Evaluate systemd logs using Journalctl
Status and verification
Your operating system contains a Journal for each user as well as one for the system itself. If a user belongs to the group systemd-journal, they can access the journal and view all the data without running as root. Before you dive in and view all the data available, you may want to master a few basic but important commands.
View the current status of the Journal daemon using systemctl (Listing 1). Use journalctl --disk-usage to check the current journal size and journalctl --verify to test the integrity of your data (Listing 2).
Listing 1
Viewing the Current Status of the Journal Daemon
$ systemctl status systemd-journald
systemd-journald.service - Journal Service
   Loaded: loaded (/lib/systemd/system/systemd-journald.service; static; vendor preset: enabled)
   Active: active (running) since Fr 2017-03-10 14:33:37 CET; 4h 21min ago
     Docs: man:systemd-journald.service(8)
           man:journald.conf(5)
 Main PID: 10376 (systemd-journal)
   Status: "Processing requests..."
   CGroup: /system.slice/systemd-journald.service
           10376 /lib/systemd/systemd-journald
Mar 10 14:33:37 rpg-pi3b-01 systemd-journald[10376]: Runtime journal (/run/log/journal/) is 4.7M, max 38.3M, 33.5M free.
Mar 10 14:33:37 rpg-pi3b-01 systemd-journald[10376]: Journal started
Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.
Listing 2
Checking the Size and Integrity of Journal Data
$ sudo journalctl --disk-usage
Archived and active journals take up 4.7M on disk.
$ sudo journalctl --verify
PASS: /run/log/journal/747bced4498d729c8a19f23400000006/system.journal
To see whether your log is recording the correct time, run timedatectl status. This command lets you check that your time zone corresponds to your location (Listing 3). The top line should show the current time. If you're running the computer in a new time zone, use timedatectl set-timezone <zone> to adjust.
Listing 3
Checking Local Time
$ timedatectl status
      Local time: Tue 2017-05-16 18:42:42 IST
  Universal time: Tue 2017-05-16 17:42:42 UTC
        RTC time: Tue 2017-05-16 17:42:42
       Time zone: Europe/Dublin (IST, +0100)
 Network time on: yes
NTP synchronized: yes
 RTC in local TZ: no
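The integrity check from Listing 2 and the clock check from Listing 3 can be combined into one pre-flight test to run before relying on journal data. This is an added example, not code from the original article; the function names, the FAIL line, and the sample variables are assumptions constructed for illustration.

```shell
#!/bin/sh
# Pre-flight check before trusting journal data: file integrity and clock state.
# Both checks read command output on stdin, so they also work on captured text.

# Succeeds only if at least one journal file passed and none failed.
# Assumes the "FAIL: <file> (<reason>)" form journalctl prints beside "PASS:".
verify_ok() {
    awk '/^PASS: / { pass++ }
         /^FAIL: / { fail++; print "integrity failure: " $2 }
         END { exit !(pass > 0 && fail == 0) }'
}

# Succeeds only if the clock is synchronized and the RTC is kept in UTC.
# Newer systemd prints "System clock synchronized" instead of "NTP synchronized".
clock_ok() {
    awk '/(NTP|System clock) synchronized:/ { sync = $NF }
         /RTC in local TZ:/                 { rtc = $NF }
         END {
             if (sync != "yes") print "clock is not synchronized"
             if (rtc != "no")   print "RTC is not kept in UTC"
             exit !(sync == "yes" && rtc == "no")
         }'
}

# Live wrapper (hypothetical name). 2>&1 captures the verify results
# whichever output stream carries them.
journal_preflight() {
    journalctl --verify 2>&1 | verify_ok || return 1
    timedatectl status | clock_ok
}

# Constructed sample input: lines from Listing 2 and Listing 3, plus a made-up FAIL line.
SAMPLE_VERIFY='PASS: /run/log/journal/747bced4498d729c8a19f23400000006/system.journal'
SAMPLE_FAIL='FAIL: /var/log/journal/EXAMPLE/user-1000.journal (Bad message)'
SAMPLE_CLOCK='       Time zone: Europe/Dublin (IST, +0100)
NTP synchronized: yes
 RTC in local TZ: no'

printf '%s\n' "$SAMPLE_VERIFY" | verify_ok && echo "journal integrity: ok"
printf '%s\n' "$SAMPLE_CLOCK" | clock_ok && echo "clock: ok"
printf '%s\n%s\n' "$SAMPLE_VERIFY" "$SAMPLE_FAIL" | verify_ok || echo "do not rely on this journal"
```

On a live system, call journal_preflight instead of piping the samples; an empty result from journalctl counts as a failure because no file passed.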
In theory, you can display any data from the journal using the journalctl command. By default the terminal pager program less is used to display data. It allows you to scroll back and forth through the log. Most importantly, you can use it from your regular user account without root privileges. When you've finished examining the binary files, return to the command prompt by pressing Q.
The whole story
You can display the complete Journal output by running the command journalctl without any additional options. This will show all saved logs subject to any file size limitations and the time since your last reboot.
Each time you restart the computer, the program will insert the line -- Reboot -- to break up the information. This not only makes the logs easier on the eye, but is also useful for determining how long an error has been occurring. Use journalctl -p err to limit the output if necessary. This option will display only ERROR log levels from the Journal.
Normally you'll want to focus on issues occurring at a certain time or filter the results. For instance, you can use journalctl -b to show all logs since the last boot. If you're interested in log files from the last boot but one, run journalctl -b -1. Use journalctl --list-boots to display all boot events saved in the Journal (Listing 4). Use the value from the first column of the output to display information on a specific boot, e.g. journalctl -b -0.
Listing 4
Displaying All Boot Events Saved in the Journal
$ sudo journalctl --list-boots
0 9e814cbee30a47ea85a58a5674829a95 Mi 2017-02-08 14:09:34 CET-Fr 2017-03-10 19:03:25 CET