journalctl Sysadmin Cheat Sheet
A comprehensive reference for system log management in systemd-based Linux systems
1. Basic Log Inspection
| Command | Description |
|---|---|
| journalctl | View full system logs (press q to exit) |
| journalctl -n 50 | Show last 50 log entries |
| journalctl -f | Follow logs in real-time (Ctrl+C to stop) |
| journalctl -e | Jump to end of logs (most recent entries) |
2. Boot-Specific Logs
| Command | Description |
|---|---|
| journalctl -b | Current boot logs |
| journalctl -b -1 | Previous boot logs |
| journalctl -b -2 | Two boots ago |
| journalctl --list-boots | List all recorded boot sessions |
3. Service-Specific Logs
| Command | Example | Description |
|---|---|---|
| journalctl -u [service] | -u nginx | Show logs for specific service |
| journalctl -fu [service] | -fu sshd | Follow service logs in real-time |
| journalctl _SYSTEMD_UNIT= | _SYSTEMD_UNIT=crond.service | Alternate service filtering syntax (exact field match, so the full unit name is required) |
4. Priority Level Filters
| Level | Name | Description | Example Usage |
|---|---|---|---|
| 0 | emerg | System is unusable | journalctl -p emerg -b |
| 3 | err | Error conditions | journalctl -p err --since today |
| 4 | warning | Warning messages | journalctl -p 3..4 (error+warn) |
5. Time-Based Filtering
| Command Format | Example |
|---|---|
| --since "YYYY-MM-DD" | --since "2023-10-01" |
| --since "HH:MM:SS" | --since "09:30:00" |
| --since "1 hour ago" | --since "yesterday 14:00" |
| --until "tomorrow" | --until "2023-10-05 18:00:00" |
6. Advanced Filtering
| Command | Description |
|---|---|
| journalctl _UID=1000 | Filter by user ID |
| journalctl _PID=1234 | Filter by process ID |
| journalctl _COMM=sshd | Filter by process name |
| journalctl -k | Kernel logs (equivalent to dmesg) |
7. Output Formatting
| Command | Description |
|---|---|
| --output=json | JSON format for parsing |
| --output=json-pretty | Human-readable JSON |
| --output=short | Compact format |
| --output=verbose | Full details including metadata |
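
An added example, not part of the original cheat sheet: a small Python filter that reads `--output=json` journal entries (one JSON object per line) and counts failed sshd password attempts per source address and user. The message pattern and the sample entries are assumptions constructed for illustration; real sshd wording can differ by version and configuration.

```python
import json
import re
import sys
from collections import Counter

# Assumed sshd wording for a rejected password (valid or "invalid user" attempts).
FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")

def message_text(entry):
    """Return MESSAGE as str. journald's JSON output encodes non-UTF-8
    payloads as an array of byte values and oversized fields as null."""
    msg = entry.get("MESSAGE")
    if isinstance(msg, list) and all(isinstance(b, int) for b in msg):
        return bytes(msg).decode("utf-8", errors="replace")
    return msg if isinstance(msg, str) else ""

def failed_logins(lines):
    """Count failed password attempts per (source, user) from journal JSON lines."""
    counts = Counter()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines
        # Trust the journal's _COMM field, not the message text; the prefix
        # test covers both "sshd" and "sshd-session".
        if not str(entry.get("_COMM", "")).startswith("sshd"):
            continue
        m = FAILED.search(message_text(entry))
        if m:
            counts[(m.group(2), m.group(1))] += 1
    return counts

# Constructed sample entries (documentation address ranges), used without a pipe.
SAMPLE = [
    json.dumps({"_COMM": "sshd", "MESSAGE": "Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2"}),
    json.dumps({"_COMM": "sshd", "MESSAGE": list(b"Failed password for root from 203.0.113.7 port 50140 ssh2")}),
    json.dumps({"_COMM": "sshd", "MESSAGE": "Accepted publickey for deploy from 198.51.100.20 port 40022 ssh2"}),
    json.dumps({"_COMM": "cron", "MESSAGE": "Failed password for root from 192.0.2.1 port 1 ssh2"}),
]

if __name__ == "__main__":
    source = SAMPLE if sys.stdin.isatty() else sys.stdin
    for (ip, user), n in failed_logins(source).most_common():
        print(f"{n:5d}  {ip:<15}  {user}")
```

To run it on live data, pipe the journal in, for example `journalctl -u sshd --since today --output=json | python3 ssh_failures.py` (the script name is hypothetical).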
8. Log Maintenance
| Command | Description |
|---|---|
| sudo journalctl --vacuum-size=1G | Limit logs to 1GB (removes oldest) |
| sudo journalctl --vacuum-time=2weeks | Keep only last 2 weeks of logs |
| journalctl --disk-usage | Show current log storage usage |
Practical Examples
1. Diagnosing SSH Issues
```bash
journalctl -fu sshd
```
2. Checking Today's Errors
```bash
journalctl -p err --since today
```
3. Comparing Boot Logs
```bash
journalctl -b -1 | grep "fail" > prev_boot_errors.txt
journalctl -b | grep "fail" > current_boot_errors.txt
diff prev_boot_errors.txt current_boot_errors.txt
```
4. Persistent Logging Setup
```bash
sudo mkdir -p /var/log/journal
sudo systemctl restart systemd-journald
```
Best Practices
- Combine with standard tools:
  ```bash
  journalctl -u apache --since yesterday | grep -i timeout | less
  ```
- For long-term analysis, export to files:
  ```bash
  journalctl --since "2023-01-01" --until "2023-06-30" > first_half_2023.log
  ```
- Monitor log growth regularly:
  ```bash
  journalctl --disk-usage
  ```