journalctl Command Cheat Sheet

journalctl is the command-line utility for querying and displaying logs collected by systemd-journald. journald stores logs in a binary format, which allows for powerful indexing, filtering, and security verification.


Synopsis

journalctl [OPTIONS...] [MATCHES...]

Basic Viewing

View All Logs (Paged)

Shows logs from oldest to newest.

journalctl

Jump to End (-e)

View the most recent logs immediately.

journalctl -e

Follow Mode (-f)

Tail the logs in real-time (like tail -f).

journalctl -f

Filtering by Boot

journald persists logs across reboots (if configured).

Current Boot (-b)

journalctl -b

Previous Boot (-b -1)

journalctl -b -1
(List available boots with --list-boots).


Filtering by Time

--since and --until accept absolute timestamps as well as natural-language expressions such as "yesterday" or "1 hour ago".

By Date

journalctl --since "2024-01-01 12:00:00"
journalctl --since "yesterday"
journalctl --since "1 hour ago"

Time Range

journalctl --since "09:00" --until "10:00"

Filtering by Unit / Priority

Specific Service (-u)

Debug a specific daemon.

journalctl -u nginx.service
journalctl -u docker

Kernel Logs Only (-k)

Equivalent to dmesg but with timestamps and journal features.

journalctl -k

Priority (-p)

Show logs at the given level or more severe (a lower number means higher severity).

Level  Name
0      emerg
1      alert
2      crit
3      err
4      warning
5      notice
6      info
7      debug

# Show Errors, Criticals, Alerts, Emergencies
journalctl -p err

Output Formats (-o)

Short (Default)

Typical syslog style.

JSON (-o json)

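-o json outputs one JSON object per line, which suits parsing with jq or shipping to an ELK stack. -o json-pretty, used below, prints the same fields in a multi-line, human-readable layout.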

journalctl -u ssh -o json-pretty
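
An added example (not part of the original cheat sheet): a Python parser for `journalctl -o json` output that keeps entries at `err` or more severe and handles the format's edge cases (non-UTF-8 values as byte arrays, oversized fields as null, repeated fields as arrays). The sample lines, function names and the `<omitted>` placeholder are constructed for illustration.

```python
import json
from collections import Counter
from datetime import datetime, timezone

LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed sample of `journalctl -o json` output (not real log data).
SAMPLE = "\n".join([
    '{"__REALTIME_TIMESTAMP":"1704110400000000","PRIORITY":"3",'
    '"_SYSTEMD_UNIT":"nginx.service","MESSAGE":"upstream timed out"}',
    '{"__REALTIME_TIMESTAMP":"1704110401000000","PRIORITY":"6",'
    '"_SYSTEMD_UNIT":"nginx.service","MESSAGE":"worker started"}',
    '{"__REALTIME_TIMESTAMP":"1704110402000000","PRIORITY":"2",'
    '"_SYSTEMD_UNIT":"docker.service","MESSAGE":[100,105,115,107,32,255]}',
    '{"__REALTIME_TIMESTAMP":"1704110403000000","PRIORITY":"4","MESSAGE":null}',
    'not json at all',
])

def decode_field(value):
    """Normalise a journal JSON field value to text."""
    if value is None:  # oversized field emitted as null (or field absent)
        return "<omitted>"
    if isinstance(value, list):
        if all(isinstance(b, int) and 0 <= b < 256 for b in value):
            return bytes(value).decode("utf-8", errors="replace")  # non-UTF-8 bytes
        return " | ".join(decode_field(v) for v in value)  # repeated field
    return str(value)

def parse_entries(text, max_priority=3):
    """Return (utc_time, level, unit, message) for entries at max_priority or more severe."""
    out = []
    for line in text.splitlines():
        try:
            entry = json.loads(line)
            prio = int(entry["PRIORITY"])  # journald encodes numbers as strings
            usec = int(entry["__REALTIME_TIMESTAMP"])  # microseconds since epoch
        except (ValueError, KeyError, TypeError):
            continue  # non-JSON line, or no usable priority/timestamp
        if not 0 <= prio <= min(max_priority, 7):
            continue
        when = datetime.fromtimestamp(usec / 1_000_000, tz=timezone.utc)
        unit = decode_field(entry.get("_SYSTEMD_UNIT", "-"))
        out.append((when, LEVELS[prio], unit, decode_field(entry.get("MESSAGE"))))
    return out

def count_by_unit(text, max_priority=3):
    """Count matching entries per systemd unit ("-" when the entry has no unit)."""
    return Counter(unit for _, _, unit, _ in parse_entries(text, max_priority))
```

On a live system the same functions can be fed the text produced by `journalctl -b -o json` instead of `SAMPLE`.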

Verbose (-o verbose)

Shows all metadata fields available for the log entry (UID, GID, SELinux context, etc.).

journalctl -n 1 -o verbose

Cat

Shows only the message content, no timestamps or hostnames.

journalctl -o cat

Maintenance

Disk Usage

Check how much space logs are taking.

journalctl --disk-usage

Vacuum (Clean) Logs

Manually clean up logs.

# Retain only last 1GB
sudo journalctl --vacuum-size=1G

# Retain only last 2 weeks
sudo journalctl --vacuum-time=2weeks

Advanced: Reverse Output (-r)

Show newest entries first (reverse chronological).

journalctl -r -u nginx

Troubleshooting Tips

Access Denied?

If you don't see logs, you probably need sudo. Alternatively, add your user to the systemd-journal group.

Persistent Storage

If logs vanish after reboot, create the directory:

sudo mkdir -p /var/log/journal
sudo systemd-tmpfiles --create --prefix /var/log/journal
sudo systemctl restart systemd-journald

Notes

  • Binary vs Text: Unlike /var/log/syslog, you cannot grep the binary files directly. Always use journalctl.
  • Grep integration: You can pipe it: journalctl | grep "Error". Or use built-in grep: journalctl -g "Error".