journalctl: Real-time System Log Monitoring

journalctl is a powerful tool for querying and analyzing logs generated by the systemd journal. The `-f` option, in particular, is highly useful for diagnosing system issues or monitoring application behavior by tracking new log entries in real-time. It is similar to the traditional `tail -f` command but leverages the structured data of the systemd journal for more robust filtering and searching capabilities.

Overview

journalctl is a command to query logs from the journal, a centralized log management system in systemd-based systems. The `-f` option, short for 'follow', enables real-time monitoring by immediately displaying new log entries as they are written to the journal. This is an essential feature in various scenarios such as server administration, application debugging, and system event tracking.

Key Features

  • Real-time log tracking (-f)
  • Filtering by systemd service
  • Filtering by log level
  • Time-based log querying
  • Utilizes structured log data

Key Options

journalctl offers various options to finely control log querying. Understanding options used with `-f` is particularly beneficial for efficient log analysis.

Usage Examples

Demonstrates various ways to monitor logs in real-time using journalctl -f.

Real-time Tracking of All System Logs

journalctl -f

Monitors all system logs in real-time.

Real-time Tracking of Specific Service Logs

journalctl -f -u nginx.service

Tracks logs only for the `nginx.service` unit in real-time.

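Real-time Tracking of Error-Level and More Severe Logs

journalctl -f -p err

Monitors only logs with 'err' priority or more severe (err, crit, alert, emerg) in real-time. Warnings are not included; use `-p warning` to see them as well.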

Simultaneous Tracking of Multiple Service Logs

journalctl -f -u sshd.service -u cron.service

Tracks logs from multiple services simultaneously in real-time.

Tracking Logs Since a Specific Time

journalctl -f --since "1 hour ago"

Displays logs from the last hour and continues to track in real-time.

Tips & Precautions

Useful tips and precautions when using journalctl -f.

Useful Tips

  • Stop log tracking: Press `Ctrl+C` to stop real-time log tracking.
  • Additional filtering: You can further filter the output using `grep` with a pipe (|). Example: `journalctl -f | grep "error"`
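  • Cursor movement: When output is shown in the pager (without `-f`), use `PageUp`/`PageDown` keys to scroll, and the `End` key to jump to the latest logs. In follow mode the pager is not used, so scroll with the terminal's own scrollback.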
  • Log coloring: `journalctl` typically colors logs differently based on their level, improving readability.
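
The `grep` tip above matches raw text only; the journal's structured output supports more precise monitoring. As an added example (not part of the original page), this Python script reads `journalctl -f -o json` output and raises one alert when a single source address accumulates failed SSH logins inside a sliding window. The 60-second window, the threshold of 5, the function names and the sample entries are assumptions made for the illustration.

```python
import json
import re
import sys
from collections import defaultdict, deque

# sshd's failure message; the source address is captured for per-source counting.
FAILED = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+")
WINDOW_US = 60 * 1_000_000  # assumed window: 60 s, in journal microseconds
THRESHOLD = 5               # assumed limit: failures per source inside the window

def message_text(entry):
    """MESSAGE as text; journald's JSON output encodes non-UTF-8 payloads as a byte array."""
    msg = entry.get("MESSAGE", "")
    return bytes(msg).decode("utf-8", "replace") if isinstance(msg, list) else str(msg)

def watch(lines, window_us=WINDOW_US, threshold=THRESHOLD):
    """Yield (source, count, ts_us) each time one source reaches the threshold."""
    recent = defaultdict(deque)  # source address -> timestamps of its recent failures
    for line in lines:
        try:
            entry = json.loads(line)
            ts = int(entry["__REALTIME_TIMESTAMP"])
            match = FAILED.search(message_text(entry))
        except (ValueError, KeyError, TypeError):
            continue  # blank, truncated or non-object line: skip it, keep following
        if not match:
            continue
        hits = recent[match.group(1)]
        hits.append(ts)
        while ts - hits[0] > window_us:
            hits.popleft()  # expire failures that fell out of the window
        if len(hits) >= threshold:
            yield match.group(1), len(hits), ts
            hits.clear()  # re-arm so one burst raises one alert

def sample_lines():
    """Constructed entries in `-o json` shape (documentation addresses, made-up times)."""
    def entry(sec, msg):
        return json.dumps({"__REALTIME_TIMESTAMP": str(1_700_000_000_000_000 + sec * 1_000_000),
                           "_SYSTEMD_UNIT": "sshd.service", "PRIORITY": "6", "MESSAGE": msg})
    burst = [entry(s, f"Failed password for invalid user admin from 203.0.113.5 port {40000 + s} ssh2")
             for s in range(5)]
    slow = [entry(s * 90, "Failed password for root from 198.51.100.7 port 50022 ssh2") for s in range(5)]
    raw = entry(3, list(b"Failed password for bob from 192.0.2.9 port 22 ssh2"))
    return burst + slow + [raw, "", "{truncated"]

if __name__ == "__main__":
    # Live use: journalctl -f -u sshd.service -o json | python3 this_script.py
    for src, n, ts in watch(sample_lines() if sys.stdin.isatty() else sys.stdin):
        print(f"ALERT {src}: {n} failed logins within the window (journal ts {ts})", flush=True)
```

Run without a pipe, it processes the constructed sample; only the five-failure burst from 203.0.113.5 crosses the threshold, because the slower attempts from the other address expire out of the window.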

Precautions

While `journalctl -f` does not consume significant system resources, in environments with a very high volume of rapidly generated logs, terminal output can become overwhelming. It is advisable to use filters like `-u` or `-p` to reduce the load when necessary.
