journalctl

Show all messages with priority level 3 (errors) from this boot

$ journalctl [[-b|--boot]] [[-p|--priority]] 3

$ journalctl --vacuum-time 2d

$ journalctl [[-n|--lines]] [n] [[-f|--follow]]

$ journalctl [[-u|--unit]] [unit]

$ journalctl _SYSTEMD_INVOCATION_ID=$(systemctl show --value --property=InvocationID [unit])

$ journalctl [[-S|--since]] [now|today|yesterday|tomorrow] [[-U|--until]] "[YYYY-MM-DD HH:MM:SS]"

$ journalctl _PID=[pid]

$ journalctl [path/to/executable]

journalctl [OPTIONS...] [MATCHES...]

-h, --help
    Print help text and exit

--version
    Print version string and exit

-a, --all
    Show all fields in full, even verbose ones

-f, --follow
    Follow new messages as they come in (like tail -f)

-e, --pager-end
    Jump to the end of the journal in pager

-n, --lines[=NUMBER]
    Show the most recent journal lines (default 10)

--no-tail
    Do not tail; show everything from beginning

-p, --priority=PRIORITY
    Show messages with log level <= PRIORITY (0-7)

-b, --boot[=ID]
    Show messages from specified or current boot

-u, --unit=UNIT
    Show messages for the specified systemd unit

-S, --since=TIME
    Show entries not older than specified time (e.g., '2023-01-01')

-U, --until=TIME
    Show entries not newer than specified time

-g, --grep=PATTERN
    Filter messages matching shell glob PATTERN

-o, --output=FORMAT
    Specify output format (short, verbose, json, etc.)

--no-pager
    Do not pipe output into pager

-D, --directory=PATH
    Use journal files from specified directory

-M, --machine=NAME
    Operate on logs from specified machine

--user-unit=UNIT
    Show user unit logs

-k, --dmesg
    Show kernel messages only

--disk-usage
    Print disk usage of journal

--vacuum-time=TIME
    Remove journal files older than TIME

--vacuum-size=BYTES
    Remove journal files until disk space is free

-q, --quiet
    Do not show informational status messages

--utc
    Use UTC timestamps

-r, --reverse
    Show entries in reverse chronological order

journalctl is a versatile command-line utility for viewing and analyzing logs stored in the systemd journal, a binary logging system that collects structured data from the kernel, systemd units, services, and user processes. Unlike traditional text-based logs, the journal stores metadata like timestamps, priorities, PIDs, and units alongside messages, enabling powerful filtering, searching, and output formatting.

Key features include real-time tailing, time-range queries, priority-based filtering, service-specific views, and export to formats like JSON or short-precise. It supports pattern matching, boot-specific logs, and vacuuming old entries. Ideal for debugging, monitoring, and auditing, journalctl replaces tools like tail /var/log/syslog with more efficient, indexed access.

The journal is stored in /run/log/journal (volatile) or /var/log/journal (persistent), configurable via systemd-journald. Logs are rotated automatically based on size, time, or count limits.

Requires systemd; volatile logs lost on reboot unless persistent storage enabled in /etc/systemd/journald.conf. Binary format not human-readable directly. High verbosity may overwhelm output. Filtering with MATCHES requires exact field syntax like '_SYSTEMD_UNIT=ssh.service'.

journalctl -f: Tail live logs.
journalctl -u nginx.service: View nginx service logs.
journalctl -p err -b: Errors from current boot.
journalctl --since "1 hour ago": Recent logs.

Formats: '2012-10-30 18:17:16', 'today', 'yesterday', '1h ago', '+2d 3min', '2016-01-13 13:37:00 America/Los_Angeles' (timezone supported).

Developed as part of systemd project by Lennart Poettering and Kay Sievers. First appeared in systemd v38 (March 2011). Evolved with systemd releases: added JSON support (v209, 2014), colored output (v219), vacuum commands (v236), and catalog integration for better error descriptions.

systemd(1), systemd-journald(8), systemd-analyze(1), loginctl(1), journald.conf(5)