From 19f4f86bfed21c5326ed2acebe1163f3a83e832b Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Mon, 6 May 2024 04:25:50 +0200 Subject: Adding upstream version 241. Signed-off-by: Daniel Baumann --- man/journalctl.xml | 992 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 992 insertions(+) create mode 100644 man/journalctl.xml (limited to 'man/journalctl.xml') diff --git a/man/journalctl.xml b/man/journalctl.xml new file mode 100644 index 0000000..7ff0a47 --- /dev/null +++ b/man/journalctl.xml @@ -0,0 +1,992 @@ + + + + + + + + + journalctl + systemd + + + + journalctl + 1 + + + + journalctl + Query the systemd journal + + + + + journalctl + OPTIONS + MATCHES + + + + + Description + + journalctl may be used to query the + contents of the + systemd1 + journal as written by + systemd-journald.service8. + + If called without parameters, it will show the full + contents of the journal, starting with the oldest entry + collected. + + If one or more match arguments are passed, the output is + filtered accordingly. A match is in the format + FIELD=VALUE, + e.g. _SYSTEMD_UNIT=httpd.service, referring + to the components of a structured journal entry. See + systemd.journal-fields7 + for a list of well-known fields. If multiple matches are + specified matching different fields, the log entries are + filtered by both, i.e. the resulting output will show only + entries matching all the specified matches of this kind. If two + matches apply to the same field, then they are automatically + matched as alternatives, i.e. the resulting output will show + entries matching any of the specified matches for the same + field. Finally, the character + may appear + as a separate word between other terms on the command line. This + causes all matches before and after to be combined in a + disjunction (i.e. logical OR). + + It is also possible to filter the entries by specifying an + absolute file path as an argument. The file path may be a file or + a symbolic link and the file must exist at the time of the query. If a + file path refers to an executable binary, an _EXE= + match for the canonicalized binary path is added to the query. If a + file path refers to an executable script, a _COMM= + match for the script name is added to the query. If a file path + refers to a device node, _KERNEL_DEVICE= matches for + the kernel name of the device and for each of its ancestor devices is + added to the query. Symbolic links are dereferenced, kernel names are + synthesized, and parent devices are identified from the environment at + the time of the query. In general, a device node is the best proxy for + an actual device, as log entries do not usually contain fields that + identify an actual device. For the resulting log entries to be correct + for the actual device, the relevant parts of the environment at the time + the entry was logged, in particular the actual device corresponding to + the device node, must have been the same as those at the time of the + query. Because device nodes generally change their corresponding devices + across reboots, specifying a device node path causes the resulting + entries to be restricted to those from the current boot. + + Additional constraints may be added using options + , , etc., to + further limit what entries will be shown (logical AND). + + Output is interleaved from all accessible journal files, + whether they are rotated or currently being written, and + regardless of whether they belong to the system itself or are + accessible user journals. + + The set of journal files which will be used can be + modified using the , + , , and + options, see below. + + All users are granted access to their private per-user + journals. However, by default, only root and users who are + members of a few special groups are granted access to the system + journal and the journals of other users. Members of the groups + systemd-journal, adm, and + wheel can read all journal files. Note + that the two latter groups traditionally have additional + privileges specified by the distribution. Members of the + wheel group can often perform administrative + tasks. + + The output is paged through less by + default, and long lines are "truncated" to screen width. The + hidden part can be viewed by using the left-arrow and + right-arrow keys. Paging can be disabled; see the + option and the "Environment" section + below. + + When outputting to a tty, lines are colored according to + priority: lines of level ERROR and higher are colored red; lines + of level NOTICE and higher are highlighted; lines of level DEBUG + are colored lighter grey; other lines are displayed normally. + + + + Options + + The following options are understood: + + + + + + + + Ellipsize fields when they do not fit in + available columns. The default is to show full fields, + allowing them to wrap or be truncated by the pager, if one + is used. + + The old options + / are not useful + anymore, except to undo . + + + + + + + + Show all fields in full, even if they include unprintable characters or are very long. By + default, fields with unprintable characters are abbreviated as "blob data". (Note that the pager may escape + unprintable characters again.) + + + + + + + Show only the most recent journal entries, + and continuously print new entries as they are appended to + the journal. + + + + + + + Immediately jump to the end of the journal + inside the implied pager tool. This implies + to guarantee that the pager will not + buffer logs of unbounded size. This may be overridden with + an explicit with some other numeric + value, while will disable this cap. + Note that this option is only supported for the + less1 + pager. + + + + + + + Show the most recent journal events and + limit the number of events shown. If + is used, this option is + implied. The argument is a positive integer or + all to disable line limiting. The default + value is 10 if no argument is given. + + + + + + Show all stored output lines, even in follow + mode. Undoes the effect of . + + + + + + + + Reverse output so that the newest entries + are displayed first. + + + + + + + Controls the formatting of the journal + entries that are shown. Takes one of the following + options: + + + + + + + is the default and generates an output that is + mostly identical to the formatting of classic syslog + files, showing one line per journal entry. + + + + + + + + + is very similar, but shows timestamps in the format the and + options accept. Unlike the timestamp information shown in + output mode this mode includes weekday, year and timezone information in the + output, and is locale-independent. + + + + + + + + + is very similar, but shows ISO 8601 wallclock + timestamps. + + + + + + + + + as for but includes full + microsecond precision. + + + + + + + + + is very similar, but shows classic syslog timestamps + with full microsecond precision. + + + + + + + + + is very similar, but shows monotonic timestamps + instead of wallclock timestamps. + + + + + + + + + is very similar, but shows seconds passed since January 1st 1970 UTC instead of wallclock + timestamps ("UNIX time"). The time is shown with microsecond accuracy. + + + + + + + + + shows the full-structured entry items with all + fields. + + + + + + + + + serializes the journal into a binary (but mostly + text-based) stream suitable for backups and network + transfer (see + Journal Export Format + for more information). To import the binary stream back + into native journald format use + systemd-journal-remote8. + + + + + + + + + formats entries as JSON objects, separated by newline characters (see Journal JSON Format for more + information). Field values are generally encoded as JSON strings, with three exceptions: + + Fields larger than 4096 bytes are encoded as null values. (This + may be turned off by passing , but be aware that this may allocate overly long + JSON objects.) + + Journal entries permit non-unique fields within the same log entry. JSON does not allow + non-unique fields within objects. Due to this, if a non-unique field is encountered a JSON array is + used as field value, listing all field values as elements. + + Fields containing non-printable or non-UTF8 bytes are encoded as arrays containing + the raw bytes individually formatted as unsigned numbers. + + + Note that this encoding is reversible (with the exception of the size limit). + + + + + + + + + formats entries as JSON data structures, but + formats them in multiple lines in order to make them + more readable by humans. + + + + + + + + + formats entries as JSON data structures, but wraps + them in a format suitable for + Server-Sent Events. + + + + + + + + + + formats entries as JSON data structures, but prefixes them with an ASCII Record Separator + character (0x1E) and suffixes them with an ASCII Line Feed character (0x0A), in accordance with JavaScript Object Notation (JSON) Text Sequences + (application/json-seq). + + + + + + + + + + generates a very terse output, only showing the + actual message of each journal entry with no metadata, + not even a timestamp. + + + + + + + + + similar to short-full, but prefixes the unit and + user unit names instead of the traditional syslog + identifier. Useful when using templated instances, as it + will include the arguments in the unit names. + + + + + + + + + + A comma separated list of the fields which should be included in the output. This only has an + effect for the output modes which would normally show all fields (, + , , , and + ). The __CURSOR, __REALTIME_TIMESTAMP, + __MONOTONIC_TIMESTAMP, and _BOOT_ID fields are always + printed. + + + + + + Express time in Coordinated Universal Time + (UTC). + + + + + + Don't show the hostname field of log messages originating from the local host. This switch only + has an effect on the family of output modes (see above). + + + + + + + Augment log lines with explanation texts from + the message catalog. This will add explanatory help texts to + log messages in the output where this is available. These + short help texts will explain the context of an error or log + event, possible solutions, as well as pointers to support + forums, developer documentation, and any other relevant + manuals. Note that help texts are not available for all + messages, but only for selected ones. For more information on + the message catalog, please refer to the + Message Catalog Developer Documentation. + + Note: when attaching journalctl + output to bug reports, please do not use + . + + + + + + + + Suppresses all informational messages + (i.e. "-- Logs begin at …", "-- Reboot --"), + any warning messages regarding + inaccessible system journals when run as a normal + user. + + + + + + + Show entries interleaved from all available + journals, including remote ones. + + + + + + + Show messages from a specific boot. This will + add a match for _BOOT_ID=. + + The argument may be empty, in which case logs for the + current boot will be shown. + + If the boot ID is omitted, a positive + offset will look up the boots + starting from the beginning of the journal, and an + equal-or-less-than zero offset will + look up boots starting from the end of the journal. Thus, + 1 means the first boot found in the + journal in chronological order, 2 the + second and so on; while -0 is the last + boot, -1 the boot before last, and so + on. An empty offset is equivalent + to specifying -0, except when the current + boot is not the last boot (e.g. because + was specified to look at logs + from a different machine). + + If the 32-character ID is + specified, it may optionally be followed by + offset which identifies the boot + relative to the one given by boot + ID. Negative values mean earlier + boots and positive values mean later boots. If + offset is not specified, a value of + zero is assumed, and the logs for the boot given by + ID are shown. + + + + + + + Show a tabular list of boot numbers (relative to + the current boot), their IDs, and the timestamps of the first + and last message pertaining to the boot. + + + + + + + Show only kernel messages. This implies + and adds the match + _TRANSPORT=kernel. + + + + + + + Show messages for the specified syslog + identifier + SYSLOG_IDENTIFIER. + + This parameter can be specified multiple + times. + + + + + + + Show messages for the specified systemd unit + UNIT (such as a service unit), or + for any of the units matched by + PATTERN. If a pattern is + specified, a list of unit names found in the journal is + compared with the specified pattern and all that match are + used. For each unit name, a match is added for messages from + the unit + (_SYSTEMD_UNIT=UNIT), + along with additional matches for messages from systemd and + messages about coredumps for the specified unit. + + This parameter can be specified multiple times. + + + + + + + Show messages for the specified user session + unit. This will add a match for messages from the unit + (_SYSTEMD_USER_UNIT= and + _UID=) and additional matches for messages + from session systemd and messages about coredumps for the + specified unit. + + This parameter can be specified multiple times. + + + + + + + + Filter output by message priorities or + priority ranges. Takes either a single numeric or textual log + level (i.e. between 0/emerg and + 7/debug), or a range of numeric/text log + levels in the form FROM..TO. The log levels are the usual + syslog log levels as documented in + syslog3, + i.e. emerg (0), + alert (1), crit (2), + err (3), warning (4), + notice (5), info (6), + debug (7). If a single log level is + specified, all messages with this log level or a lower (hence + more important) log level are shown. If a range is specified, + all messages within the range are shown, including both the + start and the end value of the range. This will add + PRIORITY= matches for the specified + priorities. + + + + + + + Filter output to entries where the MESSAGE= + field matches the specified regular expression. PERL-compatible regular expressions + are used, see + pcre2pattern3 + for a detailed description of the syntax. + + If the pattern is all lowercase, matching is case insensitive. + Otherwise, matching is case sensitive. This can be overridden with the + option, see below. + + + + + + + Make pattern matching case sensitive or case insenstive. + + + + + + + + Start showing entries from the location in the + journal specified by the passed cursor. + + + + + + Start showing entries from the location in the + journal after the location specified by + the passed cursor. The cursor is shown when the + option is used. + + + + + + + The cursor is shown after the last entry after + two dashes: + -- cursor: s=0639… + The format of the cursor is private + and subject to change. + + + + + + + + + Start showing entries on or newer than the specified date, or on or older than the specified + date, respectively. Date specifications should be of the format 2012-10-30 18:17:16. If the + time part is omitted, 00:00:00 is assumed. If only the seconds component is omitted, + :00 is assumed. If the date component is omitted, the current day is assumed. Alternatively + the strings yesterday, today, tomorrow are understood, + which refer to 00:00:00 of the day before the current day, the current day, or the day after the current day, + respectively. now refers to the current time. Finally, relative times may be specified, + prefixed with - or +, referring to times before or after the current + time, respectively. For complete time and date specification, see + systemd.time7. Note that + prints timestamps that follow precisely this format. + + + + + + + + + Print all possible data values the specified + field can take in all entries of the journal. + + + + + + + Print all field names currently used in all entries of the journal. + + + + + + + Show messages from system services and the + kernel (with ). Show messages from + service of current user (with ). If + neither is specified, show all messages that the user can see. + + + + + + + + Show messages from a running, local + container. Specify a container name to connect to. + + + + + + + + Takes a directory path as argument. If + specified, journalctl will operate on the specified journal + directory DIR instead of the + default runtime and system journal paths. + + + + + + Takes a file glob as an argument. If + specified, journalctl will operate on the specified journal + files matching GLOB instead of the + default runtime and system journal paths. May be specified + multiple times, in which case files will be suitably + interleaved. + + + + + + Takes a directory path as an argument. If + specified, journalctl will operate on journal directories and catalog file hierarchy + underneath the specified directory instead of the root + directory (e.g. will create + ROOT/var/lib/systemd/catalog/database, + and journal files under ROOT/run/journal + or ROOT/var/log/journal will be displayed). + + + + + + + Instead of showing journal contents, show + internal header information of the journal fields + accessed. + + + + + + Shows the current disk usage of all journal + files. This shows the sum of the disk usage of all archived + and active journal files. + + + + + + + + Removes the oldest archived journal files until the disk space they use falls below the + specified size (specified with the usual K, M, G and + T suffixes), or all archived journal files contain no data older than the specified timespan + (specified with the usual s, m, h, + days, months, weeks and years + suffixes), or no more than the specified number of separate journal files remain. Note that running + has only an indirect effect on the output shown by + , as the latter includes active journal files, while the vacuuming operation only + operates on archived journal files. Similarly, might not actually reduce the + number of journal files to below the specified number, as it will not remove active journal + files. + + , and + may be combined in a single invocation to enforce any combination of a size, a time and a number of files limit + on the archived journal files. Specifying any of these three parameters as zero is equivalent to not enforcing + the specific limit, and is thus redundant. + + These three switches may also be combined with into one command. If so, all + active files are rotated first, and the requested vacuuming operation is executed right after. The rotation has + the effect that all currently active files are archived (and potentially new, empty journal files opened as + replacement), and hence the vacuuming operation has the greatest effect as it can take all log data written so + far into account. + + + + + + List the contents of the message catalog as a + table of message IDs, plus their short description strings. + + + If any 128-bit-IDs are + specified, only those entries are shown. + + + + + + + Show the contents of the message catalog, with + entries separated by a line consisting of two dashes and the + ID (the format is the same as .catalog + files). + + If any 128-bit-IDs are + specified, only those entries are shown. + + + + + + + Update the message catalog index. This command + needs to be executed each time new catalog files are + installed, removed, or updated to rebuild the binary catalog + index. + + + + + + Instead of showing journal contents, generate + a new key pair for Forward Secure Sealing (FSS). This will + generate a sealing key and a verification key. The sealing key + is stored in the journal data directory and shall remain on + the host. The verification key should be stored + externally. Refer to the option in + journald.conf5 + for information on Forward Secure Sealing and for a link to a + refereed scholarly paper detailing the cryptographic theory it + is based on. + + + + + + When is passed + and Forward Secure Sealing (FSS) has already been configured, + recreate FSS keys. + + + + + + Specifies the change interval for the sealing + key when generating an FSS key pair with + . Shorter intervals increase CPU + consumption but shorten the time range of undetectable journal + alterations. Defaults to 15min. + + + + + + Check the journal file for internal + consistency. If the file has been generated with FSS enabled and + the FSS verification key has been specified with + , authenticity of the journal file + is verified. + + + + + + Specifies the FSS verification key to use for + the operation. + + + + + + Asks the journal daemon to write all yet + unwritten journal data to the backing file system and + synchronize all journals. This call does not return until the + synchronization operation is complete. This command guarantees + that any log messages written before its invocation are safely + stored on disk at the time it returns. + + + + + + Asks the journal daemon to flush any log data + stored in /run/log/journal into + /var/log/journal, if persistent storage + is enabled. This call does not return until the operation is + complete. Note that this call is idempotent: the data is only + flushed from /run/log/journal into + /var/log/journal once during system + runtime, and this command exits cleanly without executing any + operation if this has already happened. This command + effectively guarantees that all data is flushed to + /var/log/journal at the time it + returns. + + + + + + Asks the journal daemon to rotate journal files. This call does not return until the rotation + operation is complete. Journal file rotation has the effect that all currently active journal files are marked + as archived and renamed, so that they are never written to in future. New (empty) journal files are then + created in their place. This operation may be combined with , + and into a single command, see + above. + + + + + + + + + + Exit status + + On success, 0 is returned; otherwise, a non-zero failure + code is returned. + + + + + + Examples + + Without arguments, all collected logs are shown + unfiltered: + + journalctl + + With one match specified, all entries with a field matching + the expression are shown: + + journalctl _SYSTEMD_UNIT=avahi-daemon.service +journalctl _SYSTEMD_CGROUP=/user.slice/user-42.slice/session-c1.scope + + If two different fields are matched, only entries matching + both expressions at the same time are shown: + + journalctl _SYSTEMD_UNIT=avahi-daemon.service _PID=28097 + + If two matches refer to the same field, all entries matching + either expression are shown: + + journalctl _SYSTEMD_UNIT=avahi-daemon.service _SYSTEMD_UNIT=dbus.service + + If the separator + is used, two + expressions may be combined in a logical OR. The following will + show all messages from the Avahi service process with the PID + 28097 plus all messages from the D-Bus service (from any of its + processes): + + journalctl _SYSTEMD_UNIT=avahi-daemon.service _PID=28097 + _SYSTEMD_UNIT=dbus.service + + To show all fields emitted by a unit and about + the unit, option / should be used. + journalctl -u name + expands to a complex filter similar to + _SYSTEMD_UNIT=name.service + + UNIT=name.service _PID=1 + + OBJECT_SYSTEMD_UNIT=name.service _UID=0 + + COREDUMP_UNIT=name.service _UID=0 MESSAGE_ID=fc2e22bc6ee647b6b90729ab34a250b1 + + (see systemd.journal-fields5 + for an explanation of those patterns). + + + Show all logs generated by the D-Bus executable: + + journalctl /usr/bin/dbus-daemon + + Show all kernel logs from previous boot: + + journalctl -k -b -1 + + Show a live log display from a system service + apache.service: + + journalctl -f -u apache + + + + + See Also + + systemd1, + systemd-journald.service8, + systemctl1, + coredumpctl1, + systemd.journal-fields7, + journald.conf5, + systemd.time7, + systemd-journal-remote.service8, + systemd-journal-upload.service8 + + + -- cgit v1.2.3