[id='using-the-command-line-to-view-log-files] = Using the command line to view log files The `journalctl` command can be used to view messages in the system journal on the command line. For plain text log files, generic tools may be used: * `cat`, `more`, `less`, `tail`, or `head`. * the `grep` command to search for specific information. * any text editor of your choosing (nano/pico/vim/emacs) Please note that you may require `sudo` access to view these files. [id='using-journalctl-to-view-system-information'] == Using journalctl to view system information * To view all collected journal entries, simply use: ---- $ journalctl ---- * To view a logs related to a specific file, you can provide the `journalctl` command with a filepath. The example shown below shows all logs of the kernel device node `/dev/sda`: ---- $ journalctl /dev/sda ---- * To view log for the current boot use the `-b` option : ---- $ journalctl -b ---- * To view kernel logs for the current boot, you can add the `-k` option: ---- $ journalctl -k -b -1 ---- [id='using-journalctl-to-view-log-information-for-a-specific-service'] == Using journalctl to view log information for a specific service * To filter logs to only see ones matching the "foo" systemd service: ---- $ journalctl -b _SYSTEMD_UNIT=foo ---- * Matches can be combined. For example, to view logs for systemd-units that match `foo`, and the PID `number`: ---- $ journalctl -b _SYSTEMD_UNIT=foo _PID=number ---- * If the separator "+" is used, two expressions may be combined in a logical OR. For example, to view all messages from the `foo` service process with the `PID` plus all messages from the `foo1` service (from any of its processes): ---- $ journalctl -b _SYSTEMD_UNIT=foo _PID=number + _SYSTEMD_UNIT=foo1 ---- * If two matches refer to the same field, all entries matching either expression are shown. For example, this command will show logs matching a systemd-unit `foo` or a systemd-unit `foo1`: ---- $ journalctl -b _SYSTEMD_UNIT=foo _SYSTEMD_UNIT=foo1 ---- NOTE: The files for service modification are stored in a directory within `*/etc/systemd/system*`, to know more about systemd, please refer to <> [id='Using-journalctl-to-view-older-logs'] == Using journalctl to view older logs * To view older logs use the `--list-boots` option : This will show a tabular list of boot numbers, their IDs, and the timestamps of the first and last message pertaining to the boot: ---- $ journalctl --list-boots -8 42cdeac65d494e938b9cb92f315b08a4 Mon 2018-11-12 10:36:42 CET—Mon 2018-11-12 20:08:24 CET -7 c110d2b8705345b786fe310de628bfc7 Tue 2018-11-13 10:29:27 CET—Tue 2018-11-13 10:04:00 CET ---- with this ID you can use `journalctl` as usual : ---- $ journalctl --boot=ID _SYSTEMD_UNIT=foo ---- * To know more about `journalctl`, read the man page: ---- $ man journalctl ----