
Updated 8 hours ago

Something broke. Your web server returned errors, a service failed to start, or the system rebooted unexpectedly. Somewhere in the logs is the answer—but modern Linux systems generate millions of log entries. Finding the relevant ones by scrolling through text files isn't just tedious, it's often impossible.

The systemd journal changes the game. Instead of scattered text files, it maintains a centralized binary database capturing everything: kernel messages, service output, authentication events, application logs. And journalctl lets you query it.

Traditional logs are text files you grep blindly. The journal is a database you can query.

Viewing the Journal

See all journal entries:

sudo journalctl

This dumps everything—potentially millions of entries. The output uses a pager, so press G to jump to the end (recent entries) or q to quit.

More useful: show entries in reverse chronological order, most recent first:

sudo journalctl -r

Or follow new entries as they arrive, like tail -f:

sudo journalctl -f

Press Ctrl+C to stop following.

Filtering by Time

This is where the journal's structure pays off. Show only logs from the current boot:

sudo journalctl -b

After a reboot, this filters out all historical noise. See logs from a previous boot:

sudo journalctl -b -1    # Previous boot
sudo journalctl -b -2    # Two boots ago

List all recorded boots:

sudo journalctl --list-boots

Filter by specific time ranges:

sudo journalctl --since "2025-01-15 10:00:00"
sudo journalctl --since "1 hour ago"
sudo journalctl --since yesterday
sudo journalctl --since "2 days ago" --until "1 day ago"

Relative times like "1 hour ago" save you from timestamp arithmetic at 3am.

Filtering by Service

Show logs from a specific systemd service:

sudo journalctl -u nginx
sudo journalctl -u ssh      # Unit is named sshd on RHEL, Fedora and Arch
sudo journalctl -u mysql

Combine with time filters:

sudo journalctl -u nginx --since "1 hour ago"
sudo journalctl -u ssh -f    # Follow SSH logs live

View multiple services:

sudo journalctl -u nginx -u mysql

Filtering by Priority

Log messages have priority levels from 0 (emergency) to 7 (debug). Show only messages at or above a severity:

sudo journalctl -p err        # Errors and worse
sudo journalctl -p warning    # Warnings and worse
sudo journalctl -p crit       # Critical and worse

This cuts through noise immediately. Show all errors from the current boot:

sudo journalctl -p err -b

Filtering by Process

When you know the process but not the service unit:

sudo journalctl _PID=1234
sudo journalctl _COMM=sshd
sudo journalctl _COMM=nginx

Combining Filters

Here's where journalctl's power becomes clear. Show nginx errors from the last hour:

sudo journalctl -u nginx -p err --since "1 hour ago"

Follow SSH logs from the current boot:

sudo journalctl -u ssh -f -b

Critical messages from any service since yesterday:

sudo journalctl -p crit --since yesterday

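Different filters combine with AND logic: all conditions must match. Repeating the same filter, as with -u nginx -u mysql above, matches entries from any of the named units.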

Output Formats

Default output is human-readable. For all metadata:

sudo journalctl -o verbose

For machine-parseable JSON:

sudo journalctl -o json
sudo journalctl -o json-pretty

The default syslog-style format, selected explicitly:

sudo journalctl -o short

Kernel Messages

Show only kernel messages (equivalent to dmesg):

sudo journalctl -k
sudo journalctl -k -b    # Kernel messages from current boot

Searching Within Logs

Use grep on journal output:

sudo journalctl -u nginx | grep "404"
sudo journalctl | grep -i "error"

Or search within the pager: press / to search forward, ? to search backward.

Limiting Output

Show only the last N entries:

sudo journalctl -u nginx -n 50

Useful when a service just failed and you want recent context.

Managing Disk Space

Check journal size:

sudo journalctl --disk-usage

Clean up old entries:

sudo journalctl --vacuum-time=30d    # Keep last 30 days
sudo journalctl --vacuum-size=1G     # Keep max 1GB

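For permanent limits, edit the [Journal] section of /etc/systemd/journald.conf:

# Cap the disk space used by persistent journal files
SystemMaxUse=1G
# Delete journal files whose entries are older than 30 days
MaxRetentionSec=30day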

Exporting Logs

Save logs for sharing or analysis:

sudo journalctl -u nginx --since "1 hour ago" > nginx-logs.txt
sudo journalctl -u nginx -o json > nginx-logs.json

User Logs

Regular users can view the journal of their own user services without sudo:

journalctl --user

Troubleshooting Patterns

Service won't start? Check its recent logs:

sudo journalctl -u service-name -n 50

System acting strange after reboot? Compare current and previous boot:

sudo journalctl -b 0     # Current boot
sudo journalctl -b -1    # Previous boot

Looking for patterns? Pipe to standard tools:

# Count error messages by source
sudo journalctl -p err --since today | awk '{print $5}' | sort | uniq -c | sort -nr

# Extract SSH login timestamps
sudo journalctl -u ssh | grep "Accepted" | awk '{print $1, $2, $3}'
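The awk pipelines above depend on column positions in the text output. As an added example (not part of the original page), this Python sketch reads the output of journalctl -o json instead and summarizes SSH logins by journal field. It assumes OpenSSH's usual "Failed password ..." and "Accepted ..." message wording; the function names and the sample records are constructed for illustration.

```python
import json
import re
from collections import Counter
from datetime import datetime, timezone

# Greedy (.+) ties "from <addr>" to its last occurrence; the user name is client-supplied.
AUTH_RE = re.compile(r"^(Failed|Accepted) (\S+) for (?:invalid user )?(.+) from (\S+) port (\d+)(?: ssh2.*)?$")

def message_text(entry):
    """MESSAGE as str; -o json gives a byte-value list for non-UTF-8 data, null if oversized."""
    msg = entry.get("MESSAGE")
    if isinstance(msg, list) and all(isinstance(b, int) for b in msg):
        return bytes(msg).decode("utf-8", errors="replace")
    return msg if isinstance(msg, str) else ""

def ssh_auth_summary(lines):
    """Return (failed logins per source address, list of accepted logins)."""
    failed, accepted = Counter(), []
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or truncated line in an exported file
        # _COMM is a trusted field added by journald, not by the logging process.
        if not isinstance(entry, dict) or entry.get("_COMM") != "sshd":
            continue
        if not (m := AUTH_RE.match(message_text(entry))):
            continue
        outcome, method, user, addr, _port = m.groups()
        if outcome == "Failed":
            failed[addr] += 1
        else:
            ts = int(entry.get("__REALTIME_TIMESTAMP", 0)) // 10**6  # field is in microseconds
            accepted.append((datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(), user, addr, method))
    return failed.most_common(), accepted

# Constructed records using documentation addresses; not real log data.
def sample_record(comm, msg, ts="1736935200000000"):
    return json.dumps({"_COMM": comm, "MESSAGE": msg, "__REALTIME_TIMESTAMP": ts})
SAMPLE = [
    sample_record("sshd", "Failed password for invalid user admin from 203.0.113.7 port 52311 ssh2"),
    sample_record("sshd", "Failed password for root from 203.0.113.7 port 52313 ssh2"),
    sample_record("sshd", list(b"Failed password for invalid user \xff from 198.51.100.9 port 4000 ssh2")),
    sample_record("sshd", "Accepted publickey for alice from 192.0.2.10 port 50022 ssh2: ED25519 SHA256:EXAMPLE"),
    sample_record("nginx", "Failed password for x from 192.0.2.66 port 1 ssh2"),
]

if __name__ == "__main__":
    print(ssh_auth_summary(SAMPLE))
```

To run it on live data, pass the lines of sudo journalctl -u ssh -o json to ssh_auth_summary in place of SAMPLE.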
