### `journalctl` Sysadmin Cheat Sheet

*A comprehensive reference for system log management in systemd-based Linux systems*

---

#### **1. Basic Log Inspection**

| Command            | Description                                  |
|--------------------|----------------------------------------------|
| `journalctl`       | View full system logs (press `q` to exit)    |
| `journalctl -n 50` | Show last 50 log entries                     |
| `journalctl -f`    | Follow logs in real-time (`Ctrl+C` to stop)  |
| `journalctl -e`    | Jump to end of logs (most recent entries)    |

---

#### **2. Boot-Specific Logs**

| Command                   | Description                     |
|---------------------------|---------------------------------|
| `journalctl -b`           | Current boot logs               |
| `journalctl -b -1`        | Previous boot logs              |
| `journalctl -b -2`        | Two boots ago                   |
| `journalctl --list-boots` | List all recorded boot sessions |

---

#### **3. Service-Specific Logs**

| Command                            | Example                        | Description                                                      |
|------------------------------------|--------------------------------|------------------------------------------------------------------|
| `journalctl -u [service]`          | `-u nginx`                     | Show logs for specific service                                   |
| `journalctl -fu [service]`         | `-fu sshd`                     | Follow service logs in real-time                                 |
| `journalctl _SYSTEMD_UNIT=[unit]`  | `_SYSTEMD_UNIT=crond.service`  | Alternate service filtering syntax (matches the full unit name)  |

---

#### **4. Priority Level Filters**

| Level | Name    | Description        | Example Usage                      |
|-------|---------|--------------------|------------------------------------|
| 0     | emerg   | System is unusable | `journalctl -p emerg -b`           |
| 3     | err     | Error conditions   | `journalctl -p err --since today`  |
| 4     | warning | Warning messages   | `journalctl -p 3..4` (error+warn)  |

---

#### **5. Time-Based Filtering**

| Command Format          | Example                         |
|-------------------------|---------------------------------|
| `--since "YYYY-MM-DD"`  | `--since "2023-10-01"`          |
| `--since "HH:MM:SS"`    | `--since "09:30:00"`            |
| `--since "1 hour ago"`  | `--since "yesterday 14:00"`     |
| `--until "tomorrow"`    | `--until "2023-10-05 18:00:00"` |

---

#### **6. Advanced Filtering**

| Command                 | Description                         |
|-------------------------|-------------------------------------|
| `journalctl _UID=1000`  | Filter by user ID                   |
| `journalctl _PID=1234`  | Filter by process ID                |
| `journalctl _COMM=sshd` | Filter by process name              |
| `journalctl -k`         | Kernel logs (equivalent to `dmesg`) |

---

#### **7. Output Formatting**

| Command                | Description                     |
|------------------------|---------------------------------|
| `--output=json`        | JSON format for parsing         |
| `--output=json-pretty` | Human-readable JSON             |
| `--output=short`       | Compact format                  |
| `--output=verbose`     | Full details including metadata |

---

#### **8. Log Maintenance**

| Command                                | Description                        |
|----------------------------------------|------------------------------------|
| `sudo journalctl --vacuum-size=1G`     | Limit logs to 1GB (removes oldest) |
| `sudo journalctl --vacuum-time=2weeks` | Keep only last 2 weeks of logs     |
| `journalctl --disk-usage`              | Show current log storage usage     |

---

### **Practical Examples**

**1. Diagnosing SSH Issues**

```bash
journalctl -fu sshd
```

**2. Checking Today's Errors**

```bash
journalctl -p err --since today
```

**3. Comparing Boot Logs**

```bash
journalctl -b -1 | grep "fail" > prev_boot_errors.txt
journalctl -b | grep "fail" > current_boot_errors.txt
diff prev_boot_errors.txt current_boot_errors.txt
```

**4. Persistent Logging Setup**

```bash
sudo mkdir -p /var/log/journal
sudo systemctl restart systemd-journald
```

---

### **Best Practices**

- Combine with standard tools:

  ```bash
  journalctl -u apache --since yesterday | grep -i timeout | less
  ```

- For long-term analysis, export to files:

  ```bash
  journalctl --since "2023-01-01" --until "2023-06-30" > first_half_2023.log
  ```

- Monitor log growth regularly:

  ```bash
  journalctl --disk-usage
  ```
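The `--output=json` row in section 7 says the format is meant for parsing; the following is an added example (not part of the original cheat sheet) that triages such output by priority and source while handling the format's edge cases: every value arrives as a string, `MESSAGE` can be a byte array or `null`, and a piped stream can end on a truncated line. The journal field names are real; the sample entries, function names and the "missing `PRIORITY` means info" default are assumptions made for the example.

```python
import json
from collections import Counter
from datetime import datetime, timezone

LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed sample in the shape of `journalctl --output=json` (one object per line).
SAMPLE = [
    '{"__REALTIME_TIMESTAMP":"1696150800000000","PRIORITY":"3",'
    '"_SYSTEMD_UNIT":"nginx.service","MESSAGE":"upstream timed out"}',
    '{"__REALTIME_TIMESTAMP":"1696150860000000","PRIORITY":"4",'
    '"_SYSTEMD_UNIT":"sshd.service","MESSAGE":[119,97,114,110,255]}',
    '{"__REALTIME_TIMESTAMP":"1696150920000000","PRIORITY":"3",'
    '"_COMM":"backup.sh","MESSAGE":null}',
    '{"__REALTIME_TIMESTAMP":"1696150980000000","PRIORITY":"6",'
    '"_SYSTEMD_UNIT":"crond.service","MESSAGE":"job started"}',
    '{"__REALTIME_TIMESTAMP":"16961',  # truncated line, as from a cut-off pipe
]

def decode_message(value):
    """MESSAGE is a string, a list of byte values (non-UTF-8), or null (oversized)."""
    if isinstance(value, str):
        return value
    if isinstance(value, list) and all(isinstance(b, int) for b in value):
        return bytes(value).decode("utf-8", errors="replace")
    if isinstance(value, list):  # same field logged more than once
        return " | ".join(map(str, value))
    return "<omitted>"

def parse_journal(lines, max_priority=4):
    """Yield (utc_time, level, source, message) for entries at max_priority or more severe."""
    for line in lines:
        try:
            entry = json.loads(line)
            prio = int(entry.get("PRIORITY", 6))  # assumption: no PRIORITY means info
            micros = int(entry["__REALTIME_TIMESTAMP"])  # all values arrive as strings
        except (ValueError, TypeError, KeyError, AttributeError):
            continue  # skip truncated or malformed lines
        if not 0 <= prio <= min(max_priority, 7):
            continue
        when = datetime.fromtimestamp(micros / 1_000_000, tz=timezone.utc)
        source = str(entry.get("_SYSTEMD_UNIT") or entry.get("_COMM") or "unknown")
        yield when, LEVELS[prio], source, decode_message(entry.get("MESSAGE"))

def summarize(lines, max_priority=4):
    """Count matching entries per (source, level)."""
    return Counter((src, lvl) for _, lvl, src, _ in parse_journal(lines, max_priority))

if __name__ == "__main__":
    for (src, lvl), n in summarize(SAMPLE).most_common():
        print(f"{n:4d}  {lvl:8s} {src}")
```

To run it on live data, pass the lines of `journalctl -p 3..4 -b --output=json` (for example from `sys.stdin`) in place of `SAMPLE`.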