# journalctl — Query and Search the systemd Journal

> Practical guide to journalctl: filter the systemd journal by unit, time and priority, follow logs live, inspect boot and kernel messages, and reclaim disk space.

Source: https://www.jpkc.com/db/en/cheatsheets/shell-system/journalctl/

journalctl is your window into the systemd journal – the central log store that collects messages from the kernel, services and applications in a structured, queryable form. Instead of grepping through scattered files under `/var/log`, you filter precisely by unit, time range, priority or process and follow new entries in real time. This guide walks you through the queries you actually reach for when debugging and operating systems – from diagnosing a single service to reclaiming space from an overgrown journal.

## Basic Usage

`journalctl` — Show all journal entries (oldest first) in a pager.

```bash
journalctl
```

`journalctl -r` — Show entries in reverse order (newest first).

```bash
journalctl -r
```

`journalctl -n N` — Show only the last N entries (default: 10).

```bash
journalctl -n 50
```

`journalctl -f` — Follow mode: continuously show new log entries (like `tail -f`).

```bash
journalctl -f
```

`journalctl -e` — Jump to the end of the journal in the pager.

```bash
journalctl -e
```

`journalctl --no-pager` — Output directly without a pager. Useful for piping.

```bash
journalctl --no-pager -n 100
```

## Filter by Unit/Service

`journalctl -u UNIT` — Show logs for a specific systemd unit/service.

```bash
journalctl -u nginx.service
```

`journalctl -u UNIT -f` — Follow logs for a specific service.

```bash
journalctl -u nginx.service -f
```

`journalctl -u UNIT1 -u UNIT2` — Show logs for multiple services.

```bash
journalctl -u nginx.service -u php-fpm.service
```

`journalctl -u 'nginx*'` — Show logs for units matching a pattern.

```bash
journalctl -u 'nginx*'
```

`journalctl -u UNIT --since today` — Show today's logs for a service.

```bash
journalctl -u sshd.service --since today
```

## Filter by Time

`journalctl --since 'YYYY-MM-DD HH:MM:SS'` — Show entries since a specific date and time.

```bash
journalctl --since '2024-01-15 09:00:00'
```

`journalctl --until 'YYYY-MM-DD HH:MM:SS'` — Show entries until a specific date and time.

```bash
journalctl --until '2024-01-15 17:00:00'
```

`journalctl --since today` — Show entries from today.

```bash
journalctl --since today
```

`journalctl --since yesterday --until today` — Show yesterday's entries.

```bash
journalctl --since yesterday --until today
```

`journalctl --since '1 hour ago'` — Show entries from the last hour.

```bash
journalctl --since '1 hour ago'
```

`journalctl --since '30 min ago'` — Show entries from the last 30 minutes.

```bash
journalctl --since '30 min ago'
```

`journalctl --since '2 days ago'` — Show entries from the last 2 days.

```bash
journalctl --since '2 days ago'
```

## Filter by Priority

`journalctl -p err` — Show only error messages and above (err, crit, alert, emerg).

```bash
journalctl -p err
```

`journalctl -p warning` — Show warnings and above.

```bash
journalctl -p warning
```

`journalctl -p crit` — Show only critical and above.

```bash
journalctl -p crit
```

`journalctl -p info` — Show info and above (default).

```bash
journalctl -p info
```

`journalctl -p debug` — Show all messages including debug level.

```bash
journalctl -p debug
```

`journalctl -p err..warning` — Show messages in a priority range.

```bash
journalctl -p err..warning
```

## Filter by Process & User

`journalctl _PID=PID` — Show logs for a specific process ID.

```bash
journalctl _PID=1234
```

`journalctl _UID=UID` — Show logs from a specific user ID.

```bash
journalctl _UID=1000
```

`journalctl _GID=GID` — Show logs from a specific group ID.

```bash
journalctl _GID=33
```

`journalctl _COMM=COMMAND` — Show logs from processes with a specific command name.

```bash
journalctl _COMM=sshd
```

`journalctl _EXE=PATH` — Show logs from a specific executable.

```bash
journalctl _EXE=/usr/sbin/nginx
```

`journalctl _HOSTNAME=HOST` — Show logs from a specific hostname (useful with remote journaling).

```bash
journalctl _HOSTNAME=webserver01
```

## Kernel Messages

`journalctl -k` — Show only kernel messages (equivalent to `dmesg`).

```bash
journalctl -k
```

`journalctl -k -b` — Show kernel messages from the current boot.

```bash
journalctl -k -b
```

`journalctl -k -p err` — Show kernel errors.

```bash
journalctl -k -p err
```

`journalctl -k -f` — Follow kernel messages in real time.

```bash
journalctl -k -f
```

## Boot Logs

`journalctl -b` — Show logs from the current boot.

```bash
journalctl -b
```

`journalctl -b -1` — Show logs from the previous boot.

```bash
journalctl -b -1
```

`journalctl -b -2` — Show logs from two boots ago.

```bash
journalctl -b -2
```

`journalctl --list-boots` — List all available boot sessions with timestamps.

```bash
journalctl --list-boots
```

## Output Formats

`journalctl -o short` — Default syslog-style output.

```bash
journalctl -o short -n 10
```

`journalctl -o short-precise` — Syslog-style with microsecond precision.

```bash
journalctl -o short-precise -n 10
```

`journalctl -o short-iso` — Syslog-style with ISO 8601 timestamps.

```bash
journalctl -o short-iso -n 10
```

`journalctl -o verbose` — Show all fields for each entry.

```bash
journalctl -o verbose -n 5
```

`journalctl -o json` — Output in JSON format (one object per line).

```bash
journalctl -o json -n 5
```

`journalctl -o json-pretty` — Output in pretty-printed JSON.

```bash
journalctl -o json-pretty -n 5
```

`journalctl -o cat` — Show only the message text (no metadata).

```bash
journalctl -u nginx -o cat -n 20
```

`journalctl -o export` — Binary export format for journalctl --import.

```bash
journalctl -o export > journal.export
```

## Search & Grep

`journalctl -g PATTERN` — Filter entries by a regular expression pattern (grep-like).

```bash
journalctl -g 'error|fail'
```

`journalctl -g PATTERN --case-sensitive=no` — Case-insensitive regex search.

```bash
journalctl -g 'timeout' --case-sensitive=no
```

`journalctl | grep PATTERN` — Pipe through grep for traditional text matching.

```bash
journalctl --no-pager | grep 'Failed password'
```

## Disk Usage & Maintenance

`journalctl --disk-usage` — Show how much disk space the journal occupies.

```bash
journalctl --disk-usage
```

`journalctl --vacuum-size=SIZE` — Remove old entries until the journal is below SIZE. Destructive: deleted logs are gone for good.

```bash
sudo journalctl --vacuum-size=500M
```

`journalctl --vacuum-time=TIME` — Remove entries older than TIME. Destructive.

```bash
sudo journalctl --vacuum-time=30d
```

`journalctl --vacuum-files=N` — Keep only the N most recent journal files; older ones are deleted. Destructive.

```bash
sudo journalctl --vacuum-files=5
```

`journalctl --rotate` — Force rotation of journal files (close the active file, start a new one) – a prerequisite for vacuuming right away.

```bash
sudo journalctl --rotate
```

`journalctl --verify` — Verify the integrity of journal files.

```bash
journalctl --verify
```
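
The vacuum options above delete entries for good, so a retention job should archive first and delete only when the archive exists. The following is an added example, not part of the original cheat sheet: the function name `archive_then_vacuum`, its arguments and the `JOURNALCTL` variable are assumptions made for illustration.

```bash
#!/bin/sh
# Added example: export old entries to a file, then rotate and vacuum.
# JOURNALCTL is a hypothetical override (for instance "sudo journalctl");
# rotating and vacuuming the system journal needs root.
: "${JOURNALCTL:=journalctl}"

archive_then_vacuum() {
    keep="$1"      # retention for --vacuum-time, e.g. 30d
    cutoff="$2"    # matching point in time for --until, e.g. '30 days ago'
    dest="$3"      # archive file to create

    # 1. Export everything older than the cutoff in the export format.
    if ! $JOURNALCTL --no-pager -o export --until "$cutoff" > "$dest.tmp"; then
        rm -f "$dest.tmp"
        echo "export failed, nothing deleted" >&2
        return 1
    fi

    # 2. Refuse to delete anything if the archive came out empty.
    if [ ! -s "$dest.tmp" ]; then
        rm -f "$dest.tmp"
        echo "empty export, nothing deleted" >&2
        return 1
    fi
    mv "$dest.tmp" "$dest"

    # 3. Only now close the active file and remove the old entries.
    $JOURNALCTL --rotate && $JOURNALCTL --vacuum-time="$keep"
}

# Usage:
#   JOURNALCTL='sudo journalctl' \
#       archive_then_vacuum 30d '30 days ago' /srv/archive/journal.export
```

Run `journalctl --verify` beforehand if the archive is meant to serve as evidence later.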

## Common Patterns

`journalctl -u nginx -p err --since today` — Today's errors from nginx.

```bash
journalctl -u nginx.service -p err --since today
```

`journalctl -u sshd -g 'Failed password' --since '1 hour ago'` — Failed SSH login attempts in the last hour.

```bash
journalctl -u sshd.service -g 'Failed password' --since '1 hour ago'
```
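
To turn the `Failed password` searches shown here and under Search & Grep into something you can act on, group the matches by source address. This is an added example, not part of the original cheat sheet: the function names `failed_by_source` and `sample_journal` and the sample lines are constructed for illustration.

```bash
#!/bin/sh
# Added example: count failed SSH password attempts per source address.
# Reads journal lines (-o short-iso) on stdin and prints "COUNT ADDRESS"
# for every address with at least THRESHOLD failures, busiest first.

failed_by_source() {
    threshold="${1:-3}"
    awk -v min="$threshold" '
        /: Failed password for / {
            # The user name is chosen by the client and may contain spaces
            # or the word "from", so read the fields from the end of the
            # line: ... from ADDRESS port PORT ssh2
            if (NF >= 5 && $(NF-4) == "from" && $(NF-2) == "port")
                hits[$(NF-3)]++
        }
        END {
            for (addr in hits)
                if (hits[addr] >= min)
                    printf "%d %s\n", hits[addr], addr
        }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample lines using documentation address ranges.
sample_journal() {
    cat <<'EOF'
2024-01-15T09:00:01+0000 webserver01 sshd[1234]: Failed password for root from 203.0.113.7 port 51234 ssh2
2024-01-15T09:00:03+0000 webserver01 sshd[1236]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
2024-01-15T09:00:05+0000 webserver01 sshd[1238]: Failed password for root from 203.0.113.7 port 51238 ssh2
2024-01-15T09:01:10+0000 webserver01 sshd[1250]: Failed password for invalid user test from 198.51.100.23 port 40110 ssh2
2024-01-15T09:01:12+0000 webserver01 sshd[1252]: Failed password for invalid user ops from home from 198.51.100.23 port 40112 ssh2
2024-01-15T09:02:00+0000 webserver01 sshd[1260]: Accepted password for deploy from 192.0.2.10 port 40022 ssh2
EOF
}

# Live use (the unit is ssh.service on Debian and Ubuntu):
#   journalctl -u sshd.service -g 'Failed password' --since '1 hour ago' \
#       --no-pager -o short-iso | failed_by_source 5
sample_journal | failed_by_source 3
```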

`journalctl -p err -b --no-pager` — All errors since current boot without pager.

```bash
journalctl -p err -b --no-pager
```

`journalctl -u UNIT -o json --no-pager | jq .` — Parse service logs as JSON with jq.

```bash
journalctl -u nginx -o json --no-pager -n 5 | jq .
```

`journalctl -k -p err -b` — Kernel errors from the current boot.

```bash
journalctl -k -p err -b
```

`journalctl --since '5 min ago' -f` — Show last 5 minutes of logs and continue following.

```bash
journalctl --since '5 min ago' -f
```

## Conclusion

journalctl turns scattered log files into a single, searchable source: with `-u`, `--since`, `-p` and `-f` you narrow an incident down in seconds, while `-b` and `-k` take you straight to boot and kernel messages, and `-x` adds explanatory hints for many systemd entries. To read other users' or system-wide logs you need to be in the `adm` or `systemd-journal` group (or use `sudo`); whether the journal survives reboots depends on `Storage=persistent` and an existing `/var/log/journal` directory. Be careful with `--vacuum-size`, `--vacuum-time`, `--vacuum-files` and `--rotate`: these commands permanently delete or discard old entries – handy for freeing disk space, but never run them on a hunch while you still need the logs for analysis.

## Further Reading

- [systemd: journalctl (man page)](https://www.freedesktop.org/software/systemd/man/latest/journalctl.html) – official reference for every option and journal field
- [Arch Wiki: systemd/Journal](https://wiki.archlinux.org/title/Systemd/Journal) – thorough guide to configuring and querying the journal

## Related Commands

- [systemctl](https://www.jpkc.com/db/en/cheatsheets/shell-system/systemctl/) – manage systemd services and check their status
- [dmesg](https://www.jpkc.com/db/en/cheatsheets/shell-system/dmesg/) – read the kernel ring buffer directly
- [loginctl](https://www.jpkc.com/db/en/cheatsheets/shell-system/loginctl/) – manage login sessions and users via systemd-logind

