Checking logs using journalctl

Last updated: 10 May 2021

Systems that use systemd write log entries for the kernel and various services to a journal. These log entries are stored in a binary format and can be inspected via the journalctl utility. This article looks at the utility. We also got an article about logging on Linux, which covers how to configure systemd-journald.

journalctl doesn’t replace all log files. Some services, such as Apache, have their own logs. Also, rsyslog is still a thing on servers that run systemd. It works differently – rsyslog nowadays gets its log entries from systemd-journald. However, the end result is largely the same. You still got log files such as /var/log/messages and /var/log/secure.

Filtering options

As said, journal entries are stored in a binary format. Each entry has a large number of fields that can be displayed in several output formats. By default, log entries look much like entries you find in traditional syslog log files, such as /var/log/messages. Here is an example of a journalctl entry:

Sep 24 00:59:37 server.example.net sshd[17255]: Invalid user admin from 59.148.43.97 port 54128

And here is the same entry displayed in JSON format:

{
        "__CURSOR" : "s=a285c16fef31c7;i=b82;b=8d04cfd2dd066c;m=c5e8f;t=59341f0;x=11a8f0",
        "__REALTIME_TIMESTAMP" : "1569283177914864",
        "__MONOTONIC_TIMESTAMP" : "53113740943",
        "_BOOT_ID" : "8d04cfd2dd9744b888u8d3f9cb52066c",
        "PRIORITY" : "6",
        "_UID" : "0",
        "_GID" : "0",
        "_SYSTEMD_SLICE" : "system.slice",
        "_MACHINE_ID" : "21a223f3763983e62f89dc6a5b90c0d1",
        "_HOSTNAME" : "server.example.net",
        "_CAP_EFFECTIVE" : "1fffffffff",
        "_TRANSPORT" : "syslog",
        "SYSLOG_FACILITY" : "10",
        "SYSLOG_IDENTIFIER" : "sshd",
        "_COMM" : "sshd",
        "_EXE" : "/usr/sbin/sshd",
        "_SYSTEMD_CGROUP" : "/system.slice/sshd.service",
        "_SYSTEMD_UNIT" : "sshd.service",
        "_SELINUX_CONTEXT" : "system_u:system_r:sshd_t:s0-s0:c0.c1023",
        "_CMDLINE" : "sshd: unknown [priv]",
        "SYSLOG_PID" : "17255",
        "MESSAGE" : "Invalid user admin from 59.148.43.97 port 54128",
        "_PID" : "17255",
        "_SOURCE_REALTIME_TIMESTAMP" : "1569283177913968"
}

As you can see, the entry contains quite a few fields, including a boot ID (_BOOT_ID) and priority (PRIORITY). You can use these fields to filter the data, which is what we will look at now.

Filtering by time

The --since and --until options let you specify a timestamp in the format YYYY-MM-DD HH:MM:SS. You don’t have to include the time, and if you do include the time you may leave out the seconds (i.e. you can use HH:MM):

# journalctl --since="2019-09-26" --until="2019-09-26 11:00"

You can also use strings such as “yesterday”, “today” and “10m ago”:

# journalctl --since "10m ago"

Filtering by unit

The -u (--unit option is used to show entries related to a systemd unit. So, to return log entries for sshd you can use the following:

# journalctl -u sshd.service
-- Logs begin at Mon 2021-02-08 14:59:39 GMT, end at Mon 2021-03-29 22:20:00 BST. --
Feb 08 20:26:43 centos8 systemd[1]: Stopping OpenSSH server daemon...
Feb 08 20:26:46 centos8 sshd[1053]: Received signal 15; terminating.
Feb 08 20:26:49 centos8 systemd[1]: sshd.service: Succeeded.
Feb 08 20:26:49 centos8 systemd[1]: Stopped OpenSSH server daemon.
...

Alternatively, you can also use the -t (--identifier) option to filter by the SYSLOG_IDENTIFIER field. You can use this to retrieve entries that are not related to a systemd unit. For instance, you can filter out kernel messages or entries about the use of the su and sudo commands:

# journalctl -t su
-- Logs begin at Mon 2021-02-08 14:59:39 GMT, end at Mon 2021-03-29 22:30:16 BST. --
...
Mar 29 19:30:39 centos8 su[2339]: (to root) example on pts/0
Mar 29 19:30:39 centos8 su[2339]: pam_unix(su:session): session opened for user root by example(uid=1000)

Filtering by priority

The JSON output I showed includes a priority field. The priority number indicates the importance of the message. A priority of 0 means we got an emergency, while 7 is a humble debug message. In other words, the lower the number, the higher the priority:

  • 0: emerg
  • 1: alert
  • 2: crit
  • 3: err
  • 4: warning
  • 5: notice
  • 6: info
  • 7: debug

The -p option lets you filter messages by priority. If, say, you want to see all errors you can use either of these commands:

# journalctl -p 3
# journalctl -p err

Either command prints entries with a priority of 3 or lower (i.e. 3, 2, 1 and 0). You can also specify a range. For instance, to limit the output to levels 2 and 3 you can use journalctl -p 2..3.

Filtering by process

The output of journalctl includes the name of the service followed by the process ID (in square brackets). You can use the _PID option to get all entries for a specific process ID:

# journalctl _PID=17255
-- Logs begin at Mon 2021-02-08 14:59:39 GMT, end at Mon 2021-03-29 22:30:16 BST. --
Mar 24 00:59:37 server.example.net sshd[17255]: Invalid user admin from 59.148.43.97 port 54128
Mar 24 00:59:37 server.example.net sshd[17255]: input_userauth_request: invalid user admin [preauth]
Mar 24 00:59:39 server.example.net sshd[17255]: error: maximum authentication attempts exceeded for invalid user admin from 59.148.43.97 port 54128 ssh2 [preauth]
Mar 24 00:59:39 server.example.net sshd[17255]: Disconnecting: Too many authentication failures [preauth]

Tailing logs

You can monitor logs as entries are being written using the -f (--follow) option. This works exactly like tail -f. Of course, you can filter a specific unit at the same time. For example, here I’m following entries for Dovecot:

# journalctl -f -u dovecot.service

And now that I’ve mentioned tail I should also highlight the -n option. As you might have guessed, this option works exactly like tail -n – it displays the last x entries. For instance, to view the last three entries for the Dovecot service you can use:

# journalctl -u dovecot.service -n 3

Manipulating output

Although the filtering options covered so far are quite flexible they don’t necessarily return the data you want. For instance, when you are looking into SSH login attempts you might want to filter entries based on the IP address shown in the MESSAGE field. On Centos 7 and CloudLinux 7 servers you can do that by piping the output of journalctl to grep:

# journalctl -u sshd.service | grep 59.148.43.97
Mar 24 00:59:37 server.example.net sshd[17255]: Invalid user admin from 59.148.43.97 port 54128
Mar 24 00:59:39 server.example.net sshd[17255]: error: maximum authentication attempts exceeded for invalid user admin from 59.148.43.97 port 54128 ssh2 [preauth]

RHEL8-based systems ship with a version of journalctl that includes the -g (--grep) option, which lets you grep the message field. That means that you can instead use this command:

# journalctl -u sshd.service -g 59.148.43.97

More information

This article aimed to give a brief overview of journalctl. There are many topics I didn’t cover. If you want to learn more, the official documentation can be found at freedesktop.org.

Featured Blogs

How to Choose a Dedicated Server for UK Businesses

By catalyst2 Team

Dedicated servers offer numerous advantages for businesses, including optimal performance, speed, reliability, and enhanced security. However, choosing a dedicated server provider for a business can be a challenging task, especially if you’re unsure what factors to consider. Dedicated server requirements will differ based on your type of business type, whether you’re in e-commerce, gaming, media, …

Read Article

Comparing Dedicated Servers with VPS Hosting

By catalyst2 Team

Many businesses begin by managing their own websites or using shared hosting, but as their needs grow, they often require a more robust solution to enhance performance, security, and speed. Whether you run an e-commerce store, an online gaming platform, an IT consultancy, or a news website; increased traffic and business growth may lead you …

Read Article

Why Choose UK Dedicated Server Hosting for Your Business?

By catalyst2 Team

As companies scale their operations and seek to maintain a seamless online presence, many consider upgrading to a dedicated server. This option offers greater control, enhanced security, and improved performance; all crucial elements for growing businesses. Given these advantages, it’s no surprise that dedicated server hosting has become a popular choice.  Deciding if it’s worth …

Read Article

Managed Dedicated Server Hosting for eCommerce Businesses in the UK

By catalyst2 Team

As more UK shoppers increasingly turn to online platforms to make their purchases, having a good online platform as an eCommerce business is essential. As your eCommerce operation grows, you may encounter challenges such as higher traffic, slower loading times, and potential security issues, all of which can negatively impact the visitor experience on the …

Read Article

How Managed Dedicated Servers Can Elevate Your Online Security

By catalyst2 Team

Businesses today are confronted with an increasing array of online threats that can compromise sensitive data, disrupt operations, and harm reputation. As cyber threats continue to grow in both frequency and sophistication, the potential for online breaches can pose a significant risk to any business. Failing to implement robust security measures can lead to data …

Read Article

Managed vs Unmanaged Dedicated Servers; Which is Right for Your Business?

By catalyst2 Team

Many businesses rely on hosting providers for dedicated servers to ensure optimal performance, security, and control. Unlike shared hosting, where resources are divided among multiple users, a dedicated server offers exclusive access to all of the server’s resources. This makes it ideal for businesses that experience high traffic, require substantial resources, or operate in data-sensitive …

Read Article

Dedicated Server Basics; Everything You Need to Know

By catalyst2 Team

With businesses receiving more traffic on their websites than ever before, as more people engage online, the need for a dedicated server has become vital. While smaller businesses can often use shared hosting and virtual private servers, larger businesses with high traffic typically require more advanced and comprehensive hosting solutions; dedicated servers emerge as the …

Read Article

Tips for Creating a User-Friendly Website

By catalyst2 Team

When designing a website, prioritising user-friendliness is crucial for success, especially for businesses offering products or services. A user-friendly website is not just nice-to-have; it’s a necessity. It ensures that visitors can easily navigate your site, enjoy a visually appealing interface, experience fast loading times, and seamlessly interact with the content.  However, creating a user-friendly …

Read Article

Discussing the Importance of Server Scalability for Business Growth

By catalyst2 Team

For business growth, meeting the increasing demands of customers can be challenging. It’s essential to keep pace with these demands without compromising on performance. As a business expands, it typically encounters higher traffic volumes, larger data storage needs, and the requirement to support more complex applications which is where server scalability becomes crucial.  Server scalability …

Read Article

Effective Ways to Improve the Credibility of Your Website

By catalyst2 Team

Now, more than ever, the credibility of a business’s website is crucial for building trust with the target audience and achieving business goals. A credible website not only attracts visitors but also keeps them engaged, encourages conversions, and encourages long-term relationships. A strong online presence is essential for businesses to thrive and compete effectively. Investing …

Read Article

What our clients say

We really rate catalyst2. We get a great response from the team… really happy with the service.

Mike Fieldhouse, realityhouse