journalctl Cheat Sheet

journalctl is a utility for querying and displaying messages from the journal, managed by systemd-journald, a system service that collects and stores logging data. Below is a basic cheat sheet for using journalctl:

Viewing Logs

View All Logs:

journalctl

View Logs from a Specific Unit (e.g., service, target, etc.):

journalctl -u [unit-name]

Time-Based Filtering

Show Logs Since a Specific Time:

journalctl --since "yyyy-mm-dd HH:MM:SS"

Show Logs Until a Specific Time:

journalctl --until "yyyy-mm-dd HH:MM:SS"

Show Logs for the Last N Minutes/Hours/Days:

journalctl --since "N minutes ago"

Real-time Monitoring

Follow the Journal Live:

journalctl -f

Output Formatting

Show Full Log Entries:

journalctl -x

Output in Short Form:

journalctl -n

Filtering by Priority

Show Only Messages with a Specific Priority:

journalctl -p [priority]

Priorities: 0 (emerg), 1 (alert), 2 (crit), 3 (err), 4 (warning), 5 (notice), 6 (info), 7 (debug).

Filtering by Boot or Unit

Show Logs from a Specific Boot:

journalctl -b [boot-number]

Filtering by Process ID (PID)

Show Logs from a Specific Process ID:

journalctl _PID=[process-id]

Filtering by Message Fields

Show Logs Matching a Specific Field (e.g., _SYSTEMD_UNIT, _COMM, etc.):

journalctl _SYSTEMD_UNIT=[unit-name]

Filtering by User Unit

Show Logs for a Specific User Service:

journalctl --user -u [user-unit-name]

Clear Journal Logs

Remove All Journal Logs:

sudo journalctl --rotate
sudo journalctl --vacuum-time=1s

Show Journal Size

Display Disk Usage of Journal:

journalctl --disk-usage

These are some common journalctl commands, and there are more options available for advanced filtering and customization. Refer to the journalctl man page (man journalctl) for comprehensive details and additional options.