journalctl

1. Filter output by identifiers (-t and -T flags)

Show messages for the kernel identifier

journalctl -t kernel

Exclude messages for the kernel identifier, useful to exclude ufw [UFW BLOCK] lines

journalctl -T kernel

Follow the logs while excluding the kernel identifier from the output, useful to exclude ufw [UFW BLOCK] lines

journalctl -T kernel -f

Show sudo logs for current boot

journalctl -b -t sudo

Show sshd login attempts since last month

journalctl --since "1 month ago" -t sshd -t sshd-session
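
To turn the sshd query above into a per-source summary, the following added example (not part of the original page) counts failed password attempts per address. The function names and the sample messages are constructed for illustration; it assumes the input is message text only, as produced by journalctl's -o cat output mode.

```shell
#!/bin/sh
# Added example: summarise failed SSH password attempts per source address.
#
# Intended use on a live system:
#   journalctl --since "1 month ago" -t sshd -t sshd-session -o cat | count_failed_ssh

# count_failed_ssh: reads sshd MESSAGE lines on stdin and prints
# "<count> <address>", highest count first.
count_failed_ssh() {
    awk '
        # The user name is chosen by the client and may itself contain
        # spaces or the word "from", so anchor on the END of the line:
        #   ... from <address> port <n> ssh2
        /^Failed password for / && NF >= 8 &&
        $(NF-4) == "from" && $(NF-2) == "port" {
            hits[$(NF-3)]++
        }
        END { for (ip in hits) print hits[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample messages using documentation address ranges.
sample_sshd_messages() {
    cat <<'EOF'
Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Failed password for root from 203.0.113.5 port 51240 ssh2
Failed password for invalid user x from 10.0.0.1 from 198.51.100.7 port 40022 ssh2
Accepted password for alice from 192.0.2.10 port 50000 ssh2
Connection closed by authenticating user root 203.0.113.5 port 51250 [preauth]
Failed password for root from 203.0.113.5 port 51260 ssh2
EOF
}

# Dry run on the constructed sample.
sample_sshd_messages | count_failed_ssh
```

The third sample line carries a user name containing "from 10.0.0.1"; parsing from the end of the line attributes it to 198.51.100.7, the address sshd actually recorded.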

2. Filter output by message priorities

The log levels are the usual syslog log levels as documented in syslog(3), i.e. emerg (0), alert (1), crit (2), err (3), warning (4), notice (5), info (6), debug (7).

Show messages at warning level (4) and above, i.e. warning and everything more severe (levels 0 to 4)

journalctl -p 4

Show only messages in the range from info (6) up to notice (5)

journalctl -p 6..5

Show kernel messages at warning level and above. The -k flag shows only kernel messages and implies -b (current boot)

journalctl -k -p 4

3. Filter output by MESSAGE= field (-g flag)

journalctl --since "1 month ago" -g "UFW"

4. Filter output by trusted journal fields, e.g. _COMM=