Demystifying journalctl: Your Guide to Linux System Logs
Learn journalctl commands for viewing, filtering, following, and cleaning up Linux systemd journal logs.
Demystifying journalctl: Your Guide to Linux System Logs
The journalctl utility is the main command for viewing logs collected by systemd-journald. When a service fails, a boot hangs, or a kernel message scrolls past too quickly, journalctl is usually where you find the details.
Unlike plain text log files in /var/log, the journal stores structured entries with metadata such as unit name, priority, boot ID, and timestamp. That lets you filter logs precisely instead of opening several files and guessing.
Understanding the Systemd Journal
Before diving into commands, it helps to know what journalctl is managing. The systemd journal collects logs from the kernel, services (units), applications, and even the system startup process. These logs are typically stored in structured binary files, making them much faster to search and filter than traditional flat files.
Key Concepts:
- Persistence: Logs can be configured to be stored permanently across reboots (persistent mode) or only kept in memory (volatile mode).
- Structured Data: Logs contain metadata (like unit name, priority, boot ID) that
journalctlleverages for filtering.
Essential Viewing Commands
The most common need is simply viewing the logs. Here are the foundational commands to start exploring your system's history.
1. Viewing All Logs
To see every entry collected by the journal since the system started recording logs, use the command without any arguments:
journalctl
By default, this output is paginated using a tool like less, allowing you to navigate up and down using arrow keys or spacebar.
2. Viewing Logs in Real-Time (Following)
Similar to using tail -f, you can monitor logs as they are being written to the journal. This is invaluable when starting or debugging a specific service:
journalctl -f
To exit the real-time view, press Ctrl+C.
3. Limiting Output by Number of Lines
If you only need the most recent entries, use the -n flag to specify the number of lines:
# Show the last 20 log entries
journalctl -n 20
4. Viewing Logs Since a Specific Time
Filtering by time is one of journalctl's strongest features. You can use relative or absolute timestamps.
Relative Time Examples:
| Command | Description |
|---|---|
journalctl --since "1 hour ago" |
Logs from the last hour. |
journalctl --since "yesterday" |
Logs from the start of the previous calendar day. |
journalctl --since "2023-10-26 14:30:00" |
Logs after a specific date and time. |
Tip: You can combine --since and --until to specify a precise range, for example: journalctl --since "2023-10-26" --until "2023-10-27 00:00:00".
Filtering Logs by Unit, Service, or Process
One of the most critical uses of journalctl is isolating messages related to a specific systemd unit (service).
Filtering by Service Name
Use the -u (or --unit) flag followed by the service name (e.g., sshd.service, nginx.service):
# View logs only for the Apache web server service
journalctl -u apache2.service
# Follow logs for the Docker service
journalctl -u docker.service -f
Filtering by Boot ID
Systemd tracks logs across different system boots. To see logs from a previous startup, first list the available boots:
journalctl --list-boots
This outputs an indexed list (e.g., -1, -2, 0 for the current boot). You can then use the index or the full Boot ID:
# Show logs from the immediately preceding boot
journalctl -b -1
# Show logs from a specific boot ID (use the long ID listed above)
journalctl -b a1b2c3d4e5f6...
Filtering by Kernel Messages
To view only messages originating from the kernel (similar to using dmesg):
journalctl -k
# Or, equivalently:
journalctl -b -k
Advanced Filtering and Output Control
Effective troubleshooting often requires combining filters and controlling the output format.
1. Filtering by Priority Level
Logs are assigned priority levels from 0 (emerg) through 7 (debug). You can use the -p or --priority flag to view messages at the selected severity and more severe levels:
| Priority Level | Numeric Value |
|---|---|
err or error |
3 |
warning |
4 |
notice |
5 |
info |
6 |
# Show all errors, critical, and emergency messages from the SSH service
journalctl -u sshd.service -p err
2. Searching for Specific Text
When standard filtering is not enough, you can pipe output to grep or use --grep on systems whose journalctl version supports it:
# Search all logs for lines containing the word 'failed'
journalctl | grep failed
# Or, use the --grep option for simpler filtering (if available/preferred)
journalctl --grep=failed
3. Changing Output Format
For scripting or moving logs to other tools, changing the output format is essential. The default is pretty (human-readable).
--output=json: Outputs entries as structured JSON objects.--output=short: Similar to pretty but less colorful.--output=export: Outputs raw journal entries for archival.
# Output recent logs as JSON
journalctl -n 5 --output=json
4. Combining Filters
Filters stack multiplicatively. To see all errors from Nginx recorded in the last 10 minutes:
journalctl -u nginx.service --since "10 minutes ago" -p err
Managing the Journal Size and Persistence
Over time, the journal can consume significant disk space, especially if configured for persistent logging. System administrators must manage its size.
Checking Current Usage
To see how much disk space the current journal files are occupying:
journalctl --disk-usage
Cleaning Up Old Logs
You can clear logs based on time or total size.
Cleanup by Time:
# Keep only logs from the last 7 days
journalctl --vacuum-time=7d
Cleanup by Size:
# Reduce total log size to a maximum of 500 Megabytes
journalctl --vacuum-size=500M
Warning: Be cautious when deleting logs, especially those from older boots (
-b). Ensure critical diagnostic information is not removed prematurely.
Takeaway
For day-to-day troubleshooting, start with journalctl -u <service> -n 50 --no-pager, add -f when you need live output, and use --since or -b when the problem is tied to a time window or boot. Before deleting logs, check journalctl --disk-usage and keep enough history for rollback and incident review.