LAB-MON-02 - The Journalctl Vault

Use journalctl to view recent logs, filter by service and time, and run one non-interactive error query.

35 min INTERMEDIATE LINUX Curriculum-reviewed
Success criteria
  • Use journalctl to view recent logs, filter by service and time, and run one non-interactive error query.
  • Repeat the workflow without copy-paste or step-by-step prompting.
Safety notes
  • Log viewing is usually safe, but use follow mode thoughtfully on shared systems and avoid making unrelated service changes unless the exercise calls for it.

Part A: The Field Guide


What This Lab Is Really About

This lab teaches you how to ask the journal smaller questions.

You will practice:

  • seeing recent logs
  • filtering by service
  • filtering by time
  • following live output
  • building a non-interactive query for scripts

Command Reference

Useful journalctl patterns

sudo journalctl -n 20
sudo journalctl -r
sudo journalctl -u ssh --since "1 hour ago"
sudo journalctl -p 3 -n 10 --no-pager
sudo journalctl -f


Part B: The Drill Deck

Terminal required: use a Linux system that runs systemd and journalctl.


Guided: Step by step - type exactly this and compare the result

Exercise G1: Read Recent Entries

  1. Show the most recent 20 journal lines:
     sudo journalctl -n 20
  2. Run the reverse view:
     sudo journalctl -r
  3. Quit the pager and compare the two perspectives.

Exercise G2: Filter by Service

  1. Query a service that exists on your system, for example ssh or cron.
  2. Run:
     sudo journalctl -u ssh -n 20
  3. If your system uses a different service name, adjust accordingly.

Exercise G3: Filter by Time

  1. Narrow the same service to the last hour:
     sudo journalctl -u ssh --since "1 hour ago"
  2. Confirm that the result is smaller and more relevant than the full history.

Solo: Task described, hints available - figure it out

Exercise S1: Follow Live Logs

  1. In one terminal, run:
     sudo journalctl -f
  2. In another terminal, perform a safe action that generates service or system activity, such as opening a new login session or restarting a disposable service in your lab environment.
  3. Watch the new lines appear.
  4. Stop follow mode with Ctrl+C.

Exercise S2: Build an Error-Only Query

  1. Run:
     sudo journalctl -p 3 -n 10 --no-pager
  2. Confirm that the command prints a limited number of error-priority lines and exits immediately without opening an interactive pager.

Mission: Real scenario - no hints, combine multiple skills

Mission M1: Describe a Reusable Diagnostic Query

Write or memorize one query that you could reuse in a script or runbook to answer:

  • what are the last 10 error-priority journal entries?
  • and can the command print them directly without pausing?

Your answer should include both the limit on lines and the no-pager behavior.
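
One way to package the mission's query for a script or runbook, as an added example that is not part of the original lab. It goes beyond the mission by also accepting the service and time filters from G2 and G3 and validating each value before it reaches journalctl; the helper name `journal_query` and its allowlist for unit names are assumptions of this example.

```sh
#!/bin/sh
# Added example, not part of the lab. journal_query is a hypothetical helper name.
# Usage: journal_query PRIORITY LINES [UNIT] [SINCE]
#   journal_query 3 10                    # last 10 error-priority entries
#   journal_query 3 10 ssh "1 hour ago"   # same, one service, last hour
# Run it with the privileges your system needs to read the journal (the lab uses sudo).

# The body is a subshell "( ... )" so variables and "set --" stay local,
# and "exit" only ends the function, returning its status to the caller.
journal_query() (
    prio=${1:-} lines=${2:-} unit=${3:-} since=${4:-}

    # Priority is a single syslog level, 0 (emerg) to 7 (debug); 3 is err.
    case $prio in
        [0-7]) ;;
        *) echo "journal_query: priority must be 0-7" >&2; exit 2 ;;
    esac

    # A positive integer line limit keeps the output bounded.
    case $lines in
        ''|0*|*[!0-9]*) echo "journal_query: lines must be a positive integer" >&2; exit 2 ;;
    esac

    # --no-pager makes the command print and exit instead of waiting in a pager.
    set -- -p "$prio" -n "$lines" --no-pager

    if [ -n "$unit" ]; then
        # Conservative allowlist (an assumption of this example): no leading
        # dash, so the value cannot be parsed as an option, and no whitespace
        # or shell metacharacters.
        case $unit in
            -*|*[!A-Za-z0-9@_.:-]*) echo "journal_query: unexpected unit name" >&2; exit 2 ;;
        esac
        set -- "$@" -u "$unit"
    fi

    if [ -n "$since" ]; then
        set -- "$@" --since "$since"
    fi

    # Each value is passed as its own quoted argument; nothing is re-parsed by the shell.
    journalctl "$@"
)
```

A non-zero exit status of 2 means the helper rejected an argument before running journalctl, so a calling script can tell a bad input apart from an empty result.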