58

I am trying to use journalctl's pattern matching on SYSLOG_IDENTIFIERS. As an example, I have a ton of messages tagged sshd:

$ journalctl -t sshd | wc -l
987

but if I try to use pattern matching to find them:

$ journalctl -t 'ssh*'
-- No Entries --
$ journalctl -t 'ssh.*'
-- No Entries --

The journalctl man page says patterns should work, but I can't find anything else about how patterns are used/defined in systemd.

$ man journalctl
....
-t, --identifier=SYSLOG_IDENTIFIER|PATTERN
    Show messages for the specified syslog identifier SYSLOG_IDENTIFIER, or for any of the messages with a "SYSLOG_IDENTIFIER" matched by PATTERN.

I'm running ArchLinux:

$ journalctl --version
systemd 225
+PAM -AUDIT -SELINUX -IMA -APPARMOR +SMACK -SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID -ELFUTILS +KMOD +IDN
4
  • 7
    Based on discussions on IRC, it seems this is a bug (or an issue with the documentation). A bug has been filed. Commented Sep 14, 2015 at 1:18
  • 1
    try this for realtime: journalctl -f | grep sshd Commented Dec 1, 2015 at 12:15
  • You can actually add multiple -t <identifier> if that suits you. Commented Jan 25, 2019 at 12:38
  • 1
    Opened another report for enabling pattern support for syslog identities: github.com/systemd/systemd/issues/20457 Commented Aug 17, 2021 at 11:11

6 Answers

54

This was a doc bug that was closed when the typo in the man page was updated.

The bug report led to the following comments in the code:

We don't actually accept patterns, hence don't claim so.

As a workaround, you may be able to use grep as suggested in the comments to your question. Something like this:

journalctl | grep sshd 
2
  • This missing feature or the bug is by design. Nice. Commented Jul 19, 2023 at 9:00
  • This is incorrect and does not work. Commented Oct 23, 2024 at 13:07
30

journalctl -v 239 supports filtering with -g

From journalctl man page

-g, --grep=
    Filter output to entries where the MESSAGE= field matches the specified regular expression. PERL-compatible regular expressions are used, see pcre2pattern(3) for a detailed description of the syntax. If the pattern is all lowercase, matching is case insensitive. Otherwise, matching is case sensitive. This can be overridden with the --case-sensitive option, see below.
3
  • 2
    This is what I was actually looking for. Having used the wrong search terms, I ended up here but found this. Thx. Commented May 22, 2022 at 14:14
  • 3
    This actually does not work; it matches the message, not the identifier field. Commented Jan 27, 2023 at 15:50
  • 2
    In fact you should be looking if journalctl was compiled with systemd --version | grep "+PCRE2" Commented Jan 10, 2024 at 16:50
3

The original question is titled "How do you use systemd's journalctl patterns". This points to a very specific feature of journalctl called "MATCHES" rather than generic regular expression filtering.

The "MATCHES" feature is fully detailed along with all other features at its friendly man page which states at its very beginning:

If one or more match arguments are passed, the output is filtered accordingly.

The "matches" feature is meant to filter the log entries out based upon a number of possible filters.

For cases like the one in the original question, this is how I do it (I run ArchLinux too).

First, you need to know the service name you are interested in. I usually do this:

systemctl | grep sshd 

I get this:

sshd.service loaded active running OpenSSH Daemon 

Then you can ask journalctl to filter by the "systemd unit name" like this:

journalctl _SYSTEMD_UNIT=sshd.service 

It's called "the matches filtering". That'd be it.

In case the original question was written instead to mean "how to apply grep to journalctl output", then you can either apply grep to the logs stored "so far" with

journalctl | grep ssh 

or look at the currently incoming log entries with

journalctl -f | grep ssh 

and hit CTRL-C to stop the flow. Of course, you can use more complex pipes with either finer grained regular patterns or multiple grep commands.

9
  • 1
    Thanks for the response, but _SYSTEMD_UNIT doesn't accept patterns. As mentioned in my comment and @Tim's answer, this was a bug in the docs. Commented Oct 30, 2018 at 20:32
  • @MarkGrimes, At least for me (systemd 239) it works. I always test what I say before writing it down. It works as documented. Commented Oct 31, 2018 at 5:16
  • 2
    The question is about using patterns, for example ssh*. The journalctl docs stated that this was possible at one time. The docs were incorrect and have been updated. Commented Oct 31, 2018 at 12:52
  • @MarkGrimes The question is about systemd's journalctl patterns not any character pattern. Please see my updated answer. And it works under ArchLinux exactly as documented. Commented Nov 2, 2018 at 8:47
  • You must be joking. I can't find an explanation of what PATTERN may be anywhere in that man page. Commented Jun 10, 2021 at 20:26
1

For anyone needing to just find a term in journalctl, you open the logs with journalctl -u <foo>, then hit the / key. It'll open a prompt in the lower part of the terminal, where you input the search term. Journalctl will highlight all the occurrences.

0

Here's my approach (it allows keeping everything in journalctl):

Just execute this command:

$(printf 'journalctl'; printf ' -t %s' $(journalctl -q -F SYSLOG_IDENTIFIER | grep '^ssh')) 

Components:

  1. printf 'journalctl': This could include any journalctl-specific options (eg. printf 'journalctl --follow' )
  2. journalctl -q -F SYSLOG_IDENTIFIER: Lists all of the value variations of the SYSLOG_IDENTIFIER field.
  3. grep '^ssh': Filters by any possible grep RegEx mask.
  4. printf ' -t %s' $(journalctl -q -F SYSLOG_IDENTIFIER | grep '^ssh'): Constructs a sequence of multiple '-t' options from the list of filtered SYSLOG_IDENTIFIER values.

For example:

$ echo "$(printf 'journalctl'; printf ' -t %s' $(journalctl -q -F SYSLOG_IDENTIFIER | grep '^gnome'))"
journalctl -t gnome-system-monitor.desktop -t gnome-shell -t gnome-keyring-daemon -t gnome-session-binary -t gnome-session

Note (obvious, but important): the list of identifiers (selected by the mask) is created at command start, so to include any identifiers that appear after journalctl was started with the --follow option, the command needs to be restarted.
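
A more defensive form of the approach in this answer, as an added example that is not part of the original post: it refuses to run when no identifier matches (a bare journalctl with no -t options would print the whole journal) and keeps identifiers containing spaces or glob characters as single arguments. The function name journal_by_ident is hypothetical; only journalctl's -q, -F and -t options from the answer above are used.

```sh
#!/bin/sh
# Added example: select journal entries whose SYSLOG_IDENTIFIER matches an
# extended regular expression. journal_by_ident is a hypothetical name.

# Usage: journal_by_ident ERE [journalctl options...]
# The body is a subshell "( ... )" so the IFS and globbing changes below do
# not leak into the calling shell.
journal_by_ident() (
    regex=$1
    shift

    # -F lists every distinct value of the field; grep -E applies the pattern.
    # grep exits non-zero when nothing matches. Stop here in that case:
    # without any -t option journalctl would show every entry, which looks
    # like a successful (but unfiltered) result.
    ids=$(journalctl -q -F SYSLOG_IDENTIFIER | grep -E -- "$regex") || {
        echo "no SYSLOG_IDENTIFIER matches '$regex'" >&2
        exit 1
    }

    # Split the list on newlines only and disable globbing, so an identifier
    # that contains spaces or '*' stays exactly one argument.
    IFS='
'
    set -f
    for id in $ids; do
        set -- "$@" -t "$id"
    done

    # Caller's options first, then one "-t <identifier>" pair per match.
    journalctl "$@"
)

# Example call (needs a systemd journal):
#   journal_by_ident '^ssh' --since today
```

As with the original command, the identifier list is fixed when the function starts, so a --follow session does not pick up identifiers that first appear later.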

-3

You can define the unit file when you run journalctl.

journalctl -f -u sshd.service

It will only show the journal of sshd

1
  • This answer doesn't address the question. The user is asking for using patterns in a filter. Commented Jul 25, 2018 at 11:46
