# 12-E.17: journalctl & last Commands

## The journalctl Command

The journalctl command is used for viewing logs collected by systemd. The systemd-journald service is responsible for systemd’s log collection, and it retrieves messages from the kernel, systemd services, and other sources.

These logs are gathered in a central location, which makes them easy to review. The log records in the journal are structured and indexed, and as a result journalctl is able to present your log information in a variety of useful formats.

By default the systemnd journal only stores the logs in memory, therefore, the logs do not persist across reboots. In order to have any persistence in the logs, the /var/log/journal directory must be created. The logs are then kept in that directory.

pbmac@pbmac-server $journalctl -- Logs begin at Sat 2020-03-21 15:10:38 PDT, end at Mon 2020-11-16 14:59:05 PST Mar 21 15:10:38 pbmac-server systemd-journald[294]: Runtime journal (/run/log/jo Mar 21 15:10:38 pbmac-server kernel: Initializing cgroup subsys cpuset Mar 21 15:10:38 pbmac-server kernel: Initializing cgroup subsys cpu Mar 21 15:10:38 pbmac-server kernel: Initializing cgroup subsys cpuacct Mar 21 15:10:38 pbmac-server kernel: Linux version 4.4.0-176-generic (buildd@lgw Mar 21 15:10:38 pbmac-server kernel: Command line: BOOT_IMAGE=/boot/vmlinuz-4.4. Mar 21 15:10:38 pbmac-server kernel: KERNEL supported cpus: Mar 21 15:10:38 pbmac-server kernel: Intel GenuineIntel Mar 21 15:10:38 pbmac-server kernel: AMD AuthenticAMD Mar 21 15:10:38 pbmac-server kernel: Centaur CentaurHauls Mar 21 15:10:38 pbmac-server kernel: x86/fpu: Supporting XSAVE feature 0x01: 'x8 Mar 21 15:10:38 pbmac-server kernel: x86/fpu: Supporting XSAVE feature 0x02: 'SS Mar 21 15:10:38 pbmac-server kernel: x86/fpu: Enabled xstate features 0x3, conte Mar 21 15:10:38 pbmac-server kernel: e820: BIOS-provided physical RAM map: Mar 21 15:10:38 pbmac-server kernel: BIOS-e820: [mem 0x0000000000000000-0x000000  journalctl allows for the filtering of the output by specific fields. If there are many messages to display or filtering of large time span has to be done, the output of this command can be extensively delayed. Examples: • Show all messages from this boot: pbmac@pbmac-server$ journalctl -b
However, often one is interested in messages not from the current, but from the previous boot (e.g. if an unrecoverable system crash happened). This is possible through optional offset parameter of the -b flag: journalctl -b -0 shows messages from the current boot, journalctl -b -1 from the previous boot, journalctl -b -2 from the second previous and so on – you can see the list of boots with their numbers by using journalctl --list-boots. See journalctl(1) for a full description; the semantics are more powerful than indicated here.
• Include explanations of log messages from the message catalog where available:
pbmac@pbmac-server $journalctl -x Note that this feature should not be used when attaching logs to bug reports and support threads, so as to limit extraneous output. You can list all known catalog entries by running journalctl --list-catalog. • Show all messages from date (and optional time): pbmac@pbmac-server$ journalctl --since="2012-10-30 18:17:16"
• Show all messages since 20 minutes ago:
pbmac@pbmac-server $journalctl --since "20 min ago" ## The last Command The last command in Linux is used to display the list of all the users logged in and out since the file /var/log/wtmp was created. One or more usernames can be given as an argument to display their login in (and out) time and their host-name. pbmac@pbmac-server$ last
pbmac    :0           :0               Mon Nov 16 09:48   still logged in
reboot   system boot  4.15.0-91-generi Mon Nov 16 09:46   still running
pbmac    :0           :0               Fri Nov  6 11:20 - crash (9+22:26)
reboot   system boot  4.15.0-91-generi Fri Nov  6 10:53   still running