Diplaying Logs with journalctl [CentOS7]

To simply view the logs on your system, you can execute the following command:
journalctl
This will display the logs with the oldest entries first. Although this is simple, it is not very useful since we do not tend to read logs like a book.
By default journalctl displays the logs in a pager. It shows you one page of logs requiring you to hit the space bar to proceed.
Diplaying Logs by Date
More than likely you are looking for an event. One way to find something is the logs is to display the logs from a certain time. You can specify a single time and it will display all logs SINCE that time, or you can specify a time window.
To find all logs since December 25th 2016 at 07:00 PM you can run:
journalctl --since "2016-12-25 19:00:00"
To find all logs between December 25th 2015 and January 1st 2016:
journalctl --since "2016-12-25" --until "2017-1-1"
You can also use the more human friendly relative terms. For example, to see all logs since yesterday:
journalctl --since yesterday
You also have the option to mix the absolute and relative terms:
journalctl –since “2016-12-25” –until “2 hours ago”
Displaying Logs by Unit or Service
Another way to find the logs you need would be to filter the results by unit (or service). For example, if you want to see all the logs vsftpd (FTP software) produced you can specify that in the journalctl command like so:
journalctl -u vsftpd.service
You can mix in a time, or a time window to find logs from a specific service during a specific time.
To find all the vsftpd logs from December 5 2015 to January 8 2016 you can runt he following command:
journalctl -u vsftpd.service --since "2015-12-05 16:17:47" --until "2016-1-8 15:03:02"
You can also request logs from two different services at the same time. This comes in handy when trying to get information about how two services are interacting or debugging an issue.
To see all the logs from vsftpd and firewalld you can run this command:
journalctl -u vsftpd.service -u firewalld.service
You can also specify a time in absolute, relative or any combination.
journalctl -u vsftpd.service -u firewalld.service --since "2 days ago"
Displaying Logs by User or Group
Other things you can do is find logs generated by a specific user (UID) or group (GUID).
For example, let’s say I wanted to see all logs from the user “savona”. First I would find their UID like so:
[[email protected] ~]# id savona
uid=1000(savona) gid=1000(savona) groups=1000(savona)
Now that I know their UID is 1000, I can use the _UID filter in journalctl like so:
journalctl _UID=1000
And of course I can mix this with a time window:
journalctl _UID=1000 --since "2 days ago"
Displaying Logs by Process ID
You can also use _PID to search for process id, or _GUID for group id.
journalctl _PID=1221
Displaying Kernel Logs
Since all the logs are kept in one place, we can use the same tool (journalctl) to view just the kernel logs:
journalctl -k
The above command will show you all the kernel messages from the current boot. You can specify a different boot using the boot selection option like so:
journalctl -k -b 2
The above command will show you all the kernel messages from 2 boots ago.
Displaying Logs Since Last Boot
The boot selection option will work on it’s own as well. If you would like to see all the logs generated since the last boot up, simply give the -b option:
journalctl -b
Displaying Logs by Priority
You can also select to view logs by priority. The journal uses the same syslog message levels:
0: emerg
1: alert
2: critical
3: error
4: warning
5: notice
6: info
7: debug
To see all logs from priority 4 (warning) and higher:
journalctl -p 4
To see all the logs from priority 3 (error) and higher since last boot:
journalctl -p 3 -b
And of course you can use time windows if you like:
journalctl -p 3 --since "2 days ago"
Tailing or Following the Log
In my opinion on for the most useful commands for viewing logs, follow allows you to view the log as they are bring written. You may of used “tail -f” in the past. The journalctl utility has the same function.
journalctl -f
Also, similar to tail, you can view the last 10 entries by using the -n option like so:
journalctl -n
Or you can see the last 50 entries by specifying a number of the “-n” option:
journalctl -n 50
You can also see the last 50 entries, then begin to follow by mixing the commands like so:
journalctl -n 50 -f
Finding Size of Logs / Log Maintenance
To find how much disk space is being used by the journal simply ask:
journalctl --disk-usage
If you are concerned about disk space, you can trim (remove oldest) the logs.
You can do this by specifying the amount of disk space you want to keep or the time you would like to keep.
For example, if you want to delete all logs and keep just 5GB of data:
journalctl --vacuum-size=5GB
If you want to keep only logs from the last year:
journalctl --vacuum-time=1years
Now you should have a decent idea of how to find the logs you are looking for (I just said that in the voice of Obi-Wan).