How to use the journalctl command on RHEL 7 / 8


Introduction

From RHEL 7 onward, the system uses two logging methods for system logs: systemd-journald, which is configured to keep logs only in memory, and rsyslog, which receives the messages sent by systemd-journald and stores the data on disk. To view the systemd messages, run journalctl, which can be used with additional parameters. It is very useful for troubleshooting.

In this post we take a quick look at how to use the journalctl command.

Check the journal logs

By default, from RHEL 7 the system journal is stored in /run/log/journal, which is on tmpfs, so the information stored in /run/log/journal is lost after a reboot. We can create and enable the directory /var/log/journal to store the journal permanently.

Create the directory in /var/log/journal

Create the directory. In this post we create it at /var/log/journal.

[root@rhel8a ~]# mkdir /var/log/journal
[root@rhel8a ~]# ls -ld /var/log/journal/
drwxr-xr-x 2 root root 6 Jun 13 04:50 /var/log/journal/

Change the ownership and permission for the journal folder

Set the group ownership and permissions for the /var/log/journal folder.

[root@rhel8a ~]# chown root:systemd-journal /var/log/journal
[root@rhel8a ~]# chmod 2755 /var/log/journal
[root@rhel8a ~]# ls -ld /var/log/journal/
drwxr-sr-x 2 root systemd-journal 6 Jun 13 04:50 /var/log/journal/
[root@rhel8a ~]# 

Enable the journal service

Enable the journal logs to be written to the new location.

[root@rhel8a ~]# killall -USR1 systemd-journald
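
The steps above can be verified with a small audit script. This is an added example, not part of the original post: the function names check_journal_dir and journal_file_count are hypothetical, and it assumes GNU stat from coreutils, as shipped on RHEL.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes GNU stat (coreutils).
# check_journal_dir DIR [GROUP]: prints findings and returns 0 only when DIR
# is a real directory, has the setgid bit, belongs to GROUP and is not
# world-writable. GROUP defaults to systemd-journal, as set in the steps above.
check_journal_dir() {
    dir=$1
    want_group=${2:-systemd-journal}
    rc=0

    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "FAIL: $dir is missing or not a real directory (journal stays on tmpfs)"
        return 1
    fi

    mode=$(stat -c '%a' "$dir")     # octal mode, e.g. 2755
    group=$(stat -c '%G' "$dir")    # group name, e.g. systemd-journal

    if [ "$group" != "$want_group" ]; then
        echo "FAIL: group is $group, expected $want_group"; rc=1
    fi
    if [ ! -g "$dir" ]; then
        echo "FAIL: setgid bit not set, new journal files will not inherit the group"; rc=1
    fi
    # The last octal digit holds the permissions for "other"; 2, 3, 6 and 7 include write.
    case ${mode#"${mode%?}"} in
        2|3|6|7) echo "FAIL: world-writable (mode $mode)"; rc=1 ;;
    esac
    if [ "$mode" != "2755" ]; then
        echo "WARN: mode is $mode, the steps above set 2755"
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: $dir (mode $mode, group $group)"
    fi
    return "$rc"
}

# journal_file_count DIR: number of *.journal files below DIR. A count of 0
# after the SIGUSR1 step means nothing has been written to DIR yet.
journal_file_count() {
    find "$1" -type f -name '*.journal' 2>/dev/null | wc -l | tr -d ' '
}

# Usage on the host from this post (run as root):
#   check_journal_dir /var/log/journal && journal_file_count /var/log/journal
```
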

Example commands for journalctl

[root@rhel8a ~]# journalctl --list-boots
 0 7755382ff313429e9bcb58779f7bef71 Sun 2021-06-13 04:07:55 EDT—Sun 2021-06-13 04:55:36 EDT

The above command will display system boot information

[root@rhel8a ~]# journalctl -ef

The above command shows the end of the journal and keeps following new entries as they arrive.

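[root@rhel8a ~]# journalctl _SYSTEMD_UNIT=sshd.service
-- Logs begin at Sun 2021-06-13 04:07:55 EDT, end at Sun 2021-06-13 05:01:01 EDT. --
-- No entries --

The above displays all messages generated by the sshd service. The field name is _SYSTEMD_UNIT; a misspelled field name does not produce an error, it simply matches nothing and returns "-- No entries --".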

To show logs from a specified unit, execute the command below.

[root@rhel8a ~]# journalctl -u httpd.service
-- Logs begin at Sun 2021-06-13 04:07:55 EDT, end at Sun 2021-06-13 05:01:01 EDT. --
-- No entries --

Show logs from the current boot only

[root@rhel8a ~]# journalctl -b 
-- Logs begin at Sun 2021-06-13 04:07:55 EDT, end at Sun 2021-06-13 05:01:01 EDT. --
Jun 13 04:07:55 rhel8a kernel: Linux version 4.18.0-240.10.1.el8_3.x86_64 (mockbuild@x86-vm-08.build.eng.bos.redhat.com) (gcc version 8.3.1 2019>
Jun 13 04:07:55 rhel8a kernel: Command line: BOOT_IMAGE=(hd0,msdos1)/vmlinuz-4.18.0-240.10.1.el8_3.x86_64 root=/dev/mapper/rhel-root ro resume=/>
Jun 13 04:07:55 rhel8a kernel: x86/fpu: Supporting XSAVE feature 0x001: 'x87 floating point registers'
Jun 13 04:07:55 rhel8a kernel: x86/fpu: Supporting XSAVE feature 0x002: 'SSE registers'
Jun 13 04:07:55 rhel8a kernel: x86/fpu: Supporting XSAVE feature 0x004: 'AVX registers'
Jun 13 04:07:55 rhel8a kernel: x86/fpu: xstate_offset[2]:  576, xstate_sizes[2]:  256
Jun 13 04:07:55 rhel8a kernel: x86/fpu: Enabled xstate features 0x7, context size is 832 bytes, using 'standard' format.
Jun 13 04:07:55 rhel8a kernel: BIOS-provided physical RAM map:

Show logs for the required period. You can also use --since and --until separately.

[root@rhel8a ~]# journalctl --since "2020-12-12 20:30:00" --until "2021-01-01 20:30:00"
-- Logs begin at Sun 2021-06-13 04:07:55 EDT, end at Sun 2021-06-13 05:01:01 EDT. --

The command below shows all fields stored in the journal, with field names and contents.

[root@rhel8a ~]# journalctl -o verbose
-- Logs begin at Sun 2021-06-13 04:07:55 EDT, end at Sun 2021-06-13 05:01:01 EDT. --
Sun 2021-06-13 04:07:55.055855 EDT [s=48e5693311ba44ec978812d2ba322168;i=1;b=7755382ff313429e9bcb58779f7bef71;m=259d82;t=5c4a13cf586ef;x=40c6d2d>
    _SOURCE_MONOTONIC_TIMESTAMP=0
    _TRANSPORT=kernel
    PRIORITY=5
    SYSLOG_FACILITY=0
    SYSLOG_IDENTIFIER=kernel
    MESSAGE=Linux version 4.18.0-240.10.1.el8_3.x86_64 (mockbuild@x86-vm-08.build.eng.bos.redhat.com) (gcc version 8.3.1 20191121 (Red Hat 8.3.1>
    _BOOT_ID=7755382ff313429e9bcb58779f7bef71
    _MACHINE_ID=6cbcf63a957d4790ab2a95df7c5abcc4
    _HOSTNAME=rhel8a
Sun 2021-06-13 04:07:55.055895 EDT [s=48e5693311ba44ec978812d2ba322168;i=2;b=7755382ff313429e9bcb58779f7bef71;m=259da9;t=5c4a13cf58717;x=249d99d>
    _SOURCE_MONOTONIC_TIMESTAMP=0
    _TRANSPORT=kernel
    SYSLOG_FACILITY=0
    SYSLOG_IDENTIFIER=kernel
    _BOOT_ID=7755382ff313429e9bcb58779f7bef71
    _MACHINE_ID=6cbcf63a957d4790ab2a95df7c5abcc4
    _HOSTNAME=rhel8a
    PRIORITY=6

Show the kernel message log from the current boot

[root@rhel8a ~]# journalctl -k
-- Logs begin at Sun 2021-06-13 04:07:55 EDT, end at Sun 2021-06-13 05:24:43 EDT. --
Jun 13 04:07:55 rhel8a kernel: Linux version 4.18.0-240.10.1.el8_3.x86_64 (mockbuild@x86-vm-08.build.eng.bos.redhat.com) (gcc version 8.3.1 2019>
Jun 13 04:07:55 rhel8a kernel: Command line: BOOT_IMAGE=(hd0,msdos1)/vmlinuz-4.18.0-240.10.1.el8_3.x86_64 root=/dev/mapper/rhel-root ro resume=/>
Jun 13 04:07:55 rhel8a kernel: x86/fpu: Supporting XSAVE feature 0x001: 'x87 floating point registers'
Jun 13 04:07:55 rhel8a kernel: x86/fpu: Supporting XSAVE feature 0x002: 'SSE registers'
Jun 13 04:07:55 rhel8a kernel: x86/fpu: Supporting XSAVE feature 0x004: 'AVX registers'
Jun 13 04:07:55 rhel8a kernel: x86/fpu: xstate_offset[2]:  576, xstate_sizes[2]:  256
Jun 13 04:07:55 rhel8a kernel: x86/fpu: Enabled xstate features 0x7, context size is 832 bytes, using 'standard' format.
Jun 13 04:07:55 rhel8a kernel: BIOS-provided physical RAM map:
Jun 13 04:07:55 rhel8a kernel: BIOS-e820: [mem 0x0000000000000000-0x000000000009fbff] usable
Jun 13 04:07:55 rhel8a kernel: BIOS-e820: [mem 0x000000000009fc00-0x000000000009ffff] reserved
Jun 13 04:07:55 rhel8a kernel: BIOS-e820: [mem 0x00000000000f0000-0x00000000000fffff] reserved
Jun 13 04:07:55 rhel8a kernel: BIOS-e820: [mem 0x0000000000100000-0x00000000dffeffff] usable
Jun 13 04:07:55 rhel8a kernel: BIOS-e820: [mem 0x00000000dfff0000-0x00000000dfffffff] ACPI data
Jun 13 04:07:55 rhel8a kernel: BIOS-e820: [mem 0x00000000fec00000-0x00000000fec00fff] reserved
Jun 13 04:07:55 rhel8a kernel: BIOS-e820: [mem 0x00000000fee00000-0x00000000fee00fff] reserved
Jun 13 04:07:55 rhel8a kernel: BIOS-e820: [mem 0x00000000fffc0000-0x00000000ffffffff] reserved
Jun 13 04:07:55 rhel8a kernel: BIOS-e820: [mem 0x0000000100000000-0x000000011fffffff] usable
Jun 13 04:07:55 rhel8a kernel: NX (Execute Disable) protection: active
Jun 13 04:07:55 rhel8a kernel: SMBIOS 2.5 present.

Thank you for reading the post. I hope you have got some information on how to use the journalctl command. Let me know your comments.
