58

I am trying to use journalctl's pattern matching on SYSLOG_IDENTIFIERS. As an example, I have a ton of messages tagged sshd:

$ journalctl -t sshd | wc -l
987

but if I try to use pattern matching to find them:

$ journalctl -t 'ssh*'
-- No Entries --
$ journalctl -t 'ssh.*'
-- No Entries --

The journalctl man page says patterns should work, but I can't find anything else about how patterns are used/defined in systemd.

$ man journalctl
....
-t, --identifier=SYSLOG_IDENTIFIER|PATTERN
       Show messages for the specified syslog identifier SYSLOG_IDENTIFIER,
       or for any of the messages with a "SYSLOG_IDENTIFIER" matched by PATTERN.

I'm running ArchLinux:

$ journalctl --version
systemd 225
+PAM -AUDIT -SELINUX -IMA -APPARMOR +SMACK -SYSVINIT +UTMP +LIBCRYPTSETUP
+GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID -ELFUTILS +KMOD +IDN
Tim Penner
  • 1,999

6 Answers

54

This was a doc bug that was closed when the typo in the man page was updated.

The bug report led to the following comments in the code:

We don't actually accept patterns, hence don't claim so.

As a workaround, you may be able to use grep as suggested in the comments to your question. Something like this:

journalctl | grep sshd
Tim Penner
  • 1,999
28

journalctl -v 239 supports filtering with -g

From the journalctl man page:

    -g, --grep=
        Filter output to entries where the MESSAGE= field matches the
        specified regular expression. PERL-compatible regular
        expressions are used, see pcre2pattern(3) for a detailed
        description of the syntax.

        If the pattern is all lowercase, matching is case
        insensitive. Otherwise, matching is case sensitive. This can
        be overridden with the --case-sensitive option, see below.

Dave
  • 436
3

The original question is titled "How do you use systemd's journalctl patterns". This points to a very specific feature of journalctl called "MATCHES" rather than generic regular expression filtering.

The "MATCHES" feature is fully detailed along with all other features at its friendly man page which states at its very beginning:

If one or more match arguments are passed, the output is filtered accordingly.

The "matches" feature is meant to filter the log entries out based upon a number of possible filters.

For cases like the one in the original question, this is how I do it (I run ArchLinux too).

First, you need to know the service name you are interested in. I usually do this:

systemctl | grep sshd

I get this:

sshd.service       loaded active running   OpenSSH Daemon

Then you can ask journalctl to filter by the "systemd unit name" like this:

journalctl _SYSTEMD_UNIT=sshd.service

It's called "the matches filtering". That'd be it.

In case the original question was written instead to mean "how to apply grep to journalctl output", then you can either apply grep to the logs stored "so far" with

journalctl | grep ssh

or look at the currently incoming log entries with

journalctl -f | grep ssh

and hit CTRL-C to stop the flow. Of course, you can use more complex pipes with either finer grained regular patterns or multiple grep commands.

EnzoR
  • 432
1

For anyone needing to just find a term in journalctl, open the logs with journalctl -u <foo>, then hit the / key. It'll open a prompt in the lower part of the terminal, where you input the search term. Journalctl will highlight all the occurrences.

0

Here's my approach (it allows you to keep everything in journalctl):

Just execute this command:

$(printf 'journalctl'; printf ' -t %s' $(journalctl -q -F SYSLOG_IDENTIFIER | grep '^ssh'))

Components:

  1. printf 'journalctl': This could include any journalctl-specific options (e.g. printf 'journalctl --follow').
  2. journalctl -q -F SYSLOG_IDENTIFIER: Lists all of the value variations of the SYSLOG_IDENTIFIER field.
  3. grep '^ssh': Filters by any possible grep RegEx mask.
  4. printf ' -t %s' $(journalctl -q -F SYSLOG_IDENTIFIER | grep '^ssh'): Constructs a sequence of multiple '-t' options from the list of filtered SYSLOG_IDENTIFIER values.

For example:

$ echo "$(printf 'journalctl'; printf ' -t %s' $(journalctl -q -F SYSLOG_IDENTIFIER | grep '^gnome'))"
journalctl -t gnome-system-monitor.desktop -t gnome-shell -t gnome-keyring-daemon -t gnome-session-binary -t gnome-session

Note (obvious, but important): the list of identifiers (selected by the mask) is created when the command starts, so to include any identifiers that appeared after journalctl started with the --follow option, the command needs to be restarted.

dess
  • 191
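The one-liner above relies on unquoted word splitting of the `$(...)` output to turn identifiers into separate `-t` options, and a pattern that matches nothing turns into a bare `journalctl -t` that errors out. The following script is an added example, not dess's code, that does the same job as explicit functions: it reads the identifier list on stdin (in real use the output of `journalctl -q -F SYSLOG_IDENTIFIER`), keeps identifiers intact even if they contain whitespace, and refuses to produce a command when no identifier matches, so a typo in the pattern never silently widens the filter to the whole journal. The identifier list embedded in the script is a constructed sample so it runs without a journal, and the function names (`matching_identifiers`, `count_matching_identifiers`, `build_journalctl_args`) are this example's own.

```shell
#!/bin/sh
# Added example (not from the answers above): build a journalctl command with one
# "-t IDENT" per SYSLOG_IDENTIFIER matching a regular expression, without relying
# on unquoted word splitting, and fail loudly when nothing matches.
# Real input comes from:  journalctl -q -F SYSLOG_IDENTIFIER
# The list below is a constructed sample so the script runs offline.
SAMPLE_IDENTIFIERS='sshd
systemd
sshd-session
kernel
ssh-agent
gnome-shell'

# matching_identifiers PATTERN
# Reads identifiers (one per line) on stdin and prints those matching the
# extended regex PATTERN. Exit status is 0 even when nothing matches.
matching_identifiers() {
    grep -E -- "$1" || true
}

# count_matching_identifiers PATTERN -> number of matching identifiers (0 if none)
count_matching_identifiers() {
    matching_identifiers "$1" | awk 'END { print NR }'
}

# build_journalctl_args PATTERN [journalctl options...]
# Reads identifiers on stdin and prints the argv of the journalctl invocation,
# one element per line, appending "-t IDENT" for every match. Returns 1 and
# prints nothing on stdout when no identifier matches.
build_journalctl_args() {
    pattern=$1; shift
    set -- journalctl "$@"          # positional params double as the argv list
    input=$(cat)                    # identifier list, one per line
    found=0
    # IFS= and read -r keep each identifier exactly as the journal stores it.
    while IFS= read -r ident; do
        [ -n "$ident" ] || continue
        set -- "$@" -t "$ident"
        found=1
    done <<EOF
$(printf '%s\n' "$input" | matching_identifiers "$pattern")
EOF
    if [ "$found" -eq 0 ]; then
        echo "build_journalctl_args: no SYSLOG_IDENTIFIER matches '$pattern'" >&2
        return 1
    fi
    printf '%s\n' "$@"
}

# Demo on the constructed sample: prints the argv that would be executed.
printf '%s\n' "$SAMPLE_IDENTIFIERS" | build_journalctl_args '^ssh' --since today
```

Against the sample list, `'^ssh'` yields `journalctl --since today -t sshd -t sshd-session -t ssh-agent`, one element per line. To run the command rather than print it, replace the final `printf` with `"$@"`, or in bash collect the lines with `mapfile -t cmd < <(journalctl -q -F SYSLOG_IDENTIFIER | build_journalctl_args '^ssh')` and execute `"${cmd[@]}"`; avoid `eval` on the printed text, since identifiers are not shell-quoted. The same restart caveat as in the answer applies with `--follow`: identifiers that first appear after the list was built are not included.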
-3

You can define the unit file when you run journalctl.

journalctl -f -u sshd.service

It will only show the journal of sshd.