Finding events with the journalctl command

In CentOS 7, the systemd-journal is stored in the /run/log/journal/ directory, as shown in the following screenshot:

When we execute the journalctl command as root without any options, then it shows the full system journal, from the oldest log entry to the latest as shown in the following command line:

# journalctl

The journalctl command uses color coding to highlight the severity of messages, as shown in the following table:

Priority                       Description of text highlighting used in logs
-----------------------------  ---------------------------------------------
Error, crit, alert or emerg    Text is red
Notice or warning              Text is bold
Info or debug                  Regular text

Different options are used with the journalctl command to limit the searches of the journal to the desired output:

  • journalctl -n: By default, the -n option makes journalctl display the last 10 log entries. We can also pass a number to specify how many entries to display, as shown in the following screenshot:

  • journalctl -p: We can filter the journal by the priority of the log entries using the -p option. We can specify either the name or the number of the priority level; journalctl then displays the entries of that priority or higher (more severe), as shown in the following screenshot:

  • journalctl -f: The -f option is similar to the -f option of the tail command; it displays the last 10 lines of the journal and keeps the output open, printing new entries as they are written to the journal, until you press Ctrl + C, as shown in the following screenshot:

Limiting journalctl output to a specific time: The journalctl command can be used with two more options, --since and --until, to specify a time range and display only the log messages from that period. The following journalctl query shows all logs recorded between 18:05:00 and 18:10:00:

# journalctl --since 18:05:00 --until 18:10:00

We can use the journalctl command to display today's journal entries only as shown in the following command line:

# journalctl --since today

We can also use the journalctl command to display extra fields attached to the log entries by enabling the verbose output on the journal as shown in the following command line:

# journalctl -o verbose

The following table lists some of the important journal fields that can be passed to journalctl to filter the query:

Field name      Description
--------------  ---------------------------------------------------------------
_COMM           Filters the journal based on the name of the command
_EXE            Filters the journal based on the path of the executable of the process
_PID            Filters the journal based on the PID of the process
_UID            Filters the journal based on the UID of the user running the process
_SYSTEMD_UNIT   Filters the journal based on the systemd unit that started the process

For example, the journal messages that originated from the systemd process with PID 1 can be listed using the following command:

# journalctl _PID=1

The journalctl command can also be used to list all the journal messages sent by the sshd service, as shown in the following command line:

# journalctl _SYSTEMD_UNIT=sshd.service
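The -p, --since/--until and FIELD=VALUE filters above, together with the -o verbose layout, can be reproduced offline on captured journal text. The following is an added example, not part of this chapter or of systemd: a small parser for the verbose format and a query function that applies the same filtering rules. The journal text is a constructed sample in the verbose layout, and the timestamps in since/until are assumed to be given as 'YYYY-MM-DD HH:MM:SS'.

```python
# Priority names accepted by `journalctl -p`, mapped to their syslog level numbers.
PRIORITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
              "notice": 5, "info": 6, "debug": 7}
# Constructed sample in the layout of `journalctl -o verbose` (not real journal output).
SAMPLE = """\
Mon 2023-03-06 18:04:59.000000 UTC [s=0;i=1;b=0;m=0;t=0;x=0]
    PRIORITY=6
    _PID=1
    _SYSTEMD_UNIT=init.scope
    MESSAGE=Started Session 1 of user root.

Mon 2023-03-06 18:05:30.000000 UTC [s=0;i=2;b=0;m=0;t=0;x=0]
    PRIORITY=4
    _PID=1200
    _SYSTEMD_UNIT=sshd.service
    MESSAGE=Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2

Mon 2023-03-06 18:07:10.000000 UTC [s=0;i=3;b=0;m=0;t=0;x=0]
    PRIORITY=6
    _PID=1200
    _SYSTEMD_UNIT=sshd.service
    MESSAGE=Accepted publickey for alice from 192.0.2.10 port 40022 ssh2
"""

def parse_verbose(text):
    """Return one dict per entry; '__REALTIME' holds 'YYYY-MM-DD HH:MM:SS' from the header."""
    entries, current = [], None
    for line in text.splitlines():
        if line.startswith(" "):           # indented FIELD=value line of the current entry
            key, _, value = line.strip().partition("=")
            current[key] = value
        elif line.strip():                 # unindented header line starts a new entry
            date, clock = line.split()[1], line.split()[2][:8]   # drop microseconds
            current = {"__REALTIME": f"{date} {clock}"}
            entries.append(current)
    return entries

def query(entries, priority=None, since=None, until=None, **fields):
    """Mimic `journalctl -p PRIO --since T --until T FIELD=VALUE ...` (T as 'YYYY-MM-DD HH:MM:SS')."""
    level = int(PRIORITIES.get(priority, priority)) if priority is not None else 7
    hits = []
    for e in entries:
        t = e["__REALTIME"]   # fixed-width ISO timestamps compare correctly as strings
        # -p keeps the given level plus everything more severe (numerically lower).
        if (int(e.get("PRIORITY", 7)) <= level
                and (not since or t >= since) and (not until or t <= until)
                and all(e.get(k) == v for k, v in fields.items())):
            hits.append(e)
    return hits
```

For example, query(parse_verbose(SAMPLE), priority="warning", _SYSTEMD_UNIT="sshd.service") returns only the failed-login entry, which is what `journalctl -p warning _SYSTEMD_UNIT=sshd.service` would show for the same journal.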

The journalctl command can also be used to view the journal log messages since last boot as shown in the following command line:

# journalctl -b