journalctl

Show all messages with priority level 3 (errors) from this boot

$ journalctl [[-b|--boot]] [[-p|--priority]] 3

$ journalctl --vacuum-time 2d

$ journalctl [[-n|--lines]] [n] [[-f|--follow]]

$ journalctl [[-u|--unit]] [unit]

$ journalctl _SYSTEMD_INVOCATION_ID=$(systemctl show --value --property=InvocationID [unit])

$ journalctl [[-S|--since]] [now|today|yesterday|tomorrow] [[-U|--until]] "[YYYY-MM-DD HH:MM:SS]"

$ journalctl _PID=[pid]

$ journalctl [path/to/executable]

journalctl [OPTIONS...] [MATCHES...]

-f, --follow
    Continuously display new journal entries as they are added, similar to tail -f.

-e, --pager-end
    Jump to the end of the journal output in the pager, instead of showing the beginning.

-n NUMBER, --lines=NUMBER
    Show the specified number of most recent journal entries.

-r, --reverse
    Display entries in reverse chronological order (newest first).

-u UNIT, --unit=UNIT
    Filter messages from a specific systemd unit (e.g., ssh.service, nginx.service).

-b [ID|0], --boot=[ID|0]
    Filter by a specific boot. -b without an ID shows the current boot. -b 0 shows the previous boot. Use --list-boots to see available boot IDs.

-k, --dmesg
    Show only kernel messages, similar to the output of dmesg.

-p LEVEL, --priority=LEVEL
    Filter by message priority level (e.g., emerg, alert, crit, err, warning, notice, info, debug).

-S DATE, --since=DATE
    Show entries from the specified date and time onwards. Date formats like 'YYYY-MM-DD HH:MM:SS', 'yesterday', or 'now'.

-U DATE, --until=DATE
    Show entries until the specified date and time.

-o FORMAT, --output=FORMAT
    Control the output format. Common formats include short, verbose, json, json-pretty, cat, export.

--disk-usage
    Show the current disk usage of the journal files.

--vacuum-size=BYTES
    Reduce the journal size to the specified amount by deleting older entries. Requires root privileges.

--no-pager
    Print all output directly to stdout without piping through a pager like less.

The journalctl command is a powerful utility used to query and display messages from the systemd journal. The systemd journal is a centralized logging system that collects and stores log data from the kernel, systemd services, user processes, and other sources. Unlike traditional syslog files, the journal stores logs in a structured, indexed, and often binary format, making journalctl an indispensable tool for accessing and analyzing this data.

It offers robust filtering capabilities, allowing users to view logs by specific systemd units, time ranges, boot IDs, message priorities, and more. This makes it a primary tool for system administrators and developers to diagnose issues, monitor system activity, and audit events on systems running systemd.

Access to all journal logs, especially those of other users or system processes, typically requires root privileges or membership in the adm or systemd-journal groups.

The systemd journal can consume significant disk space if not managed properly. Regular vacuuming or size limits should be configured for persistent journals.

Journal entries are stored in a binary format, meaning they cannot be directly viewed or manipulated with standard text tools (like cat or grep) and require journalctl for proper interpretation and filtering.

By default, journal logs are stored in /run/log/journal/, which is a volatile filesystem and means logs are lost on reboot. For persistent storage across reboots, the directory /var/log/journal/ must exist. If it exists, systemd-journald will store logs there automatically.

Unlike traditional log files, journal entries are structured, consisting of multiple fields (e.g., _SYSTEMD_UNIT, _PID, MESSAGE). This structured nature allows for powerful and precise filtering (e.g., journalctl _PID=1234) and integration with other tools when using JSON output (-o json or -o json-pretty).

journalctl is an integral part of the systemd init system, which was first released in 2010. It was developed to provide a unified, structured, and persistent logging solution that could replace and consolidate the various logging mechanisms (like syslog and dmesg) traditionally used on Linux systems. Its introduction marked a significant shift from plain-text log files to a centralized, binary journal database, offering enhanced filtering, indexing, and management capabilities that journalctl exposes to the user.

systemd(1), systemd-journald(8), dmesg(1), tail(1), grep(1)