[EN] Journalctl Commands

Author: Soner Sahin

2025-08-08

4 minute read

Linux

linux , journalctl

A comprehensive guide to using journalctl for viewing and managing systemd journal logs.

Top 10 Most Useful Commands
Basic Commands
Filtering Options
Time-Based Filtering
Service-Specific Logs
Output Formats
Advanced Usage
Common Use Cases
Log Management

Top 10 Most Useful Commands

Here are the 10 most essential journalctl commands you’ll use daily:

 1# 1. View all journal entries
 2journalctl
 3
 4# 2. Follow logs in real-time
 5journalctl -f
 6
 7# 3. View logs since last boot
 8journalctl -b
 9
10# 4. View logs for specific service
11journalctl -u service_name
12
13# 5. View only error messages
14journalctl -p err
15
16# 6. View logs since specific time
17journalctl --since "1 hour ago"
18
19# 7. Show last 50 lines
20journalctl -n 50
21
22# 8. View logs in reverse order (newest first)
23journalctl -r
24
25# 9. Check journal disk usage
26journalctl --disk-usage
27
28# 10. Clean up logs older than 7 days
29sudo journalctl --vacuum-time=7d

Basic Commands

View all journal entries

1journalctl

View logs in real-time (follow mode)

1journalctl -f

View logs in reverse order (newest first)

1journalctl -r

Show only the last N lines

1journalctl -n 50

View logs with no paging

1journalctl --no-pager

Filtering Options

Filter by priority level

 1# Emergency messages only
 2journalctl -p emerg
 3
 4# Error messages and above
 5journalctl -p err
 6
 7# Warning messages and above
 8journalctl -p warning
 9
10# Info messages and above
11journalctl -p info
12
13# Debug messages and above
14journalctl -p debug

Filter by facility

1# Kernel messages
2journalctl -f kern
3
4# Mail system messages
5journalctl -f mail
6
7# Authentication messages
8journalctl -f auth

Filter by user

1# Show logs for specific user
2journalctl _UID=1000
3
4# Show logs for current user
5journalctl _UID=$(id -u)

Time-Based Filtering

View logs from specific time

 1# Since specific date
 2journalctl --since "2024-01-01"
 3
 4# Since specific date and time
 5journalctl --since "2024-01-01 12:00:00"
 6
 7# Since yesterday
 8journalctl --since yesterday
 9
10# Since 1 hour ago
11journalctl --since "1 hour ago"
12
13# Since 30 minutes ago
14journalctl --since "30 minutes ago"

View logs until specific time

1# Until specific date
2journalctl --until "2024-01-01"
3
4# Until 1 hour ago
5journalctl --until "1 hour ago"

Combine since and until

1# Logs from a specific time range
2journalctl --since "2024-01-01" --until "2024-01-02"

Service-Specific Logs

View logs for specific service

 1# SSH service logs
 2journalctl -u ssh
 3
 4# Apache/httpd service logs
 5journalctl -u httpd
 6
 7# Nginx service logs
 8journalctl -u nginx
 9
10# Docker service logs
11journalctl -u docker

Follow service logs in real-time

1journalctl -u nginx -f

View service logs with specific priority

1journalctl -u ssh -p err

Output Formats

JSON output

1journalctl -o json

JSON pretty-printed

1journalctl -o json-pretty

Short format (default)

1journalctl -o short

Verbose format

1journalctl -o verbose

Export format

1journalctl -o export

Cat format (no timestamps)

1journalctl -o cat

Advanced Usage

Search for specific text

1# Grep for specific pattern
2journalctl | grep "error"
3
4# Case-insensitive search
5journalctl | grep -i "failed"

Filter by executable

1# Show logs from specific executable
2journalctl /usr/bin/dbus-daemon

Filter by process ID

1# Show logs from specific PID
2journalctl _PID=1234

Filter by systemd unit

1# Show logs from specific unit
2journalctl _SYSTEMD_UNIT=ssh.service

Show kernel ring buffer

1journalctl -k

Show boot logs

1# Current boot
2journalctl -b
3
4# Previous boot
5journalctl -b -1
6
7# List all boots
8journalctl --list-boots

Common Use Cases

Troubleshooting failed services

1# Check service status and recent logs
2systemctl status nginx
3journalctl -u nginx -n 50
4
5# Check for errors in the last hour
6journalctl -u nginx --since "1 hour ago" -p err

Monitoring system startup

1# View boot messages
2journalctl -b -p err
3
4# View specific boot
5journalctl -b -2 -p warning

Debugging authentication issues

1# SSH authentication logs
2journalctl -u ssh --since today | grep -i "authentication\|failed\|error"
3
4# System authentication logs
5journalctl -f auth --since "10 minutes ago"

Monitoring disk space issues

1# Check for disk-related errors
2journalctl -p err | grep -i "disk\|space\|full"
3
4# Check system logs for I/O errors
5journalctl -k | grep -i "i/o\|disk\|ata"

Network troubleshooting

1# Network-related logs
2journalctl -k | grep -i "network\|eth\|wifi"
3
4# DHCP client logs
5journalctl -u NetworkManager --since "1 hour ago"

Log Management

Check disk usage

1# Show disk usage of journal files
2journalctl --disk-usage

Clean up old logs

1# Remove logs older than 7 days
2sudo journalctl --vacuum-time=7d
3
4# Keep only 100MB of logs
5sudo journalctl --vacuum-size=100M
6
7# Keep only 10 most recent journal files
8sudo journalctl --vacuum-files=10

Verify journal integrity

1# Verify journal file integrity
2journalctl --verify

Rotate journal files

1# Force rotation of journal files
2sudo systemctl kill --kill-who=main --signal=SIGUSR2 systemd-journald.service

Useful Combinations

Monitor failed services

1# Watch for failed services in real-time
2journalctl -f -p err

System health check

1# Check for errors and warnings since last boot
2journalctl -b -p warning --no-pager

Application debugging

1# Debug specific application with timestamps
2journalctl -u myapp.service -o short-precise -f

Security monitoring

1# Monitor authentication attempts
2journalctl -f _COMM=sshd -o json-pretty

Thank you for taking the time to read this write-up! I hope you found it insightful and helpful.

Keep learning and stay sharp. 👊

Keep up the good work!

Table of Contents