Quick guide to using journalctl for log analysis. journalctl is a powerful and indispensable tool for Linux administrators who want to quickly investigate system or service issues.
With the help of filtering commands and advanced options, log analysis becomes efficient and precise, helping to identify and quickly resolve problems.
Quick Guide to Using journalctl
On modern Linux systems that use systemd, the journalctl command is the primary tool for viewing and analyzing system logs.
This guide provides a quick and practical overview of essential journalctl commands, useful in diagnosing errors, monitoring services, and investigating security events.
What is journalctl?
journalctl is the standard utility for accessing logs stored by systemd-journald.
It offers advanced filtering, chronological sorting, and detailed display functions for messages generated by the system, services, and applications.
Basic Command
To display all available logs:
journalctl
Viewing Recent Logs
Similar to the tail -f command, to follow logs in real time:
journalctl -f
Limiting by Boot
To display logs from the current boot (everything since the last reboot):
journalctl -b
For a specific previous reboot:
journalctl -b -1 # second-to-last boot
journalctl -b -2 # third-to-last boot
Filtering by Service
To see only the logs of a specific service (e.g., sshd):
journalctl -u sshd
To view recent logs of a service:
journalctl -u sshd --since "1 hour ago"
Filtering by Date
journalctl --since "2025-07-24 08:00" --until "2025-07-24 12:00"
You can also use relative expressions:
journalctl --since "yesterday"
journalctl --since "2 hours ago"
Filtering by Severity Level
Logs can be filtered based on priority level:
journalctl -p err # err and more severe (crit, alert, emerg)
journalctl -p warning # warning and more severe
journalctl -p info # info and more severe
Possible values are: emerg, alert, crit, err, warning, notice, info, debug.
Filtering by Multiple Units
journalctl -u nginx -u mysql
Exporting Logs
To save logs to a text file:
journalctl -u apache2 --since "2025-07-24" > apache-log.txt
Persistent vs. Temporary Logs
By default, systemd may store logs only in RAM.
To keep them permanently:
sudo mkdir -p /var/log/journal
sudo systemctl restart systemd-journald
Deleting Old Logs
Managing disk space:
sudo journalctl --vacuum-size=100M
sudo journalctl --vacuum-time=7d
These commands will remove older logs to save space.
Using with grep
To search for a keyword in logs:
journalctl | grep "error"
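Added example (not part of the original guide): the unit filter, time filter and keyword search above combined into a per-source count of failed SSH password attempts. The function names failed_ssh_by_source and sample_journal are hypothetical, the sample lines are constructed, and the OpenSSH message format "Failed password for USER from ADDR port N ssh2" is assumed.

```shell
#!/bin/sh
# Added example: count failed SSH password attempts per source address.
# Reads journal text on stdin, so it works on live output or a saved export.

# failed_ssh_by_source: prints "<count> <source>" lines, highest count first.
failed_ssh_by_source() {
    awk '
    # Match sshd, sshd[PID] or sshd-session[PID] as the logging process.
    /sshd[^ ]*: Failed password for / && NF >= 5 {
        # The user name is supplied by the remote client and may itself
        # contain the word "from", so locate the address by counting
        # fields back from the end of the line: ... from ADDR port N ssh2
        if ($(NF - 4) == "from" && $(NF - 2) == "port")
            count[$(NF - 3)]++
    }
    END { for (src in count) print count[src], src }' |
    sort -k1,1nr -k2,2
}

# Constructed sample lines in the default journalctl output format.
# Addresses come from the documentation ranges, not from real hosts.
sample_journal() {
    cat <<'EOF'
Jul 24 08:01:12 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Jul 24 08:01:15 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Jul 24 08:01:19 web01 sshd[2214]: Failed password for root from 203.0.113.7 port 51130 ssh2
Jul 24 08:02:40 web01 sshd[2230]: Failed password for invalid user from from 198.51.100.23 port 40022 ssh2
Jul 24 08:03:02 web01 sshd[2241]: Accepted password for deploy from 192.0.2.10 port 50210 ssh2
Jul 24 08:03:05 web01 systemd[1]: Started Session 12 of user deploy.
EOF
}

# Live use (needs a systemd host and permission to read the journal):
#   journalctl -u sshd --since "1 hour ago" --no-pager | failed_ssh_by_source
# Offline demo on the constructed sample:
if [ "${1:-}" = "--demo" ]; then
    sample_journal | failed_ssh_by_source
fi
```

On distributions where the SSH unit is named ssh rather than sshd, change the -u argument in the live command accordingly.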
