Linux systems continuously generate logs from services, kernel events, and system activities. With systemd, these logs are centralized in the journal, making journalctl the primary tool for accessing and analyzing them. It provides structured, searchable logs with powerful filtering options, simplifying troubleshooting and system monitoring.
Understanding The Systemd Journal System
Journalctl is the command-line tool that lets you access and filter the systemd journal – basically your system's diary of everything that happens behind the scenes. Unlike old-school log files scattered across your system, the systemd journal centralizes everything in a structured, searchable format.
Think of it as having a search engine specifically for your system events. Instead of manually digging through text files, you can quickly pull up exactly what you need with the right command.
A Quick Reference For Journalctl Commands
Here's a handy reference table of the most useful journalctl commands for quick lookup:
| Command | Description | Example |
|---|---|---|
| journalctl | View all journal entries | journalctl |
| journalctl -r | Show entries in reverse order (newest first) | journalctl -r |
| journalctl -f | Follow journal in real-time (like tail -f) | journalctl -f |
| journalctl -n N | Show only the last N entries | journalctl -n 50 |
| journalctl -b | Show logs from current boot | journalctl -b |
| journalctl -b -1 | Show logs from previous boot | journalctl -b -1 |
| journalctl --since today | Show only today's logs | journalctl --since today |
| journalctl --since "YYYY-MM-DD" | Show logs since specific date | journalctl --since "2023-09-10" |
| journalctl --since "HH:MM" --until "HH:MM" | Show logs between specific times | journalctl --since "09:00" --until "10:00" |
| journalctl -u SERVICE | Show logs for specific service | journalctl -u nginx |
| journalctl -k | Show only kernel messages | journalctl -k |
| journalctl -p PRIORITY | Filter by priority level | journalctl -p err |
| journalctl _PID=N | Show logs for specific process ID | journalctl _PID=1234 |
| journalctl -g "PATTERN" | Search for pattern in messages | journalctl -g "error\|failed" |
| journalctl -o json | Output in JSON format | journalctl -o json |
| journalctl -o cat | Show only message field | journalctl -o cat |
| journalctl --disk-usage | Check journal disk usage | journalctl --disk-usage |
| journalctl --vacuum-time=TIME | Remove entries older than TIME | journalctl --vacuum-time=2weeks |
| journalctl --vacuum-size=SIZE | Limit journal to SIZE | journalctl --vacuum-size=1G |
| journalctl -D PATH | Use journal at specified path | journalctl -D /var/log/journal/UUID |
4 Essential Daily Journalctl Commands For Quick Troubleshooting
Let's start with the bread and butter commands you'll reach for most often:
Viewing Complete System Journal History
journalctl
Simple, right? This shows you everything – the whole journal from oldest to newest. It's like opening a book from page one. You'll get a pager view (similar to less command) where you can navigate with arrow keys, Page Up/Down, or search with the slash key (/).
Displaying Recent Events In Reverse Order
journalctl -r
The -r flips the script, showing newest entries first. Much more useful when you're troubleshooting something that just happened.
Monitoring Live System Events As They Happen
journalctl -f
This is your live feed. The -f (follow) option keeps the journal open and shows new entries as they happen – super handy when you're actively debugging an issue. It's like watching the system narrate what it's doing.
Restricting Output To Most Recent Journal Entries
journalctl -n 50
This shows only the most recent 50 log entries. Change the number to whatever makes sense for your situation. Great for quick checks without scrolling through thousands of entries.
Time-Based Filtering Techniques For Targeted Log Analysis
When troubleshooting, timing is everything. These commands help you narrow down logs to specific timeframes:
Viewing Current And Previous Boot Session Logs
journalctl -b
Only shows logs from the current boot. Add a number to see older boots:
journalctl -b -1 # Previous boot
journalctl -b -2 # Two boots ago
Retrieving All Logs From The Current Day
journalctl --since today
Just today's logs – perfect for daily system checks.
Setting Precise Time Windows For Targeted Investigation
journalctl --since "2023-09-10 10:00:00" --until "2023-09-10 11:00:00"
Zoom in on a specific window of time. You can also use relative times:
journalctl --since "1 hour ago"
Service-Specific Filtering Methods For Efficient Debugging
Instead of wading through every log, focus on just the service you care about:
Isolating Logs From Individual System Services
journalctl -u ssh
This shows only logs from the SSH service. Replace ssh with any service name like apache2, nginx, or docker.
Combining Multiple Service Logs In One View
journalctl -u ssh -u apache2
Track multiple related services in one view.
Extracting Kernel-Specific Messages For Hardware Troubleshooting
journalctl -k
Just the kernel messages – useful for hardware or driver issues.
Severity-Based Priority Filtering For Critical Issue Detection
Not all logs are created equal. Filter by severity to focus on what matters:
Focusing On High Priority Error Messages
journalctl -p err
This shows only error, critical, alert, and emergency messages – the stuff you need to worry about.
| Priority Level | Description | When to Use |
|---|---|---|
| 0: emerg | System is unusable | Major system failure |
| 1: alert | Action needed immediately | Critical security issues |
| 2: crit | Critical conditions | Hardware failures |
| 3: err | Error conditions | Application crashes |
| 4: warning | Warning conditions | Resource issues |
| 5: notice | Normal but significant | Security notices |
| 6: info | Informational | Normal operations |
| 7: debug | Debug-level messages | Detailed troubleshooting |
Combining Service And Priority Filters For Precise Results
journalctl -p warning -u nginx
Combining filters gives you laser-focused results.
Output Formatting Options For Enhanced Log Readability
Raw logs can be tough to parse. These options make them easier on the eyes:
Disabling Pager For Continuous Terminal Output
journalctl --no-pager
Dumps the entire output to your terminal instead of using the pager interface.
Converting Log Output To JSON Format For Script Processing
journalctl -o json
Perfect for piping to other tools or scripts for automated analysis.
Stripping Metadata To See Only The Core Message Content
journalctl -o cat
Strips the metadata and just shows you the messages themselves.
Advanced Troubleshooting Techniques For Linux Power Users
Ready to level up? These power-user commands will make you look like a Linux wizard:
Searching Log Entries With Grep-Like Pattern Matching
journalctl -g "error|failed"
This grep-like search finds all entries containing either "error" or "failed" – adjust the pattern to match what you're hunting for.
Monitoring Individual Process IDs For Targeted Debugging
journalctl _PID=1234
Focus on logs from a specific process ID. Great when you know exactly which process is acting up.
Analyzing Journal Storage Consumption On Your System
journalctl --disk-usage
See how much space your journal is taking up. Useful when storage is tight.
Reclaiming Disk Space By Removing Outdated Journal Entries
sudo journalctl --vacuum-time=2weeks
Keep your system tidy by removing logs older than two weeks.
Practical Real-World Troubleshooting Scenarios Using Journalctl
Let's combine these commands for some common troubleshooting scenarios:
Diagnosing Service Startup Failures With Error Filtering
journalctl -u nginx -b -p err
This shows all error messages from the nginx service since the last boot.
Uncovering System Crash Causes From Previous Boot Records
journalctl -b -1 -p crit
Check critical messages from the previous boot to find what caused a crash.
Real-Time Security Monitoring Of SSH Authentication Events
journalctl -u ssh -f
Watch SSH service logs in real-time to monitor login attempts as they happen.
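The JSON output format and the SSH monitoring scenario above fit together in a small detection script. This is an added example, not code from the original article: it parses constructed `journalctl -u ssh -o json` records, handles the byte-array and null forms a MESSAGE field can take, and counts failed password attempts per source address. The function names, the threshold and the sample records are assumptions.

```python
import json
import re
from collections import Counter
from datetime import datetime, timezone

FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")

def message_text(entry):
    """MESSAGE is a string, a list of byte values (non-printable data) or null (oversized)."""
    msg = entry.get("MESSAGE")
    if isinstance(msg, list) and all(isinstance(b, int) for b in msg):
        return bytes(msg).decode("utf-8", errors="replace")
    return msg if isinstance(msg, str) else ""

def failed_logins(lines):
    """Yield (utc_time, user, source_ip) for every failed sshd password attempt."""
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or truncated line, e.g. from an interrupted pipe
        match = FAILED.search(message_text(entry))
        if match:
            usec = int(entry["__REALTIME_TIMESTAMP"])  # microseconds since the epoch
            when = datetime.fromtimestamp(usec // 1_000_000, tz=timezone.utc)
            yield when, match.group(1), match.group(2)

def noisy_sources(lines, threshold=3):
    """Source addresses with at least `threshold` failed attempts."""
    counts = Counter(src for _, _, src in failed_logins(lines))
    return {src: n for src, n in counts.items() if n >= threshold}

def _entry(usec, message):
    # Constructed sample record using field names that journalctl -o json emits.
    return json.dumps({"__REALTIME_TIMESTAMP": str(usec), "PRIORITY": "6",
                       "_SYSTEMD_UNIT": "ssh.service", "MESSAGE": message})

SAMPLE = [  # constructed data; addresses are from documentation ranges
    _entry(1694340000000000, "Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2"),
    _entry(1694340002000000, "Failed password for root from 203.0.113.5 port 51235 ssh2"),
    _entry(1694340004000000, list(b"Failed password for root from 203.0.113.5 port 51236 ssh2\x1b[0m")),
    _entry(1694340005000000, None),  # oversized field exported as null
    _entry(1694340009000000, "Failed password for deploy from 198.51.100.7 port 40022 ssh2"),
    _entry(1694340011000000, "Accepted publickey for deploy from 198.51.100.7 port 40023 ssh2"),
    '{"__REALTIME_TIMESTAMP":"16943400',  # truncated line
]

if __name__ == "__main__":
    print(noisy_sources(SAMPLE))
```

To run it against real data, pass `sys.stdin` instead of `SAMPLE` and pipe in `journalctl -u ssh -o json --since today`.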
Configuring Persistent Journal Storage For Complete System History
By default, journalctl logs might not persist across reboots. Make them stick with this one-time setup:
Create the log directory:
sudo mkdir -p /var/log/journal
Adjust permissions:
sudo systemd-tmpfiles --create --prefix /var/log/journal
Restart the journal:
sudo systemctl restart systemd-journald
Now your logs will survive reboots, giving you a complete history when you need it most.
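Whether creating the directory is enough depends on the `Storage=` setting in journald.conf: with the default `auto`, journald writes to /var/log/journal only if that directory exists, while `volatile` or `none` disables persistence regardless. The check below is an added example, not part of the original article; the function name is hypothetical, and it assumes only /etc/systemd/journald.conf and its journald.conf.d drop-ins matter (vendor and /run configuration is ignored).

```python
import configparser
from pathlib import Path

def journal_persistence(root="/"):
    """Return (storage_setting, persists_across_reboots) for the system under `root`.

    Assumption: only /etc/systemd/journald.conf and the drop-ins in
    /etc/systemd/journald.conf.d are read.
    """
    root = Path(root)
    etc = root / "etc/systemd"
    files = [etc / "journald.conf"]
    dropins = etc / "journald.conf.d"
    if dropins.is_dir():
        files += sorted(dropins.glob("*.conf"))  # later files override earlier ones
    storage = "auto"  # journald's default when Storage= is not set
    for path in files:
        if not path.is_file():
            continue
        parser = configparser.ConfigParser(strict=False, interpolation=None)
        parser.read_string(path.read_text())
        value = parser.get("Journal", "Storage", fallback="").strip().lower()
        if value:
            storage = value
    if storage == "persistent":
        persists = True  # journald creates /var/log/journal itself if needed
    elif storage == "auto":
        persists = (root / "var/log/journal").is_dir()  # the mkdir step provides this
    else:
        persists = False  # "volatile" keeps logs under /run, "none" stores nothing
    return storage, persists

if __name__ == "__main__":
    print(journal_persistence("/"))
```

Pointing `root` at a mounted disk (for example `/mnt` from a live USB) tells you whether an offline system kept its journal before you go looking for it.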
Wrap-Up
With these commands, you've got the tools to tackle almost any log-related task on your Linux system. No more blindly searching through text files or guessing what went wrong.
FAQs
How do I check if the journald service is running properly?
Check the status of the systemd-journald service with:
systemctl status systemd-journald
This will show if the service is active, enabled, and running without errors.
Why can't I see logs older than a few days?
By default, the journal might be configured for volatile storage that clears on reboot. To check your current settings:
journalctl --disk-usage
If it's low, follow the persistent configuration steps in this guide to maintain logs across reboots.
Can I export journal logs to a text file?
Yes, redirect the output to a file:
journalctl -u apache2 > apache_logs.txt
For a specific timeframe:
journalctl --since yesterday --until today > yesterday_logs.txt
How do I troubleshoot when my system won't boot properly?
Boot from a live USB, then mount your system drive and use journalctl with the path to the journal:
sudo mount /dev/sdaX /mnt
sudo journalctl -D /mnt/var/log/journal
This lets you access the journal from your unbootable system.
What's the difference between journalctl and traditional log files?
Traditional logs are plain text files in /var/log/ with different formats per application. Journalctl provides a unified interface to structured binary logs with rich metadata, advanced filtering, and built-in rotation – all from one command.
How can I increase or limit the journal size?
Edit /etc/systemd/journald.conf and set maximum disk usage:
[Journal]
SystemMaxUse=2G
After editing, restart the journal:
sudo systemctl restart systemd-journald
This limits journal size to 2GB. Adjust as needed based on your storage constraints.