LinuxCommandLibrary

syslog

Send system log messages

SYNOPSIS

journalctl [OPTIONS...] [MATCHES...]

PARAMETERS

-b, --boot[=ID]
    View messages from a specific boot. Can use a numerical offset (e.g., -b -1 for previous boot) or a specific boot ID.

-k, --dmesg
    Show only kernel messages, equivalent to filtering by priority 'err' to 'emerg' and origin kernel.

-u, --unit=UNIT
    Show messages from a specific systemd unit (service). For example, journalctl -u sshd.

-p, --priority=PRIORITY
    Filter messages by priority or a range of priorities (e.g., 'err', 'warning', 'info' or numbers 0-7).

--since=DATE, --until=DATE
    Filter logs by a specific time range. Dates can be 'YYYY-MM-DD HH:MM:SS', 'yesterday', 'now -1 hour', etc.

-f, --follow
    Display new messages as they are written, similar to 'tail -f'.

-o, --output=FORMAT
    Control the output format. Common formats include 'short' (default), 'short-iso', 'verbose', 'json', 'json-pretty', 'cat'.

_PID=PID
    Filter messages by the process ID.

_COMM=NAME
    Filter messages by the command name of the process.

_EXE=PATH
    Filter messages by the absolute path of the executable.

--list-boots
    List all recorded boots with their IDs and timestamps.

--disk-usage
    Show the current disk usage taken by the journal files.

--vacuum-size=SIZE
    Reduce journal file size by removing oldest archived files until the total size is below SIZE (e.g., '1G').

--vacuum-time=TIME
    Reduce journal file size by removing archived files older than TIME (e.g., '2weeks').

--no-pager
    Do not pipe output into a pager, useful for scripting or when output is small.

DESCRIPTION

While "syslog" typically refers to a standard for message logging or the traditional daemon (like syslogd, rsyslogd, or syslog-ng) that implements it, there isn't a single executable command named "syslog" itself for viewing logs.
On modern Linux distributions utilizing systemd, the primary command for querying and displaying system logs is journalctl. It interacts with the systemd journal, which unifies and stores various log messages, including those traditionally handled by syslog daemons, kernel messages (like from dmesg), and application-specific logs.
journalctl offers powerful filtering, paging, and formatting options, making it an essential tool for examining system events, errors, and informational messages in a structured and efficient manner. It represents a more advanced approach to log management compared to direct parsing of plain text syslog files.

CAVEATS

journalctl requires systemd to be running and managing the system logs; it is not available on Linux distributions using other init systems. The journal files are stored in a binary format, meaning they cannot be directly read or easily parsed with standard text utilities like grep or cat without journalctl. Proper management of journal file sizes (e.g., using --vacuum-size) is important to prevent excessive disk space consumption.
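
Because the journal is binary, scripted analysis normally starts from `journalctl -o json --no-pager`. The following is an added example, not part of the original page or of systemd: it parses that output and applies the `-p` and `_COMM=`/`_EXE=` filters described above. The sample entries are constructed, and the function names are this example's own.

```python
import json

# Constructed sample of `journalctl -o json --no-pager` output (one object per line).
SAMPLE = r'''
{"__REALTIME_TIMESTAMP":"1700000000000000","PRIORITY":"6","_PID":"812","_COMM":"sshd","_EXE":"/usr/sbin/sshd","SYSLOG_IDENTIFIER":"sshd","MESSAGE":"Server listening on 0.0.0.0 port 22."}
{"__REALTIME_TIMESTAMP":"1700000001000000","PRIORITY":"3","_PID":"812","_COMM":"sshd","_EXE":"/usr/sbin/sshd","SYSLOG_IDENTIFIER":"sshd","MESSAGE":[101,114,114,111,114,58,32,255]}
{"__REALTIME_TIMESTAMP":"1700000002000000","PRIORITY":"5","_PID":"4411","_COMM":"logger","_EXE":"/usr/bin/logger","SYSLOG_IDENTIFIER":"sshd","MESSAGE":"test entry"}
'''

def parse(text):
    """Yield one dict per non-empty line, with MESSAGE normalised to str."""
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        msg = entry.get("MESSAGE")
        if isinstance(msg, list):
            # Non-UTF-8 field data is serialised as an array of byte values.
            msg = bytes(msg).decode("utf-8", errors="replace")
        entry["MESSAGE"] = msg or ""  # null (oversized field) becomes ""
        yield entry

def select(entries, max_priority=7, **trusted):
    """Mirror `journalctl -p N _COMM=... _EXE=...` on exported entries."""
    for e in entries:
        # Example's choice: entries without PRIORITY are treated as info (6).
        if int(e.get("PRIORITY", "6")) > max_priority:
            continue
        if all(e.get(k) == v for k, v in trusted.items()):
            yield e

def identifier_mismatches(entries):
    """Entries whose client-supplied tag differs from the recorded _COMM."""
    return [e for e in entries
            if e.get("SYSLOG_IDENTIFIER") and e.get("_COMM")
            and e["SYSLOG_IDENTIFIER"] != e["_COMM"]]

if __name__ == "__main__":
    for e in identifier_mismatches(list(parse(SAMPLE))):
        print(e["_PID"], e["_EXE"], "tagged as", e["SYSLOG_IDENTIFIER"])
```

Fields whose names begin with an underscore are added by journald itself, while SYSLOG_IDENTIFIER is supplied by the logging process, which is why matching on `_COMM` or `_EXE` is more dependable than matching on the tag. A mismatch is only a review heuristic, since interpreters and long process names legitimately produce differing values.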

JOURNAL STORAGE AND VOLATILITY

The systemd journal can store logs persistently (typically in /var/log/journal/) across reboots, or only in memory (volatile storage, in /run/log/journal/), which means logs are lost after a reboot. Persistent storage is the default and recommended configuration on most distributions.

BOOT IDS AND NAVIGATION

journalctl assigns unique IDs to each system boot. This feature allows users to easily navigate and filter logs across different system reboots, providing a clear historical view, which is a significant improvement over traditional log management.

HISTORY

journalctl was introduced as part of the systemd project, which began development around 2010. Its aim was to modernize and centralize Linux's logging infrastructure, moving beyond the limitations of traditional text-based syslog files. It became the primary log viewing utility on distributions adopting systemd as their init system, starting roughly from 2012-2015, fundamentally changing how system administrators and users interact with logs on these systems.

SEE ALSO

systemd(1), syslogd(8), rsyslogd(8), syslog-ng(8), dmesg(1), logger(1), tail(1), grep(1)
