DevOps Knowledge Hub
DevOps Knowledge Hub

Demystifying journalctl: Your Guide to Linux System Logs

Master the systemd `journalctl` utility to effectively view, filter, and analyze Linux system logs. This guide covers essential commands for real-time monitoring, time-based querying, isolating service unit logs, and managing journal disk usage for powerful troubleshooting.

28 views

Demystifying journalctl: Your Guide to Linux System Logs

The journalctl utility is the central command for viewing and analyzing the structured logs managed by systemd's journaling system. As the modern standard for logging on many Linux distributions, understanding journalctl is crucial for effective system administration, service management, and especially, troubleshooting.

Unlike traditional text-based log files (like those found in /var/log), systemd captures logs in a binary, indexed format. This allows for powerful querying based on time, service, boot ID, and more. This guide will walk you through the essential commands needed to unlock the full potential of your system's historical and real-time events.

Understanding the Systemd Journal

Before diving into commands, it helps to know what journalctl is managing. The systemd journal collects logs from the kernel, services (units), applications, and even the system startup process. These logs are typically stored in structured binary files, making them much faster to search and filter than traditional flat files.

Key Concepts:

  • Persistence: Logs can be configured to be stored permanently across reboots (persistent mode) or only kept in memory (volatile mode).
  • Structured Data: Logs contain metadata (like unit name, priority, boot ID) that journalctl leverages for filtering.

Essential Viewing Commands

The most common need is simply viewing the logs. Here are the foundational commands to start exploring your system's history.

1. Viewing All Logs

To see every entry collected by the journal since the system started recording logs, use the command without any arguments:

journalctl

By default, this output is paginated using a tool like less, allowing you to navigate up and down using arrow keys or spacebar.

2. Viewing Logs in Real-Time (Following)

Similar to using tail -f, you can monitor logs as they are being written to the journal. This is invaluable when starting or debugging a specific service:

journalctl -f

To exit the real-time view, press Ctrl+C.

3. Limiting Output by Number of Lines

If you only need the most recent entries, use the -n flag to specify the number of lines:

# Show the last 20 log entries
journalctl -n 20

4. Viewing Logs Since a Specific Time

Filtering by time is one of journalctl's strongest features. You can use relative or absolute timestamps.

Relative Time Examples:

Command Description
journalctl --since "1 hour ago" Logs from the last hour.
journalctl --since "yesterday" Logs from the start of the previous calendar day.
journalctl --since "2023-10-26 14:30:00" Logs after a specific date and time.

Tip: You can combine --since and --until to specify a precise range, for example: journalctl --since "2023-10-26" --until "2023-10-27 00:00:00".

Filtering Logs by Unit, Service, or Process

One of the most critical uses of journalctl is isolating messages related to a specific systemd unit (service).

Filtering by Service Name

Use the -u (or --unit) flag followed by the service name (e.g., sshd.service, nginx.service):

# View logs only for the Apache web server service
journalctl -u apache2.service

# Follow logs for the Docker service
journalctl -u docker.service -f

Filtering by Boot ID

Systemd tracks logs across different system boots. To see logs from a previous startup, first list the available boots:

journalctl --list-boots

This outputs an indexed list (e.g., -1, -2, 0 for the current boot). You can then use the index or the full Boot ID:

# Show logs from the immediately preceding boot
journalctl -b -1

# Show logs from a specific boot ID (use the long ID listed above)
journalctl -b a1b2c3d4e5f6...

Filtering by Kernel Messages

To view only messages originating from the kernel (similar to using dmesg):

journalctl -k
# Or, equivalently:
journalctl -b -k

Advanced Filtering and Output Control

Effective troubleshooting often requires combining filters and controlling the output format.

1. Filtering by Priority Level

Logs are assigned priority levels (0=emerg, 7=debug). You can use the -p (or --priority) flag to view messages at or above a certain severity:

Priority Level Numeric Value
err (Error) 3
warning 4
notice 5
info 6 
# Show all errors, critical, and emergency messages from the SSH service
journalctl -u sshd.service -p err

2. Searching for Specific Text

When standard filtering isn't enough, you can pipe the output to grep, although journalctl has a built-in mechanism for text search, which is often more efficient for structured data:

# Search all logs for lines containing the word 'failed'
journalctl | grep failed

# Or, use the --grep option for simpler filtering (if available/preferred)
journalctl --grep=failed

3. Changing Output Format

For scripting or moving logs to other tools, changing the output format is essential. The default is pretty (human-readable).

  • --output=json: Outputs entries as structured JSON objects.
  • --output=short: Similar to pretty but less colorful.
  • --output=export: Outputs raw journal entries for archival.
# Output recent logs as JSON
journalctl -n 5 --output=json

4. Combining Filters

Filters stack multiplicatively. To see all errors from Nginx recorded in the last 10 minutes:

journalctl -u nginx.service --since "10 minutes ago" -p err

Managing the Journal Size and Persistence

Over time, the journal can consume significant disk space, especially if configured for persistent logging. System administrators must manage its size.

Checking Current Usage

To see how much disk space the current journal files are occupying:

journalctl --disk-usage

Cleaning Up Old Logs

You can clear logs based on time or total size.

Cleanup by Time:

# Keep only logs from the last 7 days
journalctl --vacuum-time=7d

Cleanup by Size:

# Reduce total log size to a maximum of 500 Megabytes
journalctl --vacuum-size=500M

Warning: Be cautious when deleting logs, especially those from older boots (-b). Ensure critical diagnostic information is not removed prematurely.

Conclusion

journalctl is a powerful, flexible tool that moves logging beyond simple text files. By mastering time-based filtering (--since, --until), unit isolation (-u), and real-time monitoring (-f), you gain granular control over monitoring system health. Whether you are checking a service status or digging into a kernel panic from last week, journalctl is your primary interface into the modern Linux system journal.