For old hats like me journalctl seems unnecessarily complicated. Back in the olden days (just a few years ago) system and service logs were all kept in files. It was quite easy to grep through these files for information you wanted. Of course journalctl has similar functionality built in, but old habits die hard. So let’s take a look at how to export logs to a file with journalctl.

There are many reasons why someone might wants to export logs. Maybe you are an old hat like me and just prefer to manipulate logs from a simple text file. Or maybe you want import the logs into a different program, or use a custom Python log aggregator?

If you are new to journalctl I recommend first reading Viewing Logs with Journalctl. It contains a bunch of great information that can also be used when exporting logs to a file.

Export All Logs with Journalctl

If you want to just dump all the logs, you can do a simple redirection. If you are unfamiliar with the concept of redirection read our primer “I/O, Standard Streams, and Redirection“.

You can export all logs from journalctl like so:

[[email protected] ~]$ sudo journalctl > all_logs.txt

Now that you have all the logs in a text file, you can manipulate that file anyway you like. However, be prepared for a rather large text file (mine was 378M). That much raw data in a single text file is daunting. Let’s take a look at how we can refine this output.

Export Specific Logs from Journalctl

In our Viewing Logs with Journalctl primer we show you how to refine your searches with journalctl. You can use any of those options, or a combination of those options to export only the logs you want.

For example let’s say we wanted to find all the NetworkManager logs since yesterday. We can use the -u option to specify the unit and the -S option to specify a start time.

NOTE: -S is the same as --since and you can also use -U or --until to get logs up to a certain date.

In the below example we are pulling all the logs for the NetworkManager service since yesterday.

[[email protected] ~]$ sudo journalctl -u NetworkManager -S yesterday > NetworkManager_logs_1day.txt

Formatting the Output of Journalctl for Export

Journalctl offers many ways to format the journal entries to fit your needs. For example, you can export all the logs into JSON format. You can also use the “short” option which provides classic syslog style logs, one line per entry.

Formatting Output of Journalclt in JSON format

To format journal entries as JSON objects, use the -o or --output option followed by your preferred option. In this example we are using json.

[[email protected] ~]$ sudo journalctl -u NetworkManager --output=json > NetworkManager-JSON
[[email protected] ~]$ head NetworkManager-JSON
{"_SOURCE_REALTIME_TIMESTAMP":"1589046129512828","TIMESTAMP_BOOTTIME":"31.291066","_TRANSPORT":"journal","_SYSTEMD_INVOCATION_ID":"40e94caea07a416a8e9c5a5e5f3428d8","_PID":"952","SYSLOG_IDENTIFIER":"NetworkManager","_SELINUX_CONTEXT":"system_u:system_r:NetworkManager_t:s0"
...OUTPUT TRUNCATED...

Formatting Journalctl Output in Old Syslog Format

Here is an example of formatting the journal entries into a classic syslog style log file.

[[email protected] ~]$ sudo journalctl -u NetworkManager --output=short > NetworkManager.log
[[email protected] ~]$ head NetworkManager.log 
-- Journal begins at Wed 2020-04-01 17:26:10 EDT, ends at Sat 2021-10-16 09:01:10 EDT. --
May 09 13:42:09 putor NetworkManager[952]: <info>  [1589046129.5125] agent-manager: agent[53f749345a6757b0,:1.70/org.gnome.Shell.NetworkAgent/1000]: agent registered
May 09 14:09:13 putor NetworkManager[952]: <info>  [1589047753.9244] agent-manager: agent[36566614e251a8fc,:1.330/org.gnome.Shell.NetworkAgent/1000]: agent registered
...OUTPUT TRUNCATED...

There are quite a few ways to format the output of journal entries. See the man page link below for more information.