On a Linux system managed by systemd, its Journal feature manages the logs for everything from kernel to user level services. These logs can be accessed using the
journalctl command. The particular query of interest is to retrieve kernel logs from the time before current boot.
To display all log messages across all services and components, but since the current boot:
-b arguments specifies the boot ID, which can be obtained from the first column of the output of
journalctl --list-boots. The current boot’s ID is 0, and the previous boot’s ID is -1, and so on.
If you just did a cold reboot following a system crash, you get the logs prior to crash by retrieving the logs for boot ID -1:
journalctl -b -1
Be warned that this displays logs from all components and services. Typically to investigate a system crash you only need the kernel logs; the
-k option will filter out everything bug kernel messages.
journalctl -b -1 -k
This will open
less in which you may press
GG to go the end of the logs. This can be automated by explicitly piping to
less +G (whilst forcing colored output on both ends of the pipe):
SYSTEMD_COLORS=1 journalctl -b -1 -k | less +G -r
k, as well as
Space, to page through the logs.