journalctl — Query the systemd journal
journalctl  [OPTIONS...] [MATCHES...]
journalctl may be used to query the contents of the systemd(1) journal as written by systemd-journald.service(8).
If called without parameter it will show the full contents of the journal, starting with the oldest entry collected.
If one or more match arguments are passed the
                output is filtered accordingly. A match is in the
                format FIELD=VALUE,
                e.g. _SYSTEMD_UNIT=httpd.service,
                referring to the components of a structured journal
                entry. See
                systemd.journal-fields(7)
                for a list of well-known fields. If multiple matches
                are specified matching different fields the log
                entries are filtered by both, i.e. the resulting output
                will show only entries matching all the specified
                matches of this kind. If two matches apply to the same
                field, then they are automatically matched as
                alternatives, i.e. the resulting output will show
                entries matching any of the specified matches for the
                same field. Finally, if the character
                "+" appears as separate word on the
                command line all matches before and after are combined
                in a disjunction (i.e. logical OR).
As shortcuts for a few types of field/value
                matches file paths may be specified. If a file path
                refers to an executable file, this is equivalent to an
                _EXE= match for the canonicalized
                binary path. Similar, if a path refers to a device
                node, this is equivalent to a
                _KERNEL_DEVICE= match for the
                device.
Output is interleaved from all accessible journal files, whether they are rotated or currently being written, and regardless whether they belong to the system itself or are accessible user journals.
All users are granted access to their private
                per-user journals. However, by default only root and
                users who are members of the adm
                group get access to the system journal and the
                journals of other users.
The following options are understood:
-h, --help¶Prints a short help text and exits.
--version¶Prints a short version string and exits.
--no-pager¶Do not pipe output into a pager.
--full¶Show all (printable) fields in full.
-a, --all¶Show all fields in full, even if they include unprintable characters or are very long.
-f, --follow¶Show only the most recent journal entries, and continuously print new entries as they are appended to the journal.
-e, --pager-end¶Immediately jump to
                                the end of the journal inside the
                                implied pager tool. This implies
                                -n1000 to guarantee
                                that the pager won't buffer logs of
                                unbounded size. This may be overridden
                                with an explicit -n
                                with some other numeric value on the
                                command line. Note that this option is
                                only supported for the
                                less(1)
                                pager.
-n, --lines=¶Show the most recent
                                journal events and limit the number of
                                events shown. If
                                --follow is used,
                                this option is implied. The argument,
                                a positive integer, is optional, and
                                defaults to 10. 
--no-tail¶Show all stored output
                                lines, even in follow mode. Undoes the
                                effect of
                                --lines=.
-r, --reverse¶Reverse output, so the newest entries are displayed first.
-o, --output=¶Controls the
                                formatting of the journal entries that
                                are shown. Takes one of
                                short,
                                short-monotonic,
                                verbose,
                                export,
                                json,
                                json-pretty,
                                json-sse,
                                cat. short
                                is the default and generates an output
                                that is mostly identical to the
                                formatting of classic syslog log
                                files, showing one line per journal
                                entry. short-monotonic
                                is very similar but shows monotonic
                                timestamps instead of wallclock
                                timestamps. verbose
                                shows the full structured entry items
                                with all
                                fields. export
                                serializes the journal into a binary
                                (but mostly text-based) stream
                                suitable for backups and network
                                transfer (see Journal
                                Export Format for more
                                information). json
                                formats entries as JSON data
                                structures, one per
                                line (see Journal
                                JSON Format for more
                                information). json-pretty
                                also formats entries as JSON data
                                structures, but formats them in
                                multiple lines in order to make them
                                more readable for
                                humans. json-sse
                                also formats entries as JSON data
                                structures, but wraps them in a format
                                suitable for Server-Sent
                                Events. cat
                                generates a very terse output only
                                showing the actual message of each
                                journal entry with no meta data, not
                                even a timestamp.
-x, --catalog¶Augment log lines with explanation texts from the message catalog. This will add explanatory help texts to log messages in the output where this is available. These short help texts will explain the context of an error or log event, possible solutions, as well as pointers to support forums, developer documentation and any other relevant manuals. Note that help texts are not available for all messages, but only for selected ones. For more information on the message catalog please refer to the Message Catalog Developer Documentation.
-q, --quiet¶Suppresses any warning message regarding inaccessible system journals when run as normal user.
-m, --merge¶Show entries interleaved from all available journals, including remote ones.
-b, --this-boot¶Show data only from
                                current boot. This will add a match
                                for _BOOT_ID= for
                                the current boot ID of the
                                kernel.
-u, --unit=¶Show messages for the
                                specified systemd unit. This will add
                                a match for messages from the unit
                                (_SYSTEMD_UNIT=)
                                and additional matches for messages
                                from systemd and messages about
                                coredumps for the specified unit.
This parameter can be specified multiple times.
--user-unit=¶Show messages for the
                                specified user session unit. This will
                                add a match for messages from the unit
                                (_SYSTEMD_USER_UNIT=
                                and _UID=) and
                                additional matches for messages from
                                session systemd and messages about
                                coredumps for the specified unit.
This parameter can be specified multiple times.
-p, --priority=¶Filter output by
                                message priorities or priority
                                ranges. Takes either a single numeric
                                or textual log level (i.e. between
                                0/emerg and
                                7/debug), or a
                                range of numeric/text log levels in
                                the form FROM..TO. The log levels are
                                the usual syslog log levels as
                                documented in
                                syslog(3),
                                i.e. emerg (0),
                                alert (1),
                                crit (2),
                                err (3),
                                warning (4),
                                notice (5),
                                info (6),
                                debug (7). If a
                                single log level is specified all
                                messages with this log level or a
                                lower (hence more important) log level
                                are shown. If a range is specified all
                                messages within the range are shown,
                                including both the start and the end
                                value of the range. This will add
                                PRIORITY= matches
                                for the specified
                                priorities.
-c, --cursor=¶Start showing entries from the location in the journal specified by the passed cursor.
--since=, --until=¶Start showing entries
                                on or newer than the specified date,
                                or on or older than the specified
                                date, respectively. Date specifications should be of
                                the format "2012-10-30 18:17:16". If
                                the time part is omitted, 00:00:00 is
                                assumed. If only the seconds component
                                is omitted, :00 is assumed. If the
                                date component is omitted, the
                                current day is assumed. Alternatively
                                the strings
                                yesterday,
                                today,
                                tomorrow are
                                understood, which refer to 00:00:00 of
                                the day before the current day, the
                                current day, or the day after the
                                current day, respectively. now
                                refers to the current time. Finally,
                                relative times may be specified,
                                prefixed with - or
                                +, referring to
                                times before or after the current
                                time, respectively.
-F, --field=¶Print all possible data values the specified field can take in all entries of the journal.
-D, --directory=¶Takes a directory path as argument. If specified journalctl will operate on the specified journal directory instead of the default runtime and system journal paths.
--root=ROOT¶Takes a directory path
                                as argument. If specified journalctl
                                will operate on catalog file hierarchy
                                underneath the specified directory
                                instead of the root directory
                                (e.g. --update-catalog
                                will create
                                ROOT/var/lib/systemd/catalog/database
--new-id128¶Instead of showing journal contents generate a new 128 bit ID suitable for identifying messages. This is intended for usage by developers who need a new identifier for a new message they introduce and want to make recognizable. Will print the new ID in three different formats which can be copied into source code or similar.
--header¶Instead of showing journal contents show internal header information of the journal fields accessed.
--disk-usage¶Shows the current disk usage of all journal files.
--list-catalog
                                [ID128...]
                                ¶List the contents of the message catalog, as table of message IDs plus their short description strings.
If any
                                ID128s are
                                specified, only those entries are shown.
                                
--dump-catalog
                                [ID128...]
                                ¶Show the contents of
                                the message catalog, with entries
                                separated by a line consisting of two
                                dashes and the id (the format is the
                                same as .catalog
                                files.
If any
                                ID128s are
                                specified, only those entries are shown.
                                
--update-catalog¶Update the message catalog index. This command needs to be executed each time new catalog files are installed, removed or updated to rebuild the binary catalog index.
--setup-keys¶Instead of showing journal contents generate a new key pair for Forward Secure Sealing (FSS). This will generate a sealing key and a verification key. The sealing key is stored in the journal data directory and shall remain on the host. The verification key should be stored externally.
--interval=¶Specifies the change
                                interval for the sealing key, when
                                generating an FSS key pair with
                                --setup-keys. Shorter
                                intervals increase CPU consumption but
                                shorten the time range of
                                undetectable journal
                                alterations. Defaults to
                                15min.
--verify¶Check the journal file
                                for internal consistency. If the
                                file has been generated with FSS
                                enabled, and the FSS verification key
                                has been specified with
                                --verify-key=
                                authenticity of the journal file is
                                verified.
--verify-key=¶Specifies the FSS
                                verification key to use for the
                                --verify
                                operation.
$SYSTEMD_PAGER¶Pager to use when
                                --no-pager is not given;
                                overrides $PAGER.  Setting
                                this to an empty string or the value
                                cat is equivalent to passing
                                --no-pager.
Without arguments all collected logs are shown unfiltered:
journalctl
With one match specified all entries with a field matching the expression are shown:
journalctl _SYSTEMD_UNIT=avahi-daemon.service
If two different fields are matched only entries matching both expressions at the same time are shown:
journalctl _SYSTEMD_UNIT=avahi-daemon.service _PID=28097
If two matches refer to the same field all entries matching either expression are shown:
journalctl _SYSTEMD_UNIT=avahi-daemon.service _SYSTEMD_UNIT=dbus.service
If the separator "+" is used
                two expressions may be combined in a logical OR. The
                following will show all messages from the Avahi
                service process with the PID 28097 plus all messages
                from the D-Bus service (from any of its
                processes):
journalctl _SYSTEMD_UNIT=avahi-daemon.service _PID=28097 + _SYSTEMD_UNIT=dbus.service
Show all logs generated by the D-Bus executable:
journalctl /usr/bin/dbus-daemon
Show all logs of the kernel device node /dev/sda:
journalctl /dev/sda