How to show logs for a unit → journalctl -u <unit> - Logs & Auditing Guide

How to Show Logs for a Unit → journalctl -u Table of Contents 1. [Introduction](#introduction) 2. [Prerequisites](#prerequisites) 3. [Understanding journalctl and systemd](#understanding-journalctl-and-systemd) 4. [Basic Usage of journalctl -u](#basic-usage-of-journalctl--u) 5. [Advanced Filtering and Options](#advanced-filtering-and-options) 6. [Practical Examples and Use Cases](#practical-examples-and-use-cases) 7. [Real-time Log Monitoring](#real-time-log-monitoring) 8. [Log Analysis Techniques](#log-analysis-techniques) 9. [Common Issues and Troubleshooting](#common-issues-and-troubleshooting) 10. [Best Practices](#best-practices) 11. [Performance Considerations](#performance-considerations) 12. [Conclusion](#conclusion) Introduction System administrators and developers frequently need to examine logs for specific services or units to diagnose issues, monitor performance, and understand system behavior. The `journalctl -u ` command is an essential tool in the systemd ecosystem that allows you to view logs for specific systemd units with precision and flexibility. This comprehensive guide will teach you everything you need to know about using `journalctl -u` to view unit logs, from basic usage to advanced filtering techniques. You'll learn how to efficiently troubleshoot services, monitor system behavior, and implement best practices for log analysis in production environments. By the end of this article, you'll be proficient in using journalctl to examine unit logs, understand various filtering options, and apply professional techniques for effective system administration and debugging. Prerequisites Before diving into the journalctl command, ensure you have the following: System Requirements - A Linux system running systemd (most modern distributions) - Basic command-line knowledge - Understanding of Linux file permissions - Familiarity with systemd services (helpful but not mandatory) Required Permissions - Root access or sudo privileges for viewing system-wide logs - Regular user access for viewing user session logs - Membership in the `systemd-journal` group (optional but recommended) Verification Steps Check if your system uses systemd: ```bash systemctl --version ``` Verify journalctl is available: ```bash which journalctl ``` Check your current permissions: ```bash groups $USER ``` Understanding journalctl and systemd What is systemd? Systemd is a system and service manager for Linux operating systems. It manages system services, handles system initialization, and provides extensive logging capabilities through its journal system. What is journalctl? Journalctl is the command-line utility for querying and displaying logs from the systemd journal. Unlike traditional syslog systems that store logs in text files, systemd journal stores logs in a binary format, providing enhanced querying capabilities and metadata. Key Benefits of journalctl - Structured logging: Logs include metadata and structured fields - Efficient querying: Fast searches and filtering capabilities - Centralized storage: All logs in one place with consistent format - Real-time monitoring: Live log streaming capabilities - Rich filtering: Multiple filtering options for precise log retrieval Basic Usage of journalctl -u Command Syntax The basic syntax for viewing unit logs is: ```bash journalctl -u ``` Viewing Service Logs To view logs for a specific service: ```bash journalctl -u apache2 ``` This command displays all available logs for the Apache web server service. Understanding Unit Names Systemd units can have different types: - Service units: `.service` (e.g., `apache2.service`) - Socket units: `.socket` (e.g., `docker.socket`) - Timer units: `.timer` (e.g., `logrotate.timer`) - Mount units: `.mount` (e.g., `home.mount`) Implicit .service Extension When dealing with service units, you can omit the `.service` extension: ```bash These commands are equivalent journalctl -u apache2.service journalctl -u apache2 ``` Basic Examples View SSH service logs: ```bash journalctl -u ssh ``` View Docker service logs: ```bash journalctl -u docker ``` View NetworkManager logs: ```bash journalctl -u NetworkManager ``` Advanced Filtering and Options Time-based Filtering Recent Logs View logs from the last hour: ```bash journalctl -u apache2 --since "1 hour ago" ``` View logs from today: ```bash journalctl -u apache2 --since today ``` View logs from a specific date: ```bash journalctl -u apache2 --since "2024-01-01" --until "2024-01-02" ``` Specific Time Ranges ```bash Last 30 minutes journalctl -u nginx --since "30 minutes ago" Between specific times journalctl -u mysql --since "2024-01-15 10:00:00" --until "2024-01-15 12:00:00" Yesterday's logs journalctl -u postgresql --since yesterday --until today ``` Priority Filtering Filter by log priority levels: ```bash Show only error messages and above journalctl -u apache2 -p err Show warning messages and above journalctl -u apache2 -p warning Show only critical messages journalctl -u apache2 -p crit ``` Priority levels (from lowest to highest): - `debug` (7) - `info` (6) - `notice` (5) - `warning` (4) - `err` (3) - `crit` (2) - `alert` (1) - `emerg` (0) Output Formatting JSON Output ```bash journalctl -u docker -o json ``` JSON Pretty Print ```bash journalctl -u docker -o json-pretty ``` Short Format ```bash journalctl -u nginx -o short ``` Verbose Output ```bash journalctl -u apache2 -o verbose ``` Line Limiting Show only the last 50 lines: ```bash journalctl -u apache2 -n 50 ``` Show only the last 10 lines: ```bash journalctl -u mysql --lines=10 ``` Reverse Order Show newest entries first: ```bash journalctl -u nginx -r ``` Practical Examples and Use Cases Web Server Troubleshooting When Apache is not starting properly: ```bash Check recent Apache logs journalctl -u apache2 --since "10 minutes ago" Look for error messages journalctl -u apache2 -p err --since today Check the last boot's Apache logs journalctl -u apache2 -b ``` Database Service Monitoring Monitor PostgreSQL service: ```bash View all PostgreSQL logs journalctl -u postgresql Check for connection issues journalctl -u postgresql --grep="connection" Monitor database startup journalctl -u postgresql --since "1 hour ago" -p info ``` SSH Security Analysis Analyze SSH login attempts: ```bash View SSH service logs journalctl -u ssh --since today Look for failed login attempts journalctl -u ssh --grep="Failed password" Check successful logins journalctl -u ssh --grep="Accepted" ``` Docker Container Issues Troubleshoot Docker daemon: ```bash View Docker service logs journalctl -u docker Check recent Docker errors journalctl -u docker -p err --since "1 hour ago" Monitor Docker daemon startup journalctl -u docker -b -f ``` Network Service Debugging Debug NetworkManager issues: ```bash View NetworkManager logs journalctl -u NetworkManager Check for connection problems journalctl -u NetworkManager --grep="connection" Monitor network state changes journalctl -u NetworkManager --since "30 minutes ago" ``` Real-time Log Monitoring Following Logs in Real-time Use the `-f` flag to follow logs as they're written: ```bash journalctl -u apache2 -f ``` Combining Real-time with Filters Monitor only error messages in real-time: ```bash journalctl -u nginx -f -p err ``` Follow logs from the last 10 lines: ```bash journalctl -u docker -f -n 10 ``` Multiple Unit Monitoring Monitor multiple services simultaneously: ```bash journalctl -u apache2 -u mysql -f ``` Practical Real-time Scenarios Web Server Deployment ```bash Monitor Apache during deployment journalctl -u apache2 -f --since now ``` Database Maintenance ```bash Monitor PostgreSQL during maintenance journalctl -u postgresql -f -p info ``` System Updates ```bash Monitor package manager during updates journalctl -u packagekit -f ``` Log Analysis Techniques Searching and Filtering Grep Integration ```bash Search for specific terms journalctl -u apache2 | grep "404" Case-insensitive search journalctl -u nginx | grep -i "error" Search with context journalctl -u mysql | grep -A 5 -B 5 "connection refused" ``` Using journalctl's Built-in Grep ```bash Built-in grep functionality journalctl -u apache2 --grep="404" Case-insensitive built-in grep journalctl -u nginx --grep="error" --case-sensitive=false ``` Log Statistics and Analysis Boot Analysis ```bash Show logs from current boot journalctl -u apache2 -b Show logs from previous boot journalctl -u apache2 -b -1 List available boots journalctl --list-boots ``` Disk Usage Analysis ```bash Show journal disk usage journalctl --disk-usage Show journal statistics journalctl --header ``` Advanced Querying Field-based Filtering ```bash Filter by specific fields journalctl _SYSTEMD_UNIT=apache2.service Combine multiple fields journalctl _SYSTEMD_UNIT=nginx.service PRIORITY=3 ``` Custom Field Queries ```bash Show available fields journalctl -u apache2 -o verbose | head -20 Filter by process ID journalctl _PID=1234 Filter by user ID journalctl _UID=1000 ``` Common Issues and Troubleshooting Permission Issues Problem: Access Denied ``` Error: Insufficient permissions to access logs ``` Solution: ```bash Use sudo sudo journalctl -u apache2 Or add user to systemd-journal group sudo usermod -a -G systemd-journal $USER ``` Problem: No Logs Visible ```bash Check if service exists systemctl status apache2 Verify unit name systemctl list-units --type=service | grep apache ``` Service-Specific Issues Problem: Service Not Found ``` No entries found for unit apache2.service ``` Solutions: ```bash Check correct service name systemctl list-units --type=service | grep -i apache Check if service was ever active systemctl list-units --all | grep apache Check service files systemctl list-unit-files | grep apache ``` Problem: Empty Log Output ```bash Check if service has been active systemctl is-active apache2 Check service status systemctl status apache2 Force service activity to generate logs sudo systemctl restart apache2 ``` Journal-Specific Issues Problem: Journal Corruption ```bash Verify journal integrity sudo journalctl --verify Rotate journals if corrupted sudo systemctl kill --kill-who=main --signal=SIGUSR2 systemd-journald ``` Problem: Large Journal Size ```bash Check journal size journalctl --disk-usage Clean old journals sudo journalctl --vacuum-time=7d sudo journalctl --vacuum-size=100M ``` Time and Date Issues Problem: Incorrect Timestamps ```bash Check system time timedatectl Synchronize time sudo timedatectl set-ntp true ``` Problem: Time Zone Confusion ```bash Set correct timezone sudo timedatectl set-timezone America/New_York View logs in UTC journalctl -u apache2 --utc ``` Best Practices Efficient Log Viewing Use Appropriate Time Ranges ```bash Instead of viewing all logs journalctl -u apache2 Use specific time ranges journalctl -u apache2 --since "1 hour ago" ``` Combine Filters Effectively ```bash Efficient: combine multiple filters journalctl -u nginx --since today -p err -n 50 Less efficient: filter after retrieval journalctl -u nginx | grep error | head -50 ``` Log Management Regular Maintenance ```bash Set up automatic journal cleanup sudo systemctl edit systemd-journald Add configuration: [Journal] MaxRetentionSec=1month MaxFileSec=1week ``` Storage Configuration ```bash Configure journal storage sudo nano /etc/systemd/journald.conf Key settings: Storage=persistent SystemMaxUse=500M RuntimeMaxUse=100M ``` Monitoring and Alerting Automated Log Monitoring ```bash #!/bin/bash Simple log monitoring script journalctl -u apache2 --since "1 minute ago" -p err --quiet if [ $? -eq 0 ]; then echo "Apache errors detected!" | mail -s "Alert" admin@example.com fi ``` Log Rotation Strategy ```bash Configure log rotation sudo journalctl --vacuum-time=30d sudo journalctl --vacuum-size=500M Set up cron job for regular cleanup echo "0 2 0 /usr/bin/journalctl --vacuum-time=30d" | sudo crontab - ``` Security Considerations Sensitive Information Handling ```bash Be cautious with log sharing journalctl -u apache2 | grep -v "password\|token\|key" Use appropriate permissions sudo chmod 640 /var/log/journal// ``` Access Control ```bash Limit access to specific users sudo usermod -a -G systemd-journal monitoring_user Create dedicated log viewing accounts sudo useradd -r -s /bin/bash -G systemd-journal logviewer ``` Performance Considerations Optimizing Query Performance Index Usage ```bash Let journalctl use indexes efficiently journalctl -u apache2 --since "2024-01-01" Avoid expensive operations journalctl -u apache2 | grep pattern # Less efficient journalctl -u apache2 --grep=pattern # More efficient ``` Memory Usage ```bash Limit memory usage for large queries journalctl -u apache2 --since "1 week ago" -n 1000 Use paging for large outputs journalctl -u apache2 | less ``` System Resource Management Journal Size Monitoring ```bash Monitor journal growth watch -n 60 'journalctl --disk-usage' Set up alerts for large journals if [ $(journalctl --disk-usage | awk '{print $6}' | sed 's/M//') -gt 1000 ]; then echo "Journal size exceeds 1GB" fi ``` Network Considerations ```bash For remote log viewing, compress output journalctl -u apache2 --since today | gzip > apache_logs.gz Use SSH compression for remote access ssh -C user@server 'journalctl -u apache2' ``` Conclusion The `journalctl -u ` command is an indispensable tool for system administrators and developers working with systemd-based Linux systems. Throughout this comprehensive guide, we've explored everything from basic usage to advanced filtering techniques, real-world troubleshooting scenarios, and professional best practices. Key Takeaways 1. Master the Basics: Understanding the fundamental `journalctl -u` syntax is essential for effective log analysis 2. Leverage Filtering: Use time-based, priority-based, and field-based filtering to efficiently locate relevant log entries 3. Implement Best Practices: Regular log maintenance, appropriate access controls, and efficient querying techniques are crucial for production environments 4. Troubleshoot Systematically: Follow structured approaches to diagnose and resolve common issues 5. Monitor Proactively: Use real-time monitoring and automated alerting to maintain system health Next Steps To further enhance your journalctl expertise: 1. Practice Regularly: Use journalctl daily to become comfortable with its various options and filters 2. Automate Monitoring: Implement automated log monitoring scripts for critical services 3. Explore Integration: Learn how to integrate journalctl with monitoring tools like Prometheus, Grafana, or ELK stack 4. Study Advanced Features: Investigate structured logging, custom fields, and journal forwarding capabilities 5. Contribute to Documentation: Share your experiences and help improve community knowledge Final Recommendations - Always use appropriate time ranges to avoid overwhelming output - Combine multiple filtering options for precise log retrieval - Implement regular journal maintenance to prevent storage issues - Document your common troubleshooting procedures for team knowledge sharing - Stay updated with systemd developments and new journalctl features By mastering journalctl and following the practices outlined in this guide, you'll be well-equipped to handle log analysis challenges in any systemd environment, from development systems to large-scale production deployments. The investment in learning these skills will pay dividends in reduced troubleshooting time and improved system reliability.