all                  # Display all fields, including long and non-printable ones
  -q --quiet                # Do not display privilege warnings
     --no-pager             # Do not pipe output to a pager
  -m --merge                # Display entries from all available journals
  -D --directory=PATH       # Display log files from the directory
     --file=PATH            # Display the log file
     --root=ROOT            # Operate on catalog files underneath the root directory
     --interval=TIME        # Time interval for changing the FSS sealing key
     --verify-key=KEY       # Specify the FSS verification key
     --force                # Force overriding of the FSS key pair with --setup-keys

Commands:
  -h --help                 # Display this help text
     --version              # Display the package version
  -F --field=FIELD          # List all values of the specified field
     --new-id128            # Generate a new 128-bit ID
     --disk-usage           # Display total disk usage of all log files
     --vacuum-size=BYTES    # Reduce disk usage below the specified size
     --vacuum-time=TIME     # Delete log files older than the specified date
     --flush                # Flush all log data from /run to /var
     --header               # Display journal header information
     --list-catalog         # Display all message IDs in the catalog
     --dump-catalog         # Display entries in the message catalog
     --update-catalog       # Update the message catalog database
     --setup-keys           # Generate a new FSS key pair
     --verify               # Verify the consistency of the log file

Example

Filtered output

journalctl can filter the output based on specific fields. If many fields are being filtered, the output can take a long time to appear.

Example:

Display all logs from the current boot:

journalctl -b

However, what people usually care about is not the log from the current boot but the log from the previous boot (for example, when the system has just crashed). You can use the -b parameter:

Display only error, critical and alert priority messages:

journalctl -p err..alert

You can also use numbers: journalctl -p 3..1. With a single number or keyword, such as journalctl -p 3, all higher priorities are included as well.

Display messages starting from a certain date (or time):

journalctl --since="2012-10-30 18:17:16"

Display messages from a certain time (e.g. 20 minutes ago):

journalctl --since "20 min ago"

Show the latest messages and follow new ones:

journalctl -f

Show all messages for a specific program:

journalctl /usr/lib/systemd/systemd

Display all messages for a specific process:

journalctl _PID=1

Display all messages for a specified unit:

journalctl -u man-db.service

Display kernel ring buffer messages:

journalctl -k

Manually clear logs

The logs are stored in /var/log/journal, so rm should work. Alternatively, use journalctl.

For example:

Clean the logs so that the total size is less than 100M:

journalctl --vacuum-size=100M

Delete logs older than two weeks:

journalctl --vacuum-time=2weeks
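
Vacuuming deletes entries that may later be needed for incident review. The following added example (not part of the original page) verifies the journal, exports the entries older than the cutoff, and only then runs --vacuum-time; the function name and the default archive directory /var/log/journal-archive are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page. The function name and the
# default archive directory are assumptions; adjust them to local policy.

# archive_then_vacuum AGE [DIR]
#   AGE uses the same syntax as --vacuum-time (for example 2weeks).
#   Returns: 0 ok, 1 setup failed, 2 journal failed --verify, 3 export failed.
archive_then_vacuum() {
    atv_age="$1"
    atv_dir="${2:-/var/log/journal-archive}"   # assumed location
    atv_out="$atv_dir/journal-$(date -u +%Y%m%dT%H%M%SZ).export"

    [ -n "$atv_age" ] || { echo "usage: archive_then_vacuum AGE [DIR]" >&2; return 1; }
    mkdir -p "$atv_dir" && chmod 0700 "$atv_dir" || return 1

    # 1. Check journal consistency first. A failure here can mean corruption
    #    or tampering, so keep the files untouched for investigation.
    if ! journalctl --verify; then
        echo "journal verification failed; nothing was deleted" >&2
        return 2
    fi

    # 2. Export everything older than the cutoff. The export output mode
    #    keeps every field of each entry, unlike the default short mode.
    if ! journalctl --no-pager -o export --until="$atv_age ago" > "$atv_out"; then
        rm -f "$atv_out"
        return 3
    fi
    if [ ! -s "$atv_out" ]; then
        rm -f "$atv_out"    # no entries that old: nothing to archive or delete
        return 0
    fi

    # 3. Record a checksum so later changes to the archive are detectable.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$atv_out" > "$atv_out.sha256"
    fi

    # 4. Show current usage, then delete the old journal files.
    journalctl --disk-usage
    journalctl --vacuum-time="$atv_age"
}
```

Run it as root, for example: archive_then_vacuum 2weeks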