journalctl — Query and Search the systemd Journal
Practical guide to journalctl: filter the systemd journal by unit, time and priority, follow logs live, inspect boot and kernel messages, and reclaim disk space.
journalctl is your window into the systemd journal – the central log store that collects messages from the kernel, services and applications in a structured, queryable form. Instead of grepping through scattered files under /var/log, you filter precisely by unit, time range, priority or process and follow new entries in real time. This guide walks you through the queries you actually reach for when debugging and operating systems – from diagnosing a single service to reclaiming space from an overgrown journal.
Basic Usage
journalctl — Show all journal entries (oldest first) in a pager.
    journalctl
journalctl -r — Show entries in reverse order (newest first).
    journalctl -r
journalctl -n N — Show only the last N entries (default: 10).
    journalctl -n 50
journalctl -f — Follow mode — continuously show new log entries (like tail -f).
    journalctl -f
journalctl -e — Jump to the end of the journal in the pager.
    journalctl -e
journalctl --no-pager — Output directly without a pager. Useful for piping.
    journalctl --no-pager -n 100

Filter by Unit/Service
journalctl -u UNIT — Show logs for a specific systemd unit/service.
    journalctl -u nginx.service
journalctl -u UNIT -f — Follow logs for a specific service.
    journalctl -u nginx.service -f
journalctl -u UNIT1 -u UNIT2 — Show logs for multiple services.
    journalctl -u nginx.service -u php-fpm.service
journalctl -u 'nginx*' — Show logs for units matching a pattern.
    journalctl -u 'nginx*'
journalctl -u UNIT --since today — Show today's logs for a service.
    journalctl -u sshd.service --since today

Filter by Time
journalctl --since 'YYYY-MM-DD HH:MM:SS' — Show entries since a specific date and time.
    journalctl --since '2024-01-15 09:00:00'
journalctl --until 'YYYY-MM-DD HH:MM:SS' — Show entries until a specific date and time.
    journalctl --until '2024-01-15 17:00:00'
journalctl --since today — Show entries from today.
    journalctl --since today
journalctl --since yesterday --until today — Show yesterday's entries.
    journalctl --since yesterday --until today
journalctl --since '1 hour ago' — Show entries from the last hour.
    journalctl --since '1 hour ago'
journalctl --since '30 min ago' — Show entries from the last 30 minutes.
    journalctl --since '30 min ago'
journalctl --since '2 days ago' — Show entries from the last 2 days.
    journalctl --since '2 days ago'

Filter by Priority
journalctl -p err — Show only error messages and above (err, crit, alert, emerg).
    journalctl -p err
journalctl -p warning — Show warnings and above.
    journalctl -p warning
journalctl -p crit — Show only critical and above.
    journalctl -p crit
journalctl -p info — Show info and above (default).
    journalctl -p info
journalctl -p debug — Show all messages including debug level.
    journalctl -p debug
journalctl -p err..warning — Show messages in a priority range.
    journalctl -p err..warning

Filter by Process & User
journalctl _PID=PID — Show logs for a specific process ID.
    journalctl _PID=1234
journalctl _UID=UID — Show logs from a specific user ID.
    journalctl _UID=1000
journalctl _GID=GID — Show logs from a specific group ID.
    journalctl _GID=33
journalctl _COMM=COMMAND — Show logs from processes with a specific command name.
    journalctl _COMM=sshd
journalctl _EXE=PATH — Show logs from a specific executable.
    journalctl _EXE=/usr/sbin/nginx
journalctl _HOSTNAME=HOST — Show logs from a specific hostname (useful with remote journaling).
    journalctl _HOSTNAME=webserver01

Kernel Messages
journalctl -k — Show only kernel messages (equivalent to dmesg).
    journalctl -k
journalctl -k -b — Show kernel messages from the current boot.
    journalctl -k -b
journalctl -k -p err — Show kernel errors.
    journalctl -k -p err
journalctl -k -f — Follow kernel messages in real time.
    journalctl -k -f

Boot Logs
journalctl -b — Show logs from the current boot.
    journalctl -b
journalctl -b -1 — Show logs from the previous boot.
    journalctl -b -1
journalctl -b -2 — Show logs from two boots ago.
    journalctl -b -2
journalctl --list-boots — List all available boot sessions with timestamps.
    journalctl --list-boots

Output Formats
journalctl -o short — Default syslog-style output.
    journalctl -o short -n 10
journalctl -o short-precise — Syslog-style with microsecond precision.
    journalctl -o short-precise -n 10
journalctl -o short-iso — Syslog-style with ISO 8601 timestamps.
    journalctl -o short-iso -n 10
journalctl -o verbose — Show all fields for each entry.
    journalctl -o verbose -n 5
journalctl -o json — Output in JSON format (one object per line).
    journalctl -o json -n 5
journalctl -o json-pretty — Output in pretty-printed JSON.
    journalctl -o json-pretty -n 5
journalctl -o cat — Show only the message text (no metadata).
    journalctl -u nginx -o cat -n 20
journalctl -o export — Binary export format for journalctl --import.
    journalctl -o export > journal.export

Search & Grep
journalctl -g PATTERN — Filter entries by a regular expression pattern (grep-like).
    journalctl -g 'error|fail'
journalctl -g PATTERN --case-sensitive=no — Case-insensitive regex search.
    journalctl -g 'timeout' --case-sensitive=no
journalctl | grep PATTERN — Pipe through grep for traditional text matching.
    journalctl --no-pager | grep 'Failed password'

Disk Usage & Maintenance
journalctl --disk-usage — Show how much disk space the journal occupies.
    journalctl --disk-usage
journalctl --vacuum-size=SIZE — Remove old entries until the journal is below SIZE. Destructive: deleted logs are gone for good.
    sudo journalctl --vacuum-size=500M
journalctl --vacuum-time=TIME — Remove entries older than TIME. Destructive.
    sudo journalctl --vacuum-time=30d
journalctl --vacuum-files=N — Keep only the N most recent journal files; older ones are deleted. Destructive.
    sudo journalctl --vacuum-files=5
journalctl --rotate — Force rotation of journal files (close the active file, start a new one) – a prerequisite for vacuuming right away.
    sudo journalctl --rotate
journalctl --verify — Verify the integrity of journal files.
    journalctl --verify

Common Patterns
journalctl -u nginx -p err --since today — Today's errors from nginx.
    journalctl -u nginx.service -p err --since today
journalctl -u sshd -g 'Failed password' --since '1 hour ago' — Failed SSH login attempts in the last hour.
    journalctl -u sshd.service -g 'Failed password' --since '1 hour ago'
journalctl -p err -b --no-pager — All errors since current boot without pager.
    journalctl -p err -b --no-pager
journalctl -u UNIT -o json --no-pager | jq . — Parse service logs as JSON with jq.
    journalctl -u nginx -o json --no-pager -n 5 | jq .
journalctl -k -p err -b — Kernel errors from the current boot.
    journalctl -k -p err -b
journalctl --since '5 min ago' -f — Show last 5 minutes of logs and continue following.
    journalctl --since '5 min ago' -f

Conclusion
journalctl turns scattered log files into a single, searchable source: with -u, --since, -p and -f you narrow an incident down in seconds, while -b and -k take you straight to boot and kernel messages, and -x adds explanatory hints for many systemd entries. To read other users' or system-wide logs you need to be in the adm or systemd-journal group (or use sudo); whether the journal survives reboots depends on Storage=persistent and an existing /var/log/journal directory. Be careful with --vacuum-size, --vacuum-time, --vacuum-files and --rotate: these commands permanently delete or discard old entries – handy for freeing disk space, but never run them on a hunch while you still need the logs for analysis.
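The failed-SSH-login and JSON patterns from Common Patterns, combined into a per-source tally, as an added example that is not part of the original guide. The names field_text, failed_logins and top_sources are hypothetical, the sample entries are constructed, and the message layout is assumed to be the usual OpenSSH "Failed password for USER from IP port N ssh2" form.

```python
import json
import re
from collections import Counter
from datetime import datetime, timezone

# Greedy (.*) so the *last* " from IP port N" is parsed: the user name is
# supplied by the client and may itself contain " from ... port ...".
FAILED = re.compile(r"^Failed password for (?:invalid user )?(.*) from (\S+) port (\d+)(?: ssh2)?$")

def _entry(ts, message):
    return json.dumps({"__REALTIME_TIMESTAMP": ts, "_COMM": "sshd", "MESSAGE": message})

# Constructed sample shaped like `journalctl -u sshd.service -o json` output, one object per line.
SAMPLE = [
    _entry("1705309200000000", "Failed password for root from 203.0.113.7 port 51122 ssh2"),
    _entry("1705309205000000", "Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2"),
    _entry("1705309210000000", "Failed password for invalid user x from 192.0.2.1 port 1 from 203.0.113.7 port 51140 ssh2"),
    _entry("1705309260000000", "Accepted publickey for deploy from 198.51.100.4 port 40022 ssh2"),
    _entry("1705309300000000", list(b"Failed password for invalid user \xff\xfe from 198.51.100.9 port 40100 ssh2")),
    _entry("1705309310000000", None),  # oversized fields are emitted as null
    "-- not a JSON line --",
]

def field_text(value):
    """Decode a journal JSON field: a string, an array of byte values (non-UTF-8 data), or null."""
    if isinstance(value, str):
        return value
    if isinstance(value, list) and all(isinstance(b, int) and 0 <= b < 256 for b in value):
        return bytes(value).decode("utf-8", errors="replace")
    return ""

def failed_logins(lines):
    """Yield (utc_time, user, source_ip) for each failed password entry."""
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        match = FAILED.match(field_text(entry.get("MESSAGE"))) if isinstance(entry, dict) else None
        if match:
            usec = int(entry["__REALTIME_TIMESTAMP"])  # microseconds since the epoch
            yield datetime.fromtimestamp(usec / 1e6, tz=timezone.utc), match.group(1), match.group(2)

def top_sources(lines, threshold=2):
    counts = Counter(ip for _, _, ip in failed_logins(lines))
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]

if __name__ == "__main__":
    print(top_sources(SAMPLE))
```

On a live host, pass the lines of `journalctl -u sshd.service -o json --no-pager --since '1 hour ago'` to top_sources instead of SAMPLE.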
Further Reading
- systemd: journalctl (man page) – official reference for every option and journal field
- Arch Wiki: systemd/Journal – thorough guide to configuring and querying the journal