Chapter 5. Reviewing logs in the web console

Learn how to access, review and filter logs in the RHEL 8 web console.

5.1. Reviewing logs in the web console

The RHEL 8 web console Logs section is a UI for the journalctl utility. This section describes how to access system logs in the web console interface.

Prerequisites

Procedure

  1. Log in to the RHEL web console.

    For details, see Logging in to the web console.

  2. Click Logs.

    cockpit logs new

  3. Open log entry details by clicking on your selected log entry in the list.
Note

You can use the Pause button to pause new log entries from appearing. Once you resume new log entries, the web console will load all log entries that were reported after you used the Pause button.

You can filter the logs by time, priority or identifier. For more information, see Section 5.2, “Filtering logs in the web console”.

5.2. Filtering logs in the web console

This section shows how to filter log entries in the web console.

Prerequisites

Procedure

  1. Log in to the RHEL 8 web console.

    For details, see Logging in to the web console.

  2. Click Logs.
  3. By default, web console shows the latest log entries. To filter by a specific time range, click the Time drop-down menu and choose a preferred option.

    cockpit logs time new

  4. Error and above severity logs list is shown by default. To filter by different priority, click the Error and above drop-down menu and choose a preferred priority.

    cockpit logs priority

  5. By default, web console shows logs for all identifiers. To filter logs for a particular identifier, click the All drop-down menu and select an identifier.

    cockpit logs identifier

  6. To open a log entry, click on a selected log.

5.3. Text search options for filtering logs in the web console

The text search option functionality provides a big variety of options for filtering logs. If you decide to filter logs by using the text search, you can use the predefined options that are defined in the three drop-down menus, or you can type the whole search yourself.

Drop-down menus

There are three drop-down menus that you can use to specify the main parameters of your search:

  • Time: This drop-down menu contains predefined searches for different time ranges of your search.
  • Priority: This drop-down menu provides options for different priority levels. It corresponds to the journalctl --priority option. The default priority value is Error and above. It is set every time you do not specify any other priority.
  • Identifier: In this drop-down menu, you can select an identifier that you want to filter. Corresponds to the journalctl --identifier option.

Quantifiers

There are six quantifiers that you can use to specify your search. They are covered in the Options for filtering logs table.

Log fields

If you want to search for a specific log field, it is possible to specify the field together with its content.

Free-form text search in logs messages

You can filter any text string of your choice in the logs messages. The string can also be in the form of a regular expressions.

Advanced logs filtering I

Filter all log messages identified by 'systemd' that happened since October 22, 2020 midnight and journal field 'JOB_TYPE' is either 'start' or 'restart.

  1. Type identifier:systemd since:2020-10-22 JOB_TYPE=start,restart to search field.
  2. Check the results.

    advanced logs search I

Advanced logs filtering II

Filter all log messages that come from 'cockpit.service' systemd unit that happened in the boot before last and the message body contains either "error" or "fail".

  1. Type service:cockpit boot:-1 error|fail to the search field.
  2. Check the results.

    advanced logs search II

5.4. Using a text search box to filter logs in the web console

Using the text search box allows you to filter logs according to different parameters. The search combines usage of the filtering drop-down menus, quantifiers, log fields and free-form string search.

Prerequisites

Procedure

  1. Log in to the RHEL 8 web console.

    For details, see Logging in to the web console.

  2. Click Logs.
  3. Use the drop-down menus to specify the three main quantifiers - time range, priority, and identifier(s) - you want to filter.

    The Priority quantifier always has to have a value. If you do not specify it, it automatically filters the Error and above priority. Notice that the options you set reflect in the text search box.

  4. Specify the log field you want to filter.

    It is possible to add several log fields.

  5. You can use a free-form string to search for anything else. The search box also accepts regular expressions.

5.5. Options for logs filtering

There are several journalctl options, which you can use for filtering logs in the web console, that may be useful. Some of these are already covered as part of the drop-down menus in the web console interface.

Table 5.1. Table

Option nameUsageNotes

priority

Filter output by message priorities. Takes a single numeric or textual log level. The log levels are the usual syslog log levels. If a single log level is specified, all messages with this log level or a lower (hence more important) log level are shown.

Covered in the Priority drop-down menu.

identifier

Show messages for the specified syslog identifier SYSLOG_IDENTIFIER. Can be specified multiple times.

Covered in the Identifier drop-down menu.

follow

Shows only the most recent journal entries, and continuously prints new entries as they are appended to the journal.

Not covered in a drop-down.

service

Show messages for the specified systemd unit. Can be specified multiple times.

Is not covered in a drop-down. Corresponds to the journalctl --unit parameter.

boot

Show messages from a specific boot.

A positive integer will look up the boots starting from the beginning of the journal, and an equal-or-less-than zero integer will look up boots starting from the end of the journal. Thus, 1 means the first boot found in the journal in chronological order, 2 the second and so on; while -0 is the last boot, -1 the boot before last, and so on.

Covered only as Current boot or Previous boot in the Time drop-down menu. Other options need to be written manually.

since

Start showing entries on or newer than the specified date, or on or older than the specified date, respectively. Date specifications should be of the format "2012-10-30 18:17:16". If the time part is omitted, "00:00:00" is assumed. If only the seconds component is omitted, ":00" is assumed. If the date component is omitted, the current day is assumed. Alternatively the strings "yesterday", "today", "tomorrow" are understood, which refer to 00:00:00 of the day before the current day, the current day, or the day after the current day, respectively. "now" refers to the current time. Finally, relative times may be specified, prefixed with "-" or "+", referring to times before or after the current time, respectively.

Not covered in a drop-down.