diff --git a/man/journalctl.xml b/man/journalctl.xml index e226663a51..97b781a4c7 100644 --- a/man/journalctl.xml +++ b/man/journalctl.xml 
@@ -3,723 +3,111 @@ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"> - - - - journalctl - systemd - - - - journalctl - 1 - - - - journalctl - Query the systemd journal - - - - - journalctl - OPTIONS - MATCHES - - - - - Description - - journalctl may be used to query the - contents of the - systemd1 - journal as written by - systemd-journald.service8. - - If called without parameters, it will show the full - contents of the journal, starting with the oldest entry - collected. - - If one or more match arguments are passed, the output is - filtered accordingly. A match is in the format - FIELD=VALUE, - e.g. _SYSTEMD_UNIT=httpd.service, referring - to the components of a structured journal entry. See - systemd.journal-fields7 - for a list of well-known fields. If multiple matches are - specified matching different fields, the log entries are - filtered by both, i.e. the resulting output will show only - entries matching all the specified matches of this kind. If two - matches apply to the same field, then they are automatically - matched as alternatives, i.e. the resulting output will show - entries matching any of the specified matches for the same - field. Finally, the character + may appear - as a separate word between other terms on the command line. This - causes all matches before and after to be combined in a - disjunction (i.e. logical OR). - - It is also possible to filter the entries by specifying an - absolute file path as an argument. The file path may be a file or - a symbolic link and the file must exist at the time of the query. If a - file path refers to an executable binary, an _EXE= - match for the canonicalized binary path is added to the query. If a - file path refers to an executable script, a _COMM= - match for the script name is added to the query. If a file path - refers to a device node, _KERNEL_DEVICE= matches for - the kernel name of the device and for each of its ancestor devices is - added to the query. 
Symbolic links are dereferenced, kernel names are - synthesized, and parent devices are identified from the environment at - the time of the query. In general, a device node is the best proxy for - an actual device, as log entries do not usually contain fields that - identify an actual device. For the resulting log entries to be correct - for the actual device, the relevant parts of the environment at the time - the entry was logged, in particular the actual device corresponding to - the device node, must have been the same as those at the time of the - query. Because device nodes generally change their corresponding devices - across reboots, specifying a device node path causes the resulting - entries to be restricted to those from the current boot. - - Additional constraints may be added using options - , , etc., to - further limit what entries will be shown (logical AND). - - Output is interleaved from all accessible journal files, whether they are rotated or currently - being written, and regardless of whether they belong to the system itself or are accessible user - journals. The option can be used to identify which files - are being shown. - - The set of journal files which will be used can be - modified using the , - , , and - options, see below. - - All users are granted access to their private per-user - journals. However, by default, only root and users who are - members of a few special groups are granted access to the system - journal and the journals of other users. Members of the groups - systemd-journal, adm, and - wheel can read all journal files. Note - that the two latter groups traditionally have additional - privileges specified by the distribution. Members of the - wheel group can often perform administrative - tasks. - - The output is paged through less by - default, and long lines are "truncated" to screen width. The - hidden part can be viewed by using the left-arrow and - right-arrow keys. 
Paging can be disabled; see the - option and the "Environment" section - below. - - When outputting to a tty, lines are colored according to - priority: lines of level ERROR and higher are colored red; lines - of level NOTICE and higher are highlighted; lines of level DEBUG - are colored lighter grey; other lines are displayed normally. - - - - Options - - The following options are understood: - - - - - - - - Ellipsize fields when they do not fit in - available columns. The default is to show full fields, - allowing them to wrap or be truncated by the pager, if one - is used. - - The old options - / are not useful - anymore, except to undo . - - - - - - - - Show all fields in full, even if they include unprintable characters or are very long. By - default, fields with unprintable characters are abbreviated as "blob data". (Note that the pager may escape - unprintable characters again.) - - - - - - - Show only the most recent journal entries, - and continuously print new entries as they are appended to - the journal. - - - - - - - Immediately jump to the end of the journal - inside the implied pager tool. This implies - to guarantee that the pager will not - buffer logs of unbounded size. This may be overridden with - an explicit with some other numeric - value, while will disable this cap. - Note that this option is only supported for the - less1 - pager. - - - - - - - Show the most recent journal events and - limit the number of events shown. If - is used, this option is - implied. The argument is a positive integer or - all to disable line limiting. The default - value is 10 if no argument is given. - - - - - - Show all stored output lines, even in follow - mode. Undoes the effect of . - - - - - - - - Reverse output so that the newest entries - are displayed first. - - - - - - - Controls the formatting of the journal - entries that are shown. 
Takes one of the following - options: - - - - - - - is the default and generates an output that is - mostly identical to the formatting of classic syslog - files, showing one line per journal entry. - - - - - - - - - is very similar, but shows timestamps in the format the and - options accept. Unlike the timestamp information shown in - output mode this mode includes weekday, year and timezone information in the - output, and is locale-independent. - - - - - - - - - is very similar, but shows ISO 8601 wallclock - timestamps. - - - - - - - - - as for but includes full - microsecond precision. - - - - - - - - - is very similar, but shows classic syslog timestamps - with full microsecond precision. - - - - - - - - - is very similar, but shows monotonic timestamps - instead of wallclock timestamps. - - - - - - - - - is very similar, but shows seconds passed since January 1st 1970 UTC instead of wallclock - timestamps ("UNIX time"). The time is shown with microsecond accuracy. - - - - - - - - - shows the full-structured entry items with all - fields. - - - - - - - - - serializes the journal into a binary (but mostly - text-based) stream suitable for backups and network - transfer (see - Journal Export Format - for more information). To import the binary stream back - into native journald format use - systemd-journal-remote8. - - - - - - - - - formats entries as JSON objects, separated by newline characters (see Journal JSON Format for more - information). Field values are generally encoded as JSON strings, with three exceptions: - - Fields larger than 4096 bytes are encoded as null values. (This - may be turned off by passing , but be aware that this may allocate overly long - JSON objects.) - - Journal entries permit non-unique fields within the same log entry. JSON does not allow - non-unique fields within objects. Due to this, if a non-unique field is encountered a JSON array is - used as field value, listing all field values as elements. 
- - Fields containing non-printable or non-UTF8 bytes are encoded as arrays containing - the raw bytes individually formatted as unsigned numbers. - - - Note that this encoding is reversible (with the exception of the size limit). - - - - - - - - - formats entries as JSON data structures, but - formats them in multiple lines in order to make them - more readable by humans. - - - - - - - - - formats entries as JSON data structures, but wraps - them in a format suitable for - Server-Sent Events. - - - - - - - - - - formats entries as JSON data structures, but prefixes them with an ASCII Record Separator - character (0x1E) and suffixes them with an ASCII Line Feed character (0x0A), in accordance with JavaScript Object Notation (JSON) Text Sequences - (application/json-seq). - - - - - - - - - - generates a very terse output, only showing the actual message of each journal entry - with no metadata, not even a timestamp. If combined with the - option will output the listed fields for each log record, - instead of the message. - - - - - - - - - similar to short-full, but prefixes the unit and - user unit names instead of the traditional syslog - identifier. Useful when using templated instances, as it - will include the arguments in the unit names. - - - - - - - - - - A comma separated list of the fields which should be included in the output. This has - an effect only for the output modes which would normally show all fields (, - , , , - and ), as well as on . For the - former, the __CURSOR, __REALTIME_TIMESTAMP, - __MONOTONIC_TIMESTAMP, and _BOOT_ID fields are always - printed. - - - - - - Express time in Coordinated Universal Time - (UTC). - - - - - - Don't show the hostname field of log messages originating from the local host. This - switch has an effect only on the family of output modes (see above). - - - Note: this option does not remove occurrences of the hostname from log entries themselves, so - it does not prevent the hostname from being visible in the logs. 
- - - - - - - - Augment log lines with explanation texts from - the message catalog. This will add explanatory help texts to - log messages in the output where this is available. These - short help texts will explain the context of an error or log - event, possible solutions, as well as pointers to support - forums, developer documentation, and any other relevant - manuals. Note that help texts are not available for all - messages, but only for selected ones. For more information on - the message catalog, please refer to the - Message Catalog Developer Documentation. - - Note: when attaching journalctl - output to bug reports, please do not use - . - - - - - - - - Suppresses all informational messages - (i.e. "-- Journal begins at …", "-- Reboot --"), - any warning messages regarding - inaccessible system journals when run as a normal - user. - - - - - - - Show entries interleaved from all available - journals, including remote ones. - - - - - - - Show messages from a specific boot. This will - add a match for _BOOT_ID=. - - The argument may be empty, in which case logs for the - current boot will be shown. - - If the boot ID is omitted, a positive - offset will look up the boots - starting from the beginning of the journal, and an - equal-or-less-than zero offset will - look up boots starting from the end of the journal. Thus, - 1 means the first boot found in the - journal in chronological order, 2 the - second and so on; while -0 is the last - boot, -1 the boot before last, and so - on. An empty offset is equivalent - to specifying -0, except when the current - boot is not the last boot (e.g. because - was specified to look at logs - from a different machine). - - If the 32-character ID is - specified, it may optionally be followed by - offset which identifies the boot - relative to the one given by boot - ID. Negative values mean earlier - boots and positive values mean later boots. 
If - offset is not specified, a value of - zero is assumed, and the logs for the boot given by - ID are shown. - - The special argument all can be - used to negate the effect of an earlier use of - . - - - - - - - Show a tabular list of boot numbers (relative to - the current boot), their IDs, and the timestamps of the first - and last message pertaining to the boot. - - - - - - - Show only kernel messages. This implies - and adds the match - _TRANSPORT=kernel. - - - - - - - Show messages for the specified syslog - identifier - SYSLOG_IDENTIFIER. - - This parameter can be specified multiple - times. - - - - - - - Show messages for the specified systemd unit - UNIT (such as a service unit), or - for any of the units matched by - PATTERN. If a pattern is - specified, a list of unit names found in the journal is - compared with the specified pattern and all that match are - used. For each unit name, a match is added for messages from - the unit - (_SYSTEMD_UNIT=UNIT), - along with additional matches for messages from systemd and - messages about coredumps for the specified unit. A match - is also added for _SYSTEMD_SLICE=UNIT, - such that if the provided UNIT is a - systemd.slice5 - unit, all logs of children of the slice will be shown. - - - This parameter can be specified multiple times. - - - - - - - Show messages for the specified user session - unit. This will add a match for messages from the unit - (_SYSTEMD_USER_UNIT= and - _UID=) and additional matches for messages - from session systemd and messages about coredumps for the - specified unit. A match - is also added for _SYSTEMD_USER_SLICE=UNIT, - such that if the provided UNIT is a - systemd.slice5 - unit, all logs of children of the unit will be shown. - - This parameter can be specified multiple times. - - - - - - - - Filter output by message priorities or - priority ranges. Takes either a single numeric or textual log - level (i.e. 
between 0/emerg and - 7/debug), or a range of numeric/text log - levels in the form FROM..TO. The log levels are the usual - syslog log levels as documented in - syslog3, - i.e. emerg (0), - alert (1), crit (2), - err (3), warning (4), - notice (5), info (6), - debug (7). If a single log level is - specified, all messages with this log level or a lower (hence - more important) log level are shown. If a range is specified, - all messages within the range are shown, including both the - start and the end value of the range. This will add - PRIORITY= matches for the specified - priorities. - - - - - - Filter output by syslog facility. Takes a comma-separated list of numbers or facility - names. The names are the usual syslog facilities as documented in - syslog3. - may be used to display a list of known facility names and exit. - - - - - - - - Filter output to entries where the MESSAGE= - field matches the specified regular expression. PERL-compatible regular expressions - are used, see - pcre2pattern3 - for a detailed description of the syntax. - - If the pattern is all lowercase, matching is case insensitive. - Otherwise, matching is case sensitive. This can be overridden with the - option, see below. - - - - - - - Make pattern matching case sensitive or case insensitive. - - - - - - - - Start showing entries from the location in the - journal specified by the passed cursor. - - - - - - If FILE exists and contains a - cursor, start showing entries after this location. - Otherwise show entries according to the other given options. At the end, - write the cursor of the last entry to FILE. Use - this option to continually read the journal by sequentially calling - journalctl. - - - - - - Start showing entries from the location in the - journal after the location specified by - the passed cursor. The cursor is shown when the - option is used. 
- - - - - - - The cursor is shown after the last entry after - two dashes: - -- cursor: s=0639… - The format of the cursor is private - and subject to change. - - - - - - - - - Start showing entries on or newer than the specified date, or on or older than the specified - date, respectively. Date specifications should be of the format 2012-10-30 18:17:16. If the - time part is omitted, 00:00:00 is assumed. If only the seconds component is omitted, - :00 is assumed. If the date component is omitted, the current day is assumed. Alternatively - the strings yesterday, today, tomorrow are understood, - which refer to 00:00:00 of the day before the current day, the current day, or the day after the current day, - respectively. now refers to the current time. Finally, relative times may be specified, - prefixed with - or +, referring to times before or after the current - time, respectively. For complete time and date specification, see - systemd.time7. Note that - prints timestamps that follow precisely this format. - - - - - - - - - Print all possible data values the specified - field can take in all entries of the journal. - - - - - - - Print all field names currently used in all entries of the journal. - - + + + + journalctl + systemd + + + + journalctl + 1 + + + + journalctl + Query the systemd journal + + + + + journalctl + OPTIONS + MATCHES + + + + + Description + + journalctl may be used to query the contents of the + systemd1 journal as + written by + systemd-journald.service8. + + If called without parameters, it will show the full contents of the journal, starting with the + oldest entry collected. + + If one or more match arguments are passed, the output is filtered accordingly. A match is in the + format FIELD=VALUE, e.g. _SYSTEMD_UNIT=httpd.service, referring to + the components of a structured journal entry. See + systemd.journal-fields7 + for a list of well-known fields. 
If multiple matches are specified matching different fields, the log + entries are filtered by both, i.e. the resulting output will show only entries matching all the specified + matches of this kind. If two matches apply to the same field, then they are automatically matched as + alternatives, i.e. the resulting output will show entries matching any of the specified matches for the + same field. Finally, the character + may appear as a separate word between other terms + on the command line. This causes all matches before and after to be combined in a disjunction + (i.e. logical OR). + + It is also possible to filter the entries by specifying an absolute file path as an argument. The + file path may be a file or a symbolic link and the file must exist at the time of the query. If a file + path refers to an executable binary, an _EXE= match for the canonicalized binary path + is added to the query. If a file path refers to an executable script, a _COMM= match + for the script name is added to the query. If a file path refers to a device node, + _KERNEL_DEVICE= matches for the kernel name of the device and for each of its ancestor + devices is added to the query. Symbolic links are dereferenced, kernel names are synthesized, and parent + devices are identified from the environment at the time of the query. In general, a device node is the + best proxy for an actual device, as log entries do not usually contain fields that identify an actual + device. For the resulting log entries to be correct for the actual device, the relevant parts of the + environment at the time the entry was logged, in particular the actual device corresponding to the device + node, must have been the same as those at the time of the query. Because device nodes generally change + their corresponding devices across reboots, specifying a device node path causes the resulting entries to + be restricted to those from the current boot. 
+ + Additional constraints may be added using options , + , etc., to further limit what entries will be shown (logical AND). + + Output is interleaved from all accessible journal files, whether they are rotated or currently + being written, and regardless of whether they belong to the system itself or are accessible user + journals. The option can be used to identify which files + are being shown. + + The set of journal files which will be used can be modified using the , + , , and options, see + below. + + All users are granted access to their private per-user journals. However, by default, only root and + users who are members of a few special groups are granted access to the system journal and the journals + of other users. Members of the groups systemd-journal, adm, and + wheel can read all journal files. Note that the two latter groups traditionally have + additional privileges specified by the distribution. Members of the wheel group can + often perform administrative tasks. + + The output is paged through less by default, and long lines are "truncated" to + screen width. The hidden part can be viewed by using the left-arrow and right-arrow keys. Paging can be + disabled; see the option and the "Environment" section below. + + When outputting to a tty, lines are colored according to priority: lines of level ERROR and higher + are colored red; lines of level NOTICE and higher are highlighted; lines of level DEBUG are colored + lighter grey; other lines are displayed normally. + + + + Source Options + + The following options control where to read journal records from: + + - Show messages from system services and the - kernel (with ). Show messages from - service of current user (with ). If - neither is specified, show all messages that the user can see. + Show messages from system services and the kernel (with + ). Show messages from service of current user (with + ). If neither is specified, show all messages that the user can see. 
@@ -727,29 +115,33 @@ - Show messages from a running, local - container. Specify a container name to connect to. - + Show messages from a running, local container. Specify a container name to connect + to. + + + + + + + Show entries interleaved from all available journals, including remote + ones. - Takes a directory path as argument. If - specified, journalctl will operate on the specified journal - directory DIR instead of the - default runtime and system journal paths. + Takes a directory path as argument. If specified, journalctl will operate on the + specified journal directory DIR instead of the default runtime and system + journal paths. - Takes a file glob as an argument. If - specified, journalctl will operate on the specified journal - files matching GLOB instead of the - default runtime and system journal paths. May be specified - multiple times, in which case files will be suitably + Takes a file glob as an argument. If specified, journalctl will operate on the + specified journal files matching GLOB instead of the default runtime and + system journal paths. May be specified multiple times, in which case files will be suitably interleaved. 
@@ -790,23 +182,527 @@ journal namespaces see systemd-journald.service8. + + + + + Filtering Options + + The following options control how to filter journal records: + + + + + + + + + Start showing entries on or newer than the specified date, or on or older than the + specified date, respectively. Date specifications should be of the format 2012-10-30 + 18:17:16. If the time part is omitted, 00:00:00 is assumed. If only + the seconds component is omitted, :00 is assumed. If the date component is + omitted, the current day is assumed. Alternatively the strings yesterday, + today, tomorrow are understood, which refer to 00:00:00 of the + day before the current day, the current day, or the day after the current day, + respectively. now refers to the current time. Finally, relative times may be + specified, prefixed with - or +, referring to times before or + after the current time, respectively. For complete time and date specification, see + systemd.time7. Note + that prints timestamps that follow precisely this format. + + - + + - Instead of showing journal contents, show internal header information of the journal - fields accessed. + Start showing entries from the location in the journal specified by the passed + cursor. + - This option is particularly useful when trying to identify out-of-order journal entries, as - happens for example when the machine is booted with the wrong system time. + + + + Start showing entries from the location in the journal after + the location specified by the passed cursor. The cursor is shown when the + option is used. + + + + + + If FILE exists and contains a cursor, start showing + entries after this location. Otherwise show entries according to the other + given options. At the end, write the cursor of the last entry to + FILE. Use this option to continually read the journal by sequentially + calling journalctl. + + + + + + + Show messages from a specific boot. This will add a match for + _BOOT_ID=. 
+ + The argument may be empty, in which case logs for the current boot will be shown. + + If the boot ID is omitted, a positive offset will look up the boots + starting from the beginning of the journal, and an equal-or-less-than zero + offset will look up boots starting from the end of the journal. Thus, + 1 means the first boot found in the journal in chronological order, + 2 the second and so on; while -0 is the last boot, + -1 the boot before last, and so on. An empty offset + is equivalent to specifying -0, except when the current boot is not the last + boot (e.g. because was specified to look at logs from a different + machine). + + If the 32-character ID is specified, it may optionally be followed + by offset which identifies the boot relative to the one given by boot + ID. Negative values mean earlier boots and positive values mean later + boots. If offset is not specified, a value of zero is assumed, and the + logs for the boot given by ID are shown. + + The special argument all can be used to negate the effect of an earlier + use of . + + + + + + + Show messages for the specified systemd unit UNIT (such as + a service unit), or for any of the units matched by PATTERN. If a pattern + is specified, a list of unit names found in the journal is compared with the specified pattern and + all that match are used. For each unit name, a match is added for messages from the unit + (_SYSTEMD_UNIT=UNIT), along with additional matches for + messages from systemd and messages about coredumps for the specified unit. A match is also added for + _SYSTEMD_SLICE=UNIT, such that if the provided + UNIT is a + systemd.slice5 + unit, all logs of children of the slice will be shown. + + This parameter can be specified multiple times. + + + + + + Show messages for the specified user session unit. 
This will add a match for messages + from the unit (_SYSTEMD_USER_UNIT= and _UID=) and additional + matches for messages from session systemd and messages about coredumps for the specified unit. A + match is also added for _SYSTEMD_USER_SLICE=UNIT, such + that if the provided UNIT is a + systemd.slice5 + unit, all logs of children of the unit will be shown. + + This parameter can be specified multiple times. + + + + + + + Show messages for the specified syslog identifier + SYSLOG_IDENTIFIER. + + This parameter can be specified multiple times. + + + + + + + Filter output by message priorities or priority ranges. Takes either a single numeric + or textual log level (i.e. between 0/emerg and 7/debug), or a + range of numeric/text log levels in the form FROM..TO. The log levels are the usual syslog log levels + as documented in syslog3, + i.e. emerg (0), alert (1), crit (2), + err (3), warning (4), notice (5), + info (6), debug (7). If a single log level is specified, all + messages with this log level or a lower (hence more important) log level are shown. If a range is + specified, all messages within the range are shown, including both the start and the end value of the + range. This will add PRIORITY= matches for the specified + priorities. + + + + + + Filter output by syslog facility. Takes a comma-separated list of numbers or + facility names. The names are the usual syslog facilities as documented in syslog3. + may be used to display a list of known facility names and exit. + + + + + + + + Filter output to entries where the MESSAGE= field matches the + specified regular expression. PERL-compatible regular expressions are used, see pcre2pattern3 + for a detailed description of the syntax. + + If the pattern is all lowercase, matching is case insensitive. Otherwise, matching is case + sensitive. This can be overridden with the option, see + below. + + + + + + Make pattern matching case sensitive or case insensitive. + + + + + + + Show only kernel messages. 
This implies and adds the match + _TRANSPORT=kernel. + + + + + + Output Options + + The following options control how journal records are printed: + + + + + + + Controls the formatting of the journal entries that are shown. Takes one of the + following options: + + + + + is the default and generates an output that is mostly identical to the + formatting of classic syslog files, showing one line per journal entry. + + + + + is very similar, but shows timestamps in the format the + and options accept. Unlike the timestamp + information shown in output mode this mode includes weekday, year and + timezone information in the output, and is locale-independent. + + + + + is very similar, but shows ISO 8601 wallclock timestamps. + + + + + as for but includes full microsecond + precision. + + + + + is very similar, but shows classic syslog timestamps with full microsecond + precision. + + + + + is very similar, but shows monotonic timestamps instead of wallclock + timestamps. + + + + + is very similar, but shows seconds passed since January 1st 1970 UTC instead of + wallclock timestamps ("UNIX time"). The time is shown with microsecond accuracy. + + + + + shows the full-structured entry items with all fields. + + + + + serializes the journal into a binary (but mostly text-based) stream suitable + for backups and network transfer (see Journal Export + Format for more information). To import the binary stream back into native journald + format use + systemd-journal-remote8. + + + + + formats entries as JSON objects, separated by newline characters (see Journal JSON Format + for more information). Field values are generally encoded as JSON strings, with three exceptions: + + Fields larger than 4096 bytes are encoded as null + values. (This may be turned off by passing , but be aware that this may + allocate overly long JSON objects.) + + Journal entries permit non-unique fields within the same log entry. JSON does + not allow non-unique fields within objects. 
Due to this, if a non-unique field is encountered a + JSON array is used as field value, listing all field values as elements. + + Fields containing non-printable or non-UTF8 bytes are encoded as arrays + containing the raw bytes individually formatted as unsigned numbers. + + + Note that this encoding is reversible (with the exception of the size limit). + + + + + formats entries as JSON data structures, but formats them in multiple lines in + order to make them more readable by humans. + + + + + formats entries as JSON data structures, but wraps them in a format suitable for + Server-Sent + Events. + + + + + formats entries as JSON data structures, but prefixes them with an ASCII Record + Separator character (0x1E) and suffixes them with an ASCII Line Feed character (0x0A), in + accordance with JavaScript Object Notation + (JSON) Text Sequences (application/json-seq). + + + + + generates a very terse output, only showing the actual message of each journal + entry with no metadata, not even a timestamp. If combined with the + option will output the listed fields for each log record, + instead of the message. + + + + + similar to short-full, but prefixes the unit and user unit names instead of the + traditional syslog identifier. Useful when using templated instances, as it will include the + arguments in the unit names. + + + + + + + + A comma separated list of the fields which should be included in the output. This + has an effect only for the output modes which would normally show all fields + (, , , + , and ), as well as + on . For the former, the __CURSOR, + __REALTIME_TIMESTAMP, __MONOTONIC_TIMESTAMP, and + _BOOT_ID fields are always printed. + + + + + + + Show the most recent journal events and limit the number of events shown. If + is used, this option is implied. The argument is a positive integer or + all to disable line limiting. The default value is 10 if no argument is + given. 
+ + + + + + + Reverse output so that the newest entries are displayed first. + + + + + + The cursor is shown after the last entry after two dashes: + -- cursor: s=0639… + The format of the cursor is private and subject to change. + + + + + + Express time in Coordinated Universal Time (UTC). + + + + + + + Augment log lines with explanation texts from the message catalog. This will add + explanatory help texts to log messages in the output where this is available. These short help texts + will explain the context of an error or log event, possible solutions, as well as pointers to support + forums, developer documentation, and any other relevant manuals. Note that help texts are not + available for all messages, but only for selected ones. For more information on the message catalog, + please refer to the Message + Catalog Developer Documentation. + + Note: when attaching journalctl output to bug reports, please do + not use . + + + + + + Don't show the hostname field of log messages originating from the local host. This + switch has an effect only on the family of output modes (see above). + + Note: this option does not remove occurrences of the hostname from log entries themselves, so + it does not prevent the hostname from being visible in the logs. + + + + + + + + Ellipsize fields when they do not fit in available columns. The default is to show + full fields, allowing them to wrap or be truncated by the pager, if one is used. + + The old options / are not useful anymore, except to + undo . + + + + + + + Show all fields in full, even if they include unprintable characters or are very + long. By default, fields with unprintable characters are abbreviated as "blob data". (Note that the + pager may escape unprintable characters again.) + + + + + + + Show only the most recent journal entries, and continuously print new entries as + they are appended to the journal. + + + + + + Show all stored output lines, even in follow mode. Undoes the effect of + . 
+ + + + + + + Suppresses all informational messages (i.e. "-- Journal begins at …", "-- Reboot + --"), any warning messages regarding inaccessible system journals when run as a normal + user. + + + + + + Pager Control Options + + The following options control page support: + + + + + + + + + + Immediately jump to the end of the journal inside the implied pager tool. This + implies to guarantee that the pager will not buffer logs of unbounded + size. This may be overridden with an explicit with some other numeric value, + while will disable this cap. Note that this option is only supported for + the less1 + pager. + + + + + + Forward Secure Sealing (FSS) Options + + The following options make be used together with the command, see below. + + + + + + Specifies the change interval for the sealing key when generating an FSS key pair + with . Shorter intervals increase CPU consumption but shorten the time + range of undetectable journal alterations. Defaults to 15min. + + + + + + Specifies the FSS verification key to use for the + operation. + + + + + + When is passed and Forward Secure Sealing (FSS) has + already been configured, recreate FSS keys. + + + + + + Commands + + The following commands are understood. If none is specified the default is to display journal records. + + + + + + + Print all field names currently used in all entries of the journal. + + + + + + + Print all possible data values the specified field can take in all entries of the + journal. + + + + + + Show a tabular list of boot numbers (relative to the current boot), their IDs, and + the timestamps of the first and last message pertaining to the boot. - Shows the current disk usage of all journal - files. This shows the sum of the disk usage of all archived - and active journal files. + Shows the current disk usage of all journal files. This shows the sum of the disk + usage of all archived and active journal files. 
@@ -814,129 +710,68 @@ - Removes the oldest archived journal files until the disk space they use falls below the - specified size (specified with the usual K, M, G and - T suffixes), or all archived journal files contain no data older than the specified timespan - (specified with the usual s, m, h, - days, months, weeks and years - suffixes), or no more than the specified number of separate journal files remain. Note that running - has only an indirect effect on the output shown by - , as the latter includes active journal files, while the vacuuming operation only - operates on archived journal files. Similarly, might not actually reduce the - number of journal files to below the specified number, as it will not remove active journal - files. + Removes the oldest archived journal files until the disk space they use falls below + the specified size (specified with the usual K, M, + G and T suffixes), or all archived journal files contain no + data older than the specified timespan (specified with the usual s, + m, h, days, months, + weeks and years suffixes), or no more than the specified + number of separate journal files remain. Note that running has only + an indirect effect on the output shown by , as the latter includes + active journal files, while the vacuuming operation only operates on archived journal + files. Similarly, might not actually reduce the number of journal + files to below the specified number, as it will not remove active journal files. - , and - may be combined in a single invocation to enforce any combination of a size, a time and a number of files limit - on the archived journal files. Specifying any of these three parameters as zero is equivalent to not enforcing - the specific limit, and is thus redundant. + , and + may be combined in a single invocation to enforce any combination + of a size, a time and a number of files limit on the archived journal files. 
Specifying any of + these three parameters as zero is equivalent to not enforcing the specific limit, and is thus + redundant. - These three switches may also be combined with into one command. If so, all - active files are rotated first, and the requested vacuuming operation is executed right after. The rotation has - the effect that all currently active files are archived (and potentially new, empty journal files opened as - replacement), and hence the vacuuming operation has the greatest effect as it can take all log data written so - far into account. - - - - - - List the contents of the message catalog as a - table of message IDs, plus their short description strings. - - - If any 128-bit-IDs are - specified, only those entries are shown. - - - - - - - Show the contents of the message catalog, with - entries separated by a line consisting of two dashes and the - ID (the format is the same as .catalog - files). - - If any 128-bit-IDs are - specified, only those entries are shown. - - - - - - - Update the message catalog index. This command - needs to be executed each time new catalog files are - installed, removed, or updated to rebuild the binary catalog - index. - - - - - - Instead of showing journal contents, generate - a new key pair for Forward Secure Sealing (FSS). This will - generate a sealing key and a verification key. The sealing key - is stored in the journal data directory and shall remain on - the host. The verification key should be stored - externally. Refer to the option in - journald.conf5 - for information on Forward Secure Sealing and for a link to a - refereed scholarly paper detailing the cryptographic theory it - is based on. - - - - - - When is passed - and Forward Secure Sealing (FSS) has already been configured, - recreate FSS keys. - - - - - - Specifies the change interval for the sealing - key when generating an FSS key pair with - . 
Shorter intervals increase CPU - consumption but shorten the time range of undetectable journal - alterations. Defaults to 15min. + These three switches may also be combined with into one command. If + so, all active files are rotated first, and the requested vacuuming operation is executed right + after. The rotation has the effect that all currently active files are archived (and potentially new, + empty journal files opened as replacement), and hence the vacuuming operation has the greatest effect + as it can take all log data written so far into account. - Check the journal file for internal - consistency. If the file has been generated with FSS enabled and - the FSS verification key has been specified with - , authenticity of the journal file - is verified. - - - - - - Specifies the FSS verification key to use for - the operation. + Check the journal file for internal consistency. If the file has been generated + with FSS enabled and the FSS verification key has been specified with + , authenticity of the journal file is verified. - Asks the journal daemon to write all yet - unwritten journal data to the backing file system and - synchronize all journals. This call does not return until the - synchronization operation is complete. This command guarantees - that any log messages written before its invocation are safely + Asks the journal daemon to write all yet unwritten journal data to the backing file + system and synchronize all journals. This call does not return until the synchronization operation + is complete. This command guarantees that any log messages written before its invocation are safely stored on disk at the time it returns. + + + + Asks the journal daemon for the reverse operation to : if + requested the daemon will write further log data to /run/log/journal/ and + stops writing to /var/log/journal/. A subsequent call to + causes the log output to switch back to + /var/log/journal/, see above. 
+ + + + + + Similar to but executes no operation if the root + file system and /var/lib/journal/ reside on the same mount point. This + operation is used during system shutdown in order to make the journal daemon stop writing data to + /var/log/journal/ in case that directory is located on a mount point that + needs to be unmounted. + + 
@@ -950,48 +785,77 @@ to /var/log/journal/ at the time it returns. - - - - Asks the journal daemon for the reverse operation to : if - requested the daemon will write further log data to /run/log/journal/ and stops - writing to /var/log/journal/. A subsequent call to - causes the log output to switch back to /var/log/journal/, see - above. - - - - - - Similar to but executes no operation if the root file - system and /var/lib/journal/ reside on the same mount point. This operation is - used during system shutdown in order to make the journal daemon stop writing data to - /var/log/journal/ in case that directory is located on a mount point that needs - to be unmounted. - - - Asks the journal daemon to rotate journal files. This call does not return until the rotation - operation is complete. Journal file rotation has the effect that all currently active journal files are marked - as archived and renamed, so that they are never written to in future. New (empty) journal files are then - created in their place. This operation may be combined with , - and into a single command, see - above. + Asks the journal daemon to rotate journal files. This call does not return until + the rotation operation is complete. Journal file rotation has the effect that all currently active + journal files are marked as archived and renamed, so that they are never written to in future. New + (empty) journal files are then created in their place. This operation may be combined with + , and + into a single command, see above. + + + + + + Instead of showing journal contents, show internal header information of the + journal fields accessed. + + This option is particularly useful when trying to identify out-of-order journal entries, as + happens for example when the machine is booted with the wrong system time. + + + + + + List the contents of the message catalog as a table of message IDs, plus their + short description strings. 
+ + If any 128-bit-IDs are specified, only those entries are + shown. + + + + + + Show the contents of the message catalog, with entries separated by a line + consisting of two dashes and the ID (the format is the same as .catalog + files). + + If any 128-bit-IDs are specified, only those entries are + shown. + + + + + + Update the message catalog index. This command needs to be executed each time new + catalog files are installed, removed, or updated to rebuild the binary catalog + index. + + + + + + Instead of showing journal contents, generate a new key pair for Forward Secure + Sealing (FSS). This will generate a sealing key and a verification key. The sealing key is stored in + the journal data directory and shall remain on the host. The verification key should be stored + externally. Refer to the option in + journald.conf5 for + information on Forward Secure Sealing and for a link to a refereed scholarly paper detailing the + cryptographic theory it is based on. - Exit status - On success, 0 is returned; otherwise, a non-zero failure - code is returned. + On success, 0 is returned; otherwise, a non-zero failure code is returned. 
@@ -999,47 +863,42 @@ Examples - Without arguments, all collected logs are shown - unfiltered: + Without arguments, all collected logs are shown unfiltered: journalctl - With one match specified, all entries with a field matching - the expression are shown: + With one match specified, all entries with a field matching the expression are shown: journalctl _SYSTEMD_UNIT=avahi-daemon.service journalctl _SYSTEMD_CGROUP=/user.slice/user-42.slice/session-c1.scope - If two different fields are matched, only entries matching - both expressions at the same time are shown: + If two different fields are matched, only entries matching both expressions at the same time are + shown: journalctl _SYSTEMD_UNIT=avahi-daemon.service _PID=28097 - If two matches refer to the same field, all entries matching - either expression are shown: + If two matches refer to the same field, all entries matching either expression are shown: journalctl _SYSTEMD_UNIT=avahi-daemon.service _SYSTEMD_UNIT=dbus.service - If the separator + is used, two - expressions may be combined in a logical OR. The following will - show all messages from the Avahi service process with the PID - 28097 plus all messages from the D-Bus service (from any of its - processes): + If the separator + is used, two expressions may be combined in a logical OR. The + following will show all messages from the Avahi service process with the PID 28097 plus all messages from + the D-Bus service (from any of its processes): journalctl _SYSTEMD_UNIT=avahi-daemon.service _PID=28097 + _SYSTEMD_UNIT=dbus.service - To show all fields emitted by a unit and about - the unit, option / should be used. - journalctl -u name - expands to a complex filter similar to + To show all fields emitted by a unit and about the unit, + option / should be used. 
journalctl -u + name expands to a complex filter similar to + _SYSTEMD_UNIT=name.service + UNIT=name.service _PID=1 + OBJECT_SYSTEMD_UNIT=name.service _UID=0 - + COREDUMP_UNIT=name.service _UID=0 MESSAGE_ID=fc2e22bc6ee647b6b90729ab34a250b1 - - (see systemd.journal-fields7 - for an explanation of those patterns). - + + COREDUMP_UNIT=name.service _UID=0 MESSAGE_ID=fc2e22bc6ee647b6b90729ab34a250b1 + + (see + systemd.journal-fields7 + for an explanation of those patterns). Show all logs generated by the D-Bus executable: @@ -1049,11 +908,9 @@ journalctl _SYSTEMD_CGROUP=/user.slice/user-42.slice/session-c1.scopejournalctl -k -b -1 - Show a live log display from a system service - apache.service: + Show a live log display from a system service apache.service: journalctl -f -u apache - diff --git a/src/journal/journalctl.c b/src/journal/journalctl.c index f7b018f37b..5e25ed9bfd 100644 --- a/src/journal/journalctl.c +++ b/src/journal/journalctl.c 
@@ -316,19 +316,23 @@ static int help(void) { printf("%1$s [OPTIONS...] [MATCHES...]\n\n" "%5$sQuery the journal.%6$s\n\n" - "%3$sOptions:%4$s\n" + "%3$sSource Options:%4$s\n" " --system Show the system journal\n" " --user Show the user journal for the current user\n" " -M --machine=CONTAINER Operate on local container\n" + " -m --merge Show entries from all available journals\n" + " -D --directory=PATH Show journal files from directory\n" + " --file=PATH Show journal file\n" + " --root=ROOT Operate on files below a root directory\n" + " --image=IMAGE Operate on files in filesystem image\n" + " --namespace=NAMESPACE Show journal data from specified journal namespace\n" + "\n%3$sFiltering Options:%4$s\n" " -S --since=DATE Show entries not older than the specified date\n" " -U --until=DATE Show entries not newer than the specified date\n" " -c --cursor=CURSOR Show entries starting at the specified cursor\n" " --after-cursor=CURSOR Show entries after the specified cursor\n" - " --show-cursor Print the cursor after all the entries\n" " --cursor-file=FILE Show entries after cursor in FILE and update FILE\n" " -b --boot[=ID] Show current boot or the specified boot\n" - " --list-boots Show terse information about recorded boots\n" - " -k --dmesg Show kernel message log from the current boot\n" " -u --unit=UNIT Show logs from the specified unit\n" " --user-unit=UNIT Show logs from the specified user unit\n" " -t --identifier=STRING Show entries with the specified syslog identifier\n" 
@@ -336,30 +340,29 @@ static int help(void) { " --facility=FACILITY... Show entries with the specified facilities\n" " -g --grep=PATTERN Show entries with MESSAGE matching PATTERN\n" " --case-sensitive[=BOOL] Force case sensitive or insensitive matching\n" - " -e --pager-end Immediately jump to the end in the pager\n" - " -f --follow Follow the journal\n" - " -n --lines[=INTEGER] Number of journal entries to show\n" - " --no-tail Show all lines, even in follow mode\n" - " -r --reverse Show the newest entries first\n" + " -k --dmesg Show kernel message log from the current boot\n" + "\n%3$sOutput Control Options:%4$s\n" " -o --output=STRING Change journal output mode (short, short-precise,\n" " short-iso, short-iso-precise, short-full,\n" " short-monotonic, short-unix, verbose, export,\n" " json, json-pretty, json-sse, json-seq, cat,\n" " with-unit)\n" " --output-fields=LIST Select fields to print in verbose/export/json modes\n" + " -n --lines[=INTEGER] Number of journal entries to show\n" + " -r --reverse Show the newest entries first\n" + " --show-cursor Print the cursor after all the entries\n" " --utc Express time in Coordinated Universal Time (UTC)\n" " -x --catalog Add message explanations where available\n" + " --no-hostname Suppress output of hostname field\n" " --no-full Ellipsize fields\n" " -a --all Show all fields, including long and unprintable\n" + " -f --follow Follow the journal\n" + " --no-tail Show all lines, even in follow mode\n" " -q --quiet Do not show info messages and privilege warning\n" + "\n%3$sPager Control Options:%4$s\n" " --no-pager Do not pipe output into a pager\n" - " --no-hostname Suppress output of hostname field\n" - " -m --merge Show entries from all available journals\n" - " -D --directory=PATH Show journal files from directory\n" - " --file=PATH Show journal file\n" - " --root=ROOT Operate on files below a root directory\n" - " --image=IMAGE Operate on files in filesystem image\n" - " --namespace=NAMESPACE Show journal data 
from specified namespace\n" + " -e --pager-end Immediately jump to the end in the pager\n" + "\n%3$sForward Secure Sealing (FSS) Options:%4$s\n" " --interval=TIME Time interval for changing the FSS sealing key\n" " --verify-key=KEY Specify FSS verification key\n" " --force Override of the FSS key pair with --setup-keys\n" @@ -368,6 +371,7 @@ static int help(void) { " --version Show package version\n" " -N --fields List all field names currently used\n" " -F --field=FIELD List all values that a specified field takes\n" + " --list-boots Show terse information about recorded boots\n" " --disk-usage Show total disk usage of all journal files\n" " --vacuum-size=BYTES Reduce disk usage below specified size\n" " --vacuum-files=INT Leave only the specified number of journal files\n" @@ -1050,7 +1054,7 @@ static int parse_argv(int argc, char *argv[]) { if (!!arg_cursor + !!arg_after_cursor + !!arg_since_set > 1) return log_error_errno(SYNTHETIC_ERRNO(EINVAL), - "Please specify only one of --since=, --cursor=, and --after-cursor."); + "Please specify only one of --since=, --cursor=, and --after-cursor=."); if (arg_follow && arg_reverse) return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
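Review bot: In man/journalctl.xml, the new intro sentence of the "Forward Secure Sealing (FSS) Options" section reads "The following options make be used together with the command", where "make be" should be "may be". Two more wording slips sit in added text of the same hunk: the "Pager Control Options" intro says "control page support", which presumably should be "pager support", and the description beginning "Suppresses all informational messages" joins its two items with only a comma, so it needs "and" or "as well as" before "any warning messages".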
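Review bot: In the man page hunk at @@ -814,129 +710,68 @@, the moved paragraph beginning "Similar to ... but executes no operation" says nothing is done if "the root file system and /var/lib/journal/ reside on the same mount point", while the rest of that paragraph and the paragraph before it refer only to /var/log/journal/. Since the text is being moved and re-wrapped anyway, please confirm which directory is meant and correct the path here instead of carrying the inconsistency into the new location.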
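Review bot: In help() in src/journal/journalctl.c (hunk @@ -336,30 +340,29 @@), the new heading is "Output Control Options", but the matching man page section added by this same patch is titled "Output Options". The "Pager Control Options" and "Forward Secure Sealing (FSS) Options" headings are identical in both places, so please pick one name for the output group and use it in both the help text and the man page.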
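Review bot: The Examples hunk (@@ -999,47 +863,42 @@) and the disk-usage and vacuum paragraphs in @@ -814,129 +710,68 @@ appear to change only line wrapping, which mixes whitespace-only churn into a patch whose purpose is reordering options into sections. Consider moving the re-wrap into a separate commit so the section moves and the few real text changes (such as the "--after-cursor=." fix in parse_argv()) can be reviewed on their own.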