mirror of
https://github.com/systemd/systemd.git
synced 2024-10-30 23:21:22 +03:00
893bcd3d07
This new output formatting option is similar to "short-monotonic" but also shows the time delta between two messages. This fixes #24641.
938 lines
48 KiB
XML
938 lines
48 KiB
XML
<?xml version='1.0'?> <!--*-nxml-*-->
|
||
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
|
||
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
|
||
<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->
|
||
|
||
<refentry id="journalctl"
|
||
xmlns:xi="http://www.w3.org/2001/XInclude">
|
||
|
||
<refentryinfo>
|
||
<title>journalctl</title>
|
||
<productname>systemd</productname>
|
||
</refentryinfo>
|
||
|
||
<refmeta>
|
||
<refentrytitle>journalctl</refentrytitle>
|
||
<manvolnum>1</manvolnum>
|
||
</refmeta>
|
||
|
||
<refnamediv>
|
||
<refname>journalctl</refname>
|
||
<refpurpose>Query the systemd journal</refpurpose>
|
||
</refnamediv>
|
||
|
||
<refsynopsisdiv>
|
||
<cmdsynopsis>
|
||
<command>journalctl</command>
|
||
<arg choice="opt" rep="repeat">OPTIONS</arg>
|
||
<arg choice="opt" rep="repeat">MATCHES</arg>
|
||
</cmdsynopsis>
|
||
</refsynopsisdiv>
|
||
|
||
<refsect1>
|
||
<title>Description</title>
|
||
|
||
<para><command>journalctl</command> may be used to query the contents of the
|
||
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry> journal as
|
||
written by
|
||
<citerefentry><refentrytitle>systemd-journald.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
|
||
|
||
<para>If called without parameters, it will show the full contents of the journal, starting with the
|
||
oldest entry collected.</para>
|
||
|
||
<para>If one or more match arguments are passed, the output is filtered accordingly. A match is in the
|
||
format <literal>FIELD=VALUE</literal>, e.g. <literal>_SYSTEMD_UNIT=httpd.service</literal>, referring to
|
||
the components of a structured journal entry. See
|
||
<citerefentry><refentrytitle>systemd.journal-fields</refentrytitle><manvolnum>7</manvolnum></citerefentry>
|
||
for a list of well-known fields. If multiple matches are specified matching different fields, the log
|
||
entries are filtered by both, i.e. the resulting output will show only entries matching all the specified
|
||
matches of this kind. If two matches apply to the same field, then they are automatically matched as
|
||
alternatives, i.e. the resulting output will show entries matching any of the specified matches for the
|
||
same field. Finally, the character <literal>+</literal> may appear as a separate word between other terms
|
||
on the command line. This causes all matches before and after to be combined in a disjunction
|
||
(i.e. logical OR).</para>
|
||
|
||
<para>It is also possible to filter the entries by specifying an absolute file path as an argument. The
|
||
file path may be a file or a symbolic link and the file must exist at the time of the query. If a file
|
||
path refers to an executable binary, an <literal>_EXE=</literal> match for the canonicalized binary path
|
||
is added to the query. If a file path refers to an executable script, a <literal>_COMM=</literal> match
|
||
for the script name is added to the query. If a file path refers to a device node,
|
||
<literal>_KERNEL_DEVICE=</literal> matches for the kernel name of the device and for each of its ancestor
|
||
devices is added to the query. Symbolic links are dereferenced, kernel names are synthesized, and parent
|
||
devices are identified from the environment at the time of the query. In general, a device node is the
|
||
best proxy for an actual device, as log entries do not usually contain fields that identify an actual
|
||
device. For the resulting log entries to be correct for the actual device, the relevant parts of the
|
||
environment at the time the entry was logged, in particular the actual device corresponding to the device
|
||
node, must have been the same as those at the time of the query. Because device nodes generally change
|
||
their corresponding devices across reboots, specifying a device node path causes the resulting entries to
|
||
be restricted to those from the current boot.</para>
|
||
|
||
<para>Additional constraints may be added using options <option>--boot</option>,
|
||
<option>--unit=</option>, etc., to further limit what entries will be shown (logical AND).</para>
|
||
|
||
<para>Output is interleaved from all accessible journal files, whether they are rotated or currently
|
||
being written, and regardless of whether they belong to the system itself or are accessible user
|
||
journals. The <option>--header</option> option can be used to identify which files
|
||
<emphasis>are</emphasis> being shown.</para>
|
||
|
||
<para>The set of journal files which will be used can be modified using the <option>--user</option>,
|
||
<option>--system</option>, <option>--directory</option>, and <option>--file</option> options, see
|
||
below.</para>
|
||
|
||
<para>All users are granted access to their private per-user journals. However, by default, only root and
|
||
users who are members of a few special groups are granted access to the system journal and the journals
|
||
of other users. Members of the groups <literal>systemd-journal</literal>, <literal>adm</literal>, and
|
||
<literal>wheel</literal> can read all journal files. Note that the two latter groups traditionally have
|
||
additional privileges specified by the distribution. Members of the <literal>wheel</literal> group can
|
||
often perform administrative tasks.</para>
|
||
|
||
<para>The output is paged through <command>less</command> by default, and long lines are "truncated" to
|
||
screen width. The hidden part can be viewed by using the left-arrow and right-arrow keys. Paging can be
|
||
disabled; see the <option>--no-pager</option> option and the "Environment" section below.</para>
|
||
|
||
<para>When outputting to a tty, lines are colored according to priority: lines of level ERROR and higher
|
||
are colored red; lines of level NOTICE and higher are highlighted; lines of level DEBUG are colored
|
||
lighter grey; other lines are displayed normally.</para>
|
||
</refsect1>
|
||
|
||
<refsect1>
|
||
<title>Source Options</title>
|
||
|
||
<para>The following options control where to read journal records from:</para>
|
||
|
||
<variablelist>
|
||
<varlistentry>
|
||
<term><option>--system</option></term>
|
||
<term><option>--user</option></term>
|
||
|
||
<listitem><para>Show messages from system services and the kernel (with
|
||
<option>--system</option>). Show messages from service of current user (with
|
||
<option>--user</option>). If neither is specified, show all messages that the user can see.
|
||
</para></listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term><option>-M</option></term>
|
||
<term><option>--machine=</option></term>
|
||
|
||
<listitem><para>Show messages from a running, local container. Specify a container name to connect
|
||
to.</para></listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term><option>-m</option></term>
|
||
<term><option>--merge</option></term>
|
||
|
||
<listitem><para>Show entries interleaved from all available journals, including remote
|
||
ones.</para></listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term><option>-D <replaceable>DIR</replaceable></option></term>
|
||
<term><option>--directory=<replaceable>DIR</replaceable></option></term>
|
||
|
||
<listitem><para>Takes a directory path as argument. If specified, journalctl will operate on the
|
||
specified journal directory <replaceable>DIR</replaceable> instead of the default runtime and system
|
||
journal paths.</para></listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term><option>--file=<replaceable>GLOB</replaceable></option></term>
|
||
|
||
<listitem><para>Takes a file glob as an argument. If specified, journalctl will operate on the
|
||
specified journal files matching <replaceable>GLOB</replaceable> instead of the default runtime and
|
||
system journal paths. May be specified multiple times, in which case files will be suitably
|
||
interleaved.</para></listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term><option>--root=<replaceable>ROOT</replaceable></option></term>
|
||
|
||
<listitem><para>Takes a directory path as an argument. If specified, <command>journalctl</command>
|
||
will operate on journal directories and catalog file hierarchy underneath the specified directory
|
||
instead of the root directory (e.g. <option>--update-catalog</option> will create
|
||
<filename><replaceable>ROOT</replaceable>/var/lib/systemd/catalog/database</filename>, and journal
|
||
files under <filename><replaceable>ROOT</replaceable>/run/journal/</filename> or
|
||
<filename><replaceable>ROOT</replaceable>/var/log/journal/</filename> will be displayed).
|
||
</para></listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term><option>--image=<replaceable>IMAGE</replaceable></option></term>
|
||
|
||
<listitem><para>Takes a path to a disk image file or block device node. If specified,
|
||
<command>journalctl</command> will operate on the file system in the indicated disk image. This
|
||
option is similar to <option>--root=</option>, but operates on file systems stored in disk images or
|
||
block devices, thus providing an easy way to extract log data from disk images. The disk image should
|
||
either contain just a file system or a set of file systems within a GPT partition table, following
|
||
the <ulink url="https://systemd.io/DISCOVERABLE_PARTITIONS">Discoverable Partitions
|
||
Specification</ulink>. For further information on supported disk images, see
|
||
<citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>'s
|
||
switch of the same name.</para></listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term><option>--namespace=<replaceable>NAMESPACE</replaceable></option></term>
|
||
|
||
<listitem><para>Takes a journal namespace identifier string as argument. If not specified the data
|
||
collected by the default namespace is shown. If specified shows the log data of the specified
|
||
namespace instead. If the namespace is specified as <literal>*</literal> data from all namespaces is
|
||
shown, interleaved. If the namespace identifier is prefixed with <literal>+</literal> data from the
|
||
specified namespace and the default namespace is shown, interleaved, but no other. For details about
|
||
journal namespaces see
|
||
<citerefentry><refentrytitle>systemd-journald.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para></listitem>
|
||
</varlistentry>
|
||
</variablelist>
|
||
</refsect1>
|
||
|
||
<refsect1>
|
||
<title>Filtering Options</title>
|
||
|
||
<para>The following options control how to filter journal records:</para>
|
||
|
||
<variablelist>
|
||
<varlistentry>
|
||
<term><option>-S</option></term>
|
||
<term><option>--since=</option></term>
|
||
<term><option>-U</option></term>
|
||
<term><option>--until=</option></term>
|
||
|
||
<listitem><para>Start showing entries on or newer than the specified date, or on or older than the
|
||
specified date, respectively. Date specifications should be of the format <literal>2012-10-30
|
||
18:17:16</literal>. If the time part is omitted, <literal>00:00:00</literal> is assumed. If only
|
||
the seconds component is omitted, <literal>:00</literal> is assumed. If the date component is
|
||
omitted, the current day is assumed. Alternatively the strings <literal>yesterday</literal>,
|
||
<literal>today</literal>, <literal>tomorrow</literal> are understood, which refer to 00:00:00 of the
|
||
day before the current day, the current day, or the day after the current day,
|
||
respectively. <literal>now</literal> refers to the current time. Finally, relative times may be
|
||
specified, prefixed with <literal>-</literal> or <literal>+</literal>, referring to times before or
|
||
after the current time, respectively. For complete time and date specification, see
|
||
<citerefentry><refentrytitle>systemd.time</refentrytitle><manvolnum>7</manvolnum></citerefentry>. Note
|
||
that <option>--output=short-full</option> prints timestamps that follow precisely this format.
|
||
</para></listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term><option>-c</option></term>
|
||
<term><option>--cursor=</option></term>
|
||
|
||
<listitem><para>Start showing entries from the location in the journal specified by the passed
|
||
cursor.</para></listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term><option>--after-cursor=</option></term>
|
||
|
||
<listitem><para>Start showing entries from the location in the journal <emphasis>after</emphasis>
|
||
the location specified by the passed cursor. The cursor is shown when the
|
||
<option>--show-cursor</option> option is used.</para></listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term><option>--cursor-file=<replaceable>FILE</replaceable></option></term>
|
||
|
||
<listitem><para>If <replaceable>FILE</replaceable> exists and contains a cursor, start showing
|
||
entries <emphasis>after</emphasis> this location. Otherwise show entries according to the other
|
||
given options. At the end, write the cursor of the last entry to
|
||
<replaceable>FILE</replaceable>. Use this option to continually read the journal by sequentially
|
||
calling <command>journalctl</command>.</para></listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term><option>-b <optional><optional><replaceable>ID</replaceable></optional><optional><replaceable>±offset</replaceable></optional>|<constant>all</constant></optional></option></term>
|
||
<term><option>--boot<optional>=<optional><replaceable>ID</replaceable></optional><optional><replaceable>±offset</replaceable></optional>|<constant>all</constant></optional></option></term>
|
||
|
||
<listitem><para>Show messages from a specific boot. This will add a match for
|
||
<literal>_BOOT_ID=</literal>.</para>
|
||
|
||
<para>The argument may be empty, in which case logs for the current boot will be shown.</para>
|
||
|
||
<para>If the boot ID is omitted, a positive <replaceable>offset</replaceable> will look up the boots
|
||
starting from the beginning of the journal, and an equal-or-less-than zero
|
||
<replaceable>offset</replaceable> will look up boots starting from the end of the journal. Thus,
|
||
<constant>1</constant> means the first boot found in the journal in chronological order,
|
||
<constant>2</constant> the second and so on; while <constant>-0</constant> is the last boot,
|
||
<constant>-1</constant> the boot before last, and so on. An empty <replaceable>offset</replaceable>
|
||
is equivalent to specifying <constant>-0</constant>, except when the current boot is not the last
|
||
boot (e.g. because <option>--directory</option> was specified to look at logs from a different
|
||
machine).</para>
|
||
|
||
<para>If the 32-character <replaceable>ID</replaceable> is specified, it may optionally be followed
|
||
by <replaceable>offset</replaceable> which identifies the boot relative to the one given by boot
|
||
<replaceable>ID</replaceable>. Negative values mean earlier boots and positive values mean later
|
||
boots. If <replaceable>offset</replaceable> is not specified, a value of zero is assumed, and the
|
||
logs for the boot given by <replaceable>ID</replaceable> are shown.</para>
|
||
|
||
<para>The special argument <constant>all</constant> can be used to negate the effect of an earlier
|
||
use of <option>-b</option>.</para></listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term><option>-u</option></term>
|
||
<term><option>--unit=<replaceable>UNIT</replaceable>|<replaceable>PATTERN</replaceable></option></term>
|
||
|
||
<listitem><para>Show messages for the specified systemd unit <replaceable>UNIT</replaceable> (such as
|
||
a service unit), or for any of the units matched by <replaceable>PATTERN</replaceable>. If a pattern
|
||
is specified, a list of unit names found in the journal is compared with the specified pattern and
|
||
all that match are used. For each unit name, a match is added for messages from the unit
|
||
(<literal>_SYSTEMD_UNIT=<replaceable>UNIT</replaceable></literal>), along with additional matches for
|
||
messages from systemd and messages about coredumps for the specified unit. A match is also added for
|
||
<literal>_SYSTEMD_SLICE=<replaceable>UNIT</replaceable></literal>, such that if the provided
|
||
<replaceable>UNIT</replaceable> is a
|
||
<citerefentry><refentrytitle>systemd.slice</refentrytitle><manvolnum>5</manvolnum></citerefentry>
|
||
unit, all logs of children of the slice will be shown.</para>
|
||
|
||
<para>This parameter can be specified multiple times.</para></listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term><option>--user-unit=</option></term>
|
||
|
||
<listitem><para>Show messages for the specified user session unit. This will add a match for messages
|
||
from the unit (<literal>_SYSTEMD_USER_UNIT=</literal> and <literal>_UID=</literal>) and additional
|
||
matches for messages from session systemd and messages about coredumps for the specified unit. A
|
||
match is also added for <literal>_SYSTEMD_USER_SLICE=<replaceable>UNIT</replaceable></literal>, such
|
||
that if the provided <replaceable>UNIT</replaceable> is a
|
||
<citerefentry><refentrytitle>systemd.slice</refentrytitle><manvolnum>5</manvolnum></citerefentry>
|
||
unit, all logs of children of the unit will be shown.</para>
|
||
|
||
<para>This parameter can be specified multiple times.</para></listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term><option>-t</option></term>
|
||
<term><option>--identifier=<replaceable>SYSLOG_IDENTIFIER</replaceable></option></term>
|
||
|
||
<listitem><para>Show messages for the specified syslog identifier
|
||
<replaceable>SYSLOG_IDENTIFIER</replaceable>.</para>
|
||
|
||
<para>This parameter can be specified multiple times.</para></listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term><option>-p</option></term>
|
||
<term><option>--priority=</option></term>
|
||
|
||
<listitem><para>Filter output by message priorities or priority ranges. Takes either a single numeric
|
||
or textual log level (i.e. between 0/<literal>emerg</literal> and 7/<literal>debug</literal>), or a
|
||
range of numeric/text log levels in the form FROM..TO. The log levels are the usual syslog log levels
|
||
as documented in <citerefentry
|
||
project='man-pages'><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
|
||
i.e. <literal>emerg</literal> (0), <literal>alert</literal> (1), <literal>crit</literal> (2),
|
||
<literal>err</literal> (3), <literal>warning</literal> (4), <literal>notice</literal> (5),
|
||
<literal>info</literal> (6), <literal>debug</literal> (7). If a single log level is specified, all
|
||
messages with this log level or a lower (hence more important) log level are shown. If a range is
|
||
specified, all messages within the range are shown, including both the start and the end value of the
|
||
range. This will add <literal>PRIORITY=</literal> matches for the specified
|
||
priorities.</para></listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term><option>--facility=</option></term>
|
||
|
||
<listitem><para>Filter output by syslog facility. Takes a comma-separated list of numbers or
|
||
facility names. The names are the usual syslog facilities as documented in <citerefentry
|
||
project='man-pages'><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
|
||
<option>--facility=help</option> may be used to display a list of known facility names and exit.
|
||
</para></listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term><option>-g</option></term>
|
||
<term><option>--grep=</option></term>
|
||
|
||
<listitem><para>Filter output to entries where the <varname>MESSAGE=</varname> field matches the
|
||
specified regular expression. PERL-compatible regular expressions are used, see <citerefentry
|
||
project='url'><refentrytitle
|
||
url='http://pcre.org/current/doc/html/pcre2pattern.html'>pcre2pattern</refentrytitle><manvolnum>3</manvolnum></citerefentry>
|
||
for a detailed description of the syntax.</para>
|
||
|
||
<para>If the pattern is all lowercase, matching is case insensitive. Otherwise, matching is case
|
||
sensitive. This can be overridden with the <option>--case-sensitive</option> option, see
|
||
below.</para></listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term><option>--case-sensitive<optional>=BOOLEAN</optional></option></term>
|
||
|
||
<listitem><para>Make pattern matching case sensitive or case insensitive.</para></listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term><option>-k</option></term>
|
||
<term><option>--dmesg</option></term>
|
||
|
||
<listitem><para>Show only kernel messages. This implies <option>-b</option> and adds the match
|
||
<literal>_TRANSPORT=kernel</literal>.</para></listitem>
|
||
</varlistentry>
|
||
</variablelist>
|
||
</refsect1>
|
||
|
||
<refsect1>
|
||
<title>Output Options</title>
|
||
|
||
<para>The following options control how journal records are printed:</para>
|
||
|
||
<variablelist>
|
||
<varlistentry>
|
||
<term><option>-o</option></term>
|
||
<term><option>--output=</option></term>
|
||
|
||
<listitem><para>Controls the formatting of the journal entries that are shown. Takes one of the
|
||
following options:</para>
|
||
|
||
<variablelist>
|
||
<varlistentry>
|
||
<term><option>short</option></term>
|
||
<listitem><para>is the default and generates an output that is mostly identical to the
|
||
formatting of classic syslog files, showing one line per journal entry.</para></listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term><option>short-full</option></term>
|
||
<listitem><para>is very similar, but shows timestamps in the format the
|
||
<option>--since=</option> and <option>--until=</option> options accept. Unlike the timestamp
|
||
information shown in <option>short</option> output mode this mode includes weekday, year and
|
||
timezone information in the output, and is locale-independent.</para></listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term><option>short-iso</option></term>
|
||
<listitem><para>is very similar, but shows ISO 8601 wallclock timestamps.</para></listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term><option>short-iso-precise</option></term>
|
||
<listitem><para>as for <option>short-iso</option> but includes full microsecond
|
||
precision.</para></listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term><option>short-precise</option></term>
|
||
<listitem><para>is very similar, but shows classic syslog timestamps with full microsecond
|
||
precision.</para></listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term><option>short-monotonic</option></term>
|
||
<listitem><para>is very similar, but shows monotonic timestamps instead of wallclock
|
||
timestamps.</para></listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term><option>short-delta</option></term>
|
||
<listitem><para>as for <option>short-monotonic</option> but includes the time difference
|
||
to the previous entry.
|
||
Maybe unreliable time differences are marked by a <literal>*</literal>.</para></listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term><option>short-unix</option></term>
|
||
<listitem><para>is very similar, but shows seconds passed since January 1st 1970 UTC instead of
|
||
wallclock timestamps ("UNIX time"). The time is shown with microsecond accuracy.</para></listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term><option>verbose</option></term>
|
||
<listitem><para>shows the full-structured entry items with all fields.</para></listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term><option>export</option></term>
|
||
<listitem><para>serializes the journal into a binary (but mostly text-based) stream suitable
|
||
for backups and network transfer (see <ulink
|
||
url="https://systemd.io/JOURNAL_EXPORT_FORMATS#journal-export-format">Journal Export
|
||
Format</ulink> for more information). To import the binary stream back into native journald
|
||
format use
|
||
<citerefentry><refentrytitle>systemd-journal-remote</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para></listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term><option>json</option></term>
|
||
<listitem><para>formats entries as JSON objects, separated by newline characters (see <ulink
|
||
url="https://systemd.io/JOURNAL_EXPORT_FORMATS#journal-json-format">Journal JSON Format</ulink>
|
||
for more information). Field values are generally encoded as JSON strings, with three exceptions:
|
||
<orderedlist>
|
||
<listitem><para>Fields larger than 4096 bytes are encoded as <constant>null</constant>
|
||
values. (This may be turned off by passing <option>--all</option>, but be aware that this may
|
||
allocate overly long JSON objects.)</para></listitem>
|
||
|
||
<listitem><para>Journal entries permit non-unique fields within the same log entry. JSON does
|
||
not allow non-unique fields within objects. Due to this, if a non-unique field is encountered a
|
||
JSON array is used as field value, listing all field values as elements.</para></listitem>
|
||
|
||
<listitem><para>Fields containing non-printable or non-UTF8 bytes are encoded as arrays
|
||
containing the raw bytes individually formatted as unsigned numbers.</para></listitem>
|
||
</orderedlist>
|
||
|
||
Note that this encoding is reversible (with the exception of the size limit).</para></listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term><option>json-pretty</option></term>
|
||
<listitem><para>formats entries as JSON data structures, but formats them in multiple lines in
|
||
order to make them more readable by humans.</para></listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term><option>json-sse</option></term>
|
||
<listitem><para>formats entries as JSON data structures, but wraps them in a format suitable for
|
||
<ulink
|
||
url="https://developer.mozilla.org/en-US/docs/Server-sent_events/Using_server-sent_events">Server-Sent
|
||
Events</ulink>.</para></listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term><option>json-seq</option></term>
|
||
<listitem><para>formats entries as JSON data structures, but prefixes them with an ASCII Record
|
||
Separator character (0x1E) and suffixes them with an ASCII Line Feed character (0x0A), in
|
||
accordance with <ulink url="https://tools.ietf.org/html/rfc7464">JavaScript Object Notation
|
||
(JSON) Text Sequences </ulink> (<literal>application/json-seq</literal>).</para></listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term><option>cat</option></term>
|
||
<listitem><para>generates a very terse output, only showing the actual message of each journal
|
||
entry with no metadata, not even a timestamp. If combined with the
|
||
<option>--output-fields=</option> option will output the listed fields for each log record,
|
||
instead of the message.</para></listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term><option>with-unit</option></term>
|
||
<listitem><para>similar to <option>short-full</option>, but prefixes the unit and user unit names
|
||
instead of the traditional syslog identifier. Useful when using templated instances, as it will
|
||
include the arguments in the unit names.</para></listitem>
|
||
</varlistentry>
|
||
</variablelist></listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term><option>--output-fields=</option></term>
|
||
|
||
<listitem><para>A comma separated list of the fields which should be included in the output. This
|
||
has an effect only for the output modes which would normally show all fields
|
||
(<option>verbose</option>, <option>export</option>, <option>json</option>,
|
||
<option>json-pretty</option>, <option>json-sse</option> and <option>json-seq</option>), as well as
|
||
on <option>cat</option>. For the former, the <literal>__CURSOR</literal>,
|
||
<literal>__REALTIME_TIMESTAMP</literal>, <literal>__MONOTONIC_TIMESTAMP</literal>, and
|
||
<literal>_BOOT_ID</literal> fields are always printed.</para></listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term><option>-n</option></term>
|
||
<term><option>--lines=</option></term>
|
||
|
||
<listitem><para>Show the most recent journal events and limit the number of events shown. If
|
||
<option>--follow</option> is used, this option is implied. The argument is a positive integer or
|
||
<literal>all</literal> to disable line limiting. The default value is 10 if no argument is
|
||
given.</para></listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term><option>-r</option></term>
|
||
<term><option>--reverse</option></term>
|
||
|
||
<listitem><para>Reverse output so that the newest entries are displayed first.</para></listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term><option>--show-cursor</option></term>
|
||
|
||
<listitem><para>The cursor is shown after the last entry after two dashes:</para>
|
||
<programlisting>-- cursor: s=0639…</programlisting>
|
||
<para>The format of the cursor is private and subject to change.</para></listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term><option>--utc</option></term>
|
||
|
||
<listitem><para>Express time in Coordinated Universal Time (UTC).</para></listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term><option>-x</option></term>
|
||
<term><option>--catalog</option></term>
|
||
|
||
<listitem><para>Augment log lines with explanation texts from the message catalog. This will add
|
||
explanatory help texts to log messages in the output where this is available. These short help texts
|
||
will explain the context of an error or log event, possible solutions, as well as pointers to support
|
||
forums, developer documentation, and any other relevant manuals. Note that help texts are not
|
||
available for all messages, but only for selected ones. For more information on the message catalog,
|
||
please refer to the <ulink url="https://www.freedesktop.org/wiki/Software/systemd/catalog">Message
|
||
Catalog Developer Documentation</ulink>.</para>
|
||
|
||
<para>Note: when attaching <command>journalctl</command> output to bug reports, please do
|
||
<emphasis>not</emphasis> use <option>-x</option>.</para></listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term><option>--no-hostname</option></term>
|
||
|
||
<listitem><para>Don't show the hostname field of log messages originating from the local host. This
|
||
switch has an effect only on the <option>short</option> family of output modes (see above).</para>
|
||
|
||
<para>Note: this option does not remove occurrences of the hostname from log entries themselves, so
|
||
it does not prevent the hostname from being visible in the logs.</para></listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term><option>--no-full</option></term>
|
||
<term><option>--full</option></term>
|
||
<term><option>-l</option></term>
|
||
|
||
<listitem><para>Ellipsize fields when they do not fit in available columns. The default is to show
|
||
full fields, allowing them to wrap or be truncated by the pager, if one is used.</para>
|
||
|
||
<para>The old options <option>-l</option>/<option>--full</option> are not useful anymore, except to
|
||
undo <option>--no-full</option>.</para></listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term><option>-a</option></term>
|
||
<term><option>--all</option></term>
|
||
|
||
<listitem><para>Show all fields in full, even if they include unprintable characters or are very
|
||
long. By default, fields with unprintable characters are abbreviated as "blob data". (Note that the
|
||
pager may escape unprintable characters again.)</para></listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term><option>-f</option></term>
|
||
<term><option>--follow</option></term>
|
||
|
||
<listitem><para>Show only the most recent journal entries, and continuously print new entries as
|
||
they are appended to the journal.</para></listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term><option>--no-tail</option></term>
|
||
|
||
<listitem><para>Show all stored output lines, even in follow mode. Undoes the effect of
|
||
<option>--lines=</option>.</para></listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term><option>-q</option></term>
|
||
<term><option>--quiet</option></term>
|
||
|
||
<listitem><para>Suppresses all informational messages (i.e. "-- Journal begins at …", "-- Reboot
|
||
--"), any warning messages regarding inaccessible system journals when run as a normal
|
||
user.</para></listitem>
|
||
</varlistentry>
|
||
</variablelist>
|
||
</refsect1>
|
||
|
||
<refsect1>
|
||
<title>Pager Control Options</title>
|
||
|
||
<para>The following options control page support:</para>
|
||
|
||
<variablelist>
|
||
|
||
<xi:include href="standard-options.xml" xpointer="no-pager" />
|
||
|
||
<varlistentry>
|
||
<term><option>-e</option></term>
|
||
<term><option>--pager-end</option></term>
|
||
|
||
<listitem><para>Immediately jump to the end of the journal inside the implied pager tool. This
|
||
implies <option>-n1000</option> to guarantee that the pager will not buffer logs of unbounded
|
||
size. This may be overridden with an explicit <option>-n</option> with some other numeric value,
|
||
while <option>-nall</option> will disable this cap. Note that this option is only supported for
|
||
the <citerefentry
|
||
project='man-pages'><refentrytitle>less</refentrytitle><manvolnum>1</manvolnum></citerefentry>
|
||
pager.</para></listitem>
|
||
</varlistentry>
|
||
</variablelist>
|
||
</refsect1>
|
||
|
||
<refsect1>
|
||
<title>Forward Secure Sealing (FSS) Options</title>
|
||
|
||
<para>The following options make be used together with the <option>--setup-keys</option> command, see below.</para>
|
||
|
||
<variablelist>
|
||
<varlistentry>
|
||
<term><option>--interval=</option></term>
|
||
|
||
<listitem><para>Specifies the change interval for the sealing key when generating an FSS key pair
|
||
with <option>--setup-keys</option>. Shorter intervals increase CPU consumption but shorten the time
|
||
range of undetectable journal alterations. Defaults to 15min.</para></listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term><option>--verify-key=</option></term>
|
||
|
||
<listitem><para>Specifies the FSS verification key to use for the <option>--verify</option>
|
||
operation.</para></listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term><option>--force</option></term>
|
||
|
||
<listitem><para>When <option>--setup-keys</option> is passed and Forward Secure Sealing (FSS) has
|
||
already been configured, recreate FSS keys.</para></listitem>
|
||
</varlistentry>
|
||
</variablelist>
|
||
</refsect1>
|
||
|
||
<refsect1>
|
||
<title>Commands</title>
|
||
|
||
<para>The following commands are understood. If none is specified the default is to display journal records.</para>
|
||
|
||
<variablelist>
|
||
<varlistentry>
|
||
<term><option>-N</option></term>
|
||
<term><option>--fields</option></term>
|
||
|
||
<listitem><para>Print all field names currently used in all entries of the journal.</para></listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term><option>-F</option></term>
|
||
<term><option>--field=</option></term>
|
||
|
||
<listitem><para>Print all possible data values the specified field can take in all entries of the
|
||
journal.</para></listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term><option>--list-boots</option></term>
|
||
|
||
<listitem><para>Show a tabular list of boot numbers (relative to the current boot), their IDs, and
|
||
the timestamps of the first and last message pertaining to the boot.</para></listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term><option>--disk-usage</option></term>
|
||
|
||
<listitem><para>Shows the current disk usage of all journal files. This shows the sum of the disk
|
||
usage of all archived and active journal files.</para></listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term><option>--vacuum-size=</option></term>
|
||
<term><option>--vacuum-time=</option></term>
|
||
<term><option>--vacuum-files=</option></term>
|
||
|
||
<listitem><para>Removes the oldest archived journal files until the disk space they use falls below
|
||
the specified size (specified with the usual <literal>K</literal>, <literal>M</literal>,
|
||
<literal>G</literal> and <literal>T</literal> suffixes), or all archived journal files contain no
|
||
data older than the specified timespan (specified with the usual <literal>s</literal>,
|
||
<literal>m</literal>, <literal>h</literal>, <literal>days</literal>, <literal>months</literal>,
|
||
<literal>weeks</literal> and <literal>years</literal> suffixes), or no more than the specified
|
||
number of separate journal files remain. Note that running <option>--vacuum-size=</option> has only
|
||
an indirect effect on the output shown by <option>--disk-usage</option>, as the latter includes
|
||
active journal files, while the vacuuming operation only operates on archived journal
|
||
files. Similarly, <option>--vacuum-files=</option> might not actually reduce the number of journal
|
||
files to below the specified number, as it will not remove active journal files.</para>
|
||
|
||
<para><option>--vacuum-size=</option>, <option>--vacuum-time=</option> and
|
||
<option>--vacuum-files=</option> may be combined in a single invocation to enforce any combination
|
||
of a size, a time and a number of files limit on the archived journal files. Specifying any of
|
||
these three parameters as zero is equivalent to not enforcing the specific limit, and is thus
|
||
redundant.</para>
|
||
|
||
<para>These three switches may also be combined with <option>--rotate</option> into one command. If
|
||
so, all active files are rotated first, and the requested vacuuming operation is executed right
|
||
after. The rotation has the effect that all currently active files are archived (and potentially new,
|
||
empty journal files opened as replacement), and hence the vacuuming operation has the greatest effect
|
||
as it can take all log data written so far into account.</para></listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term><option>--verify</option></term>
|
||
|
||
<listitem><para>Check the journal file for internal consistency. If the file has been generated
|
||
with FSS enabled and the FSS verification key has been specified with
|
||
<option>--verify-key=</option>, authenticity of the journal file is verified.</para></listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term><option>--sync</option></term>
|
||
|
||
<listitem><para>Asks the journal daemon to write all yet unwritten journal data to the backing file
|
||
system and synchronize all journals. This call does not return until the synchronization operation
|
||
is complete. This command guarantees that any log messages written before its invocation are safely
|
||
stored on disk at the time it returns.</para></listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term><option>--relinquish-var</option></term>
|
||
|
||
<listitem><para>Asks the journal daemon for the reverse operation to <option>--flush</option>: if
|
||
requested the daemon will write further log data to <filename>/run/log/journal/</filename> and
|
||
stops writing to <filename>/var/log/journal/</filename>. A subsequent call to
|
||
<option>--flush</option> causes the log output to switch back to
|
||
<filename>/var/log/journal/</filename>, see above.</para></listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term><option>--smart-relinquish-var</option></term>
|
||
|
||
<listitem><para>Similar to <option>--relinquish-var</option>, but executes no operation if the root
|
||
file system and <filename>/var/lib/journal/</filename> reside on the same mount point. This operation
|
||
is used during system shutdown in order to make the journal daemon stop writing data to
|
||
<filename>/var/log/journal/</filename> in case that directory is located on a mount point that needs
|
||
to be unmounted.</para></listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term><option>--flush</option></term>
|
||
|
||
<listitem><para>Asks the journal daemon to flush any log data stored in
|
||
<filename>/run/log/journal/</filename> into <filename>/var/log/journal/</filename>, if persistent
|
||
storage is enabled. This call does not return until the operation is complete. Note that this call is
|
||
idempotent: the data is only flushed from <filename>/run/log/journal/</filename> into
|
||
<filename>/var/log/journal/</filename> once during system runtime (but see
|
||
<option>--relinquish-var</option> below), and this command exits cleanly without executing any
|
||
operation if this has already happened. This command effectively guarantees that all data is flushed
|
||
to <filename>/var/log/journal/</filename> at the time it returns.</para></listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term><option>--rotate</option></term>
|
||
|
||
<listitem><para>Asks the journal daemon to rotate journal files. This call does not return until
|
||
the rotation operation is complete. Journal file rotation has the effect that all currently active
|
||
journal files are marked as archived and renamed, so that they are never written to in future. New
|
||
(empty) journal files are then created in their place. This operation may be combined with
|
||
<option>--vacuum-size=</option>, <option>--vacuum-time=</option> and
|
||
<option>--vacuum-file=</option> into a single command, see above.</para></listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term><option>--header</option></term>
|
||
|
||
<listitem><para>Instead of showing journal contents, show internal header information of the
|
||
journal fields accessed.</para>
|
||
|
||
<para>This option is particularly useful when trying to identify out-of-order journal entries, as
|
||
happens for example when the machine is booted with the wrong system time.</para></listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term><option>--list-catalog <optional><replaceable>128-bit-ID…</replaceable></optional></option></term>
|
||
|
||
<listitem><para>List the contents of the message catalog as a table of message IDs, plus their
|
||
short description strings.</para>
|
||
|
||
<para>If any <replaceable>128-bit-ID</replaceable>s are specified, only those entries are
|
||
shown.</para></listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term><option>--dump-catalog <optional><replaceable>128-bit-ID…</replaceable></optional></option></term>
|
||
|
||
<listitem><para>Show the contents of the message catalog, with entries separated by a line
|
||
consisting of two dashes and the ID (the format is the same as <filename>.catalog</filename>
|
||
files).</para>
|
||
|
||
<para>If any <replaceable>128-bit-ID</replaceable>s are specified, only those entries are
|
||
shown.</para></listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term><option>--update-catalog</option></term>
|
||
|
||
<listitem><para>Update the message catalog index. This command needs to be executed each time new
|
||
catalog files are installed, removed, or updated to rebuild the binary catalog
|
||
index.</para></listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term><option>--setup-keys</option></term>
|
||
|
||
<listitem><para>Instead of showing journal contents, generate a new key pair for Forward Secure
|
||
Sealing (FSS). This will generate a sealing key and a verification key. The sealing key is stored in
|
||
the journal data directory and shall remain on the host. The verification key should be stored
|
||
externally. Refer to the <option>Seal=</option> option in
|
||
<citerefentry><refentrytitle>journald.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry> for
|
||
information on Forward Secure Sealing and for a link to a refereed scholarly paper detailing the
|
||
cryptographic theory it is based on.</para></listitem>
|
||
</varlistentry>
|
||
|
||
<xi:include href="standard-options.xml" xpointer="help" />
|
||
<xi:include href="standard-options.xml" xpointer="version" />
|
||
</variablelist>
|
||
</refsect1>
|
||
|
||
<refsect1>
|
||
<title>Exit status</title>
|
||
|
||
<para>On success, 0 is returned; otherwise, a non-zero failure code is returned.</para>
|
||
</refsect1>
|
||
|
||
<xi:include href="common-variables.xml" />
|
||
|
||
<refsect1>
|
||
<title>Examples</title>
|
||
|
||
<para>Without arguments, all collected logs are shown unfiltered:</para>
|
||
|
||
<programlisting>journalctl</programlisting>
|
||
|
||
<para>With one match specified, all entries with a field matching the expression are shown:</para>
|
||
|
||
<programlisting>journalctl _SYSTEMD_UNIT=avahi-daemon.service
|
||
journalctl _SYSTEMD_CGROUP=/user.slice/user-42.slice/session-c1.scope</programlisting>
|
||
|
||
<para>If two different fields are matched, only entries matching both expressions at the same time are
|
||
shown:</para>
|
||
|
||
<programlisting>journalctl _SYSTEMD_UNIT=avahi-daemon.service _PID=28097</programlisting>
|
||
|
||
<para>If two matches refer to the same field, all entries matching either expression are shown:</para>
|
||
|
||
<programlisting>journalctl _SYSTEMD_UNIT=avahi-daemon.service _SYSTEMD_UNIT=dbus.service</programlisting>
|
||
|
||
<para>If the separator <literal>+</literal> is used, two expressions may be combined in a logical OR. The
|
||
following will show all messages from the Avahi service process with the PID 28097 plus all messages from
|
||
the D-Bus service (from any of its processes):</para>
|
||
|
||
<programlisting>journalctl _SYSTEMD_UNIT=avahi-daemon.service _PID=28097 + _SYSTEMD_UNIT=dbus.service</programlisting>
|
||
|
||
<para>To show all fields emitted <emphasis>by</emphasis> a unit and <emphasis>about</emphasis> the unit,
|
||
option <option>-u</option>/<option>--unit=</option> should be used. <command>journalctl -u
|
||
<replaceable>name</replaceable></command> expands to a complex filter similar to
|
||
|
||
<programlisting>_SYSTEMD_UNIT=<replaceable>name</replaceable>.service
|
||
+ UNIT=<replaceable>name</replaceable>.service _PID=1
|
||
+ OBJECT_SYSTEMD_UNIT=<replaceable>name</replaceable>.service _UID=0
|
||
+ COREDUMP_UNIT=<replaceable>name</replaceable>.service _UID=0 MESSAGE_ID=fc2e22bc6ee647b6b90729ab34a250b1</programlisting>
|
||
|
||
(see
|
||
<citerefentry><refentrytitle>systemd.journal-fields</refentrytitle><manvolnum>7</manvolnum></citerefentry>
|
||
for an explanation of those patterns).</para>
|
||
|
||
<para>Show all logs generated by the D-Bus executable:</para>
|
||
|
||
<programlisting>journalctl /usr/bin/dbus-daemon</programlisting>
|
||
|
||
<para>Show all kernel logs from previous boot:</para>
|
||
|
||
<programlisting>journalctl -k -b -1</programlisting>
|
||
|
||
<para>Show a live log display from a system service <filename>apache.service</filename>:</para>
|
||
|
||
<programlisting>journalctl -f -u apache</programlisting>
|
||
</refsect1>
|
||
|
||
<refsect1>
|
||
<title>See Also</title>
|
||
<para>
|
||
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
|
||
<citerefentry><refentrytitle>systemd-journald.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
|
||
<citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
|
||
<citerefentry><refentrytitle>coredumpctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
|
||
<citerefentry><refentrytitle>systemd.journal-fields</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
|
||
<citerefentry><refentrytitle>journald.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
|
||
<citerefentry><refentrytitle>systemd.time</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
|
||
<citerefentry><refentrytitle>systemd-journal-remote.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
|
||
<citerefentry><refentrytitle>systemd-journal-upload.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
|
||
</para>
|
||
</refsect1>
|
||
</refentry>
|