Back to Commands

journalctl

systemLinux
The journalctl command is one of the most frequently used commands in Linux/Unix-like operating systems. journalctl Query and display messages from the systemd journal
See ExamplesView Syntax

Quick Reference

Command Name:

journalctl

Category:

system

Platform:

Linux

Basic Usage:

journalctl [options] [arguments]

Common Use Cases

    Syntax

    journalctl [OPTIONS...] [MATCHES...]

    Options

    Option Description
    -f, --follow Follow the journal (show new entries as they're added)
    -n, --lines= Show the most recent N journal entries
    -r, --reverse Show oldest entries first
    -o, --output= Change output mode (short, verbose, json, etc.)
    -p, --priority= Filter by priority (emerg, alert, crit, err, warning, notice, info, debug)
    -b, --boot[=ID] Show messages from a specific boot
    --since=, --until= Show entries since or until the specified date/time
    -u, --unit= Show logs from the specified systemd unit
    -k, --dmesg Show kernel message log from the current boot
    --no-pager Do not pipe output into a pager
    --no-hostname Suppress hostname field in the output
    --disk-usage Show total disk usage of all journal files
    --vacuum-size=, --vacuum-time= Remove journal files until the specified size or age is reached
    --list-boots Show a list of recorded boots
    _SYSTEMD_UNIT=, _PID=, _UID=, etc. Match specific journal fields (systemd unit, PID, UID, etc.)

    Examples

    How to Use These Examples

    The examples below show common ways to use the journalctl command. Try them in your terminal to see the results. You can copy any example by clicking on the code block.

    # Basic Examples Basic
    journalctl
    Display all collected journal entries.
    journalctl -f
    Follow the journal (show new entries as they are added).
    # Advanced Examples Advanced
    journalctl -u nginx.service Show logs from the nginx service only. journalctl -b Show logs from the current boot. journalctl -b -1 Show logs from the previous boot. journalctl --since="2023-01-01" --until="2023-01-02" Show logs between two dates. journalctl --since="1 hour ago" Show logs from the last hour. journalctl -p err Show only error-level messages and above. journalctl _PID=1234 Show logs from process with PID 1234. journalctl -o json-pretty Output logs in pretty JSON format. journalctl --disk-usage Show how much disk space the journal is using. journalctl --vacuum-time=2weeks Remove journal entries older than 2 weeks.

    Try It Yourself

    Practice makes perfect! The best way to learn is by trying these examples on your own system with real files.

    Understanding Syntax

    Pay attention to the syntax coloring: commands, options, and file paths are highlighted differently.

    Notes

    journalctl is a command-line utility for querying and displaying logs from the systemd journal, a centralized logging system introduced with systemd. The tool provides a powerful and flexible interface for accessing system logs and troubleshooting issues on modern Linux systems. Key features of journalctl: 1. Centralized Logging: journalctl accesses the systemd journal, which collects and stores logs from various sources including kernel messages, service output, and syslog entries in a single, indexed database format. 2. Structured Data: Unlike traditional text-based log files, the journal stores logs as structured data with fields like timestamp, service name, priority level, and more, enabling powerful filtering and searching capabilities. 3. Powerful Filtering: journalctl offers numerous options to filter logs by time, service, priority level, process ID, and many other attributes, making it easier to find relevant information when troubleshooting. 4. Real-time Monitoring: With the -f (follow) option, journalctl can display new log entries in real-time, similar to 'tail -f', which is invaluable for monitoring services and debugging issues as they occur. 5. Boot-specific Logs: The -b option allows viewing logs from specific system boots, making it easy to analyze issues that occurred during system startup or previous boot sessions. 6. Time-based Filtering: journalctl supports filtering logs by time ranges using human-readable formats (like "1 hour ago"), simplifying the process of examining logs from specific time periods. 7. Multiple Output Formats: Logs can be displayed in various formats including short (default), verbose, JSON, and others, catering to different use cases from human reading to automated processing. 8. Log Rotation and Management: journalctl includes built-in features for managing journal size and retention with options like --vacuum-time and --vacuum-size, eliminating the need for separate log rotation tools. Common use cases for journalctl include: - Troubleshooting system and service issues - Monitoring service behavior in real-time - Investigating security incidents - Analyzing system performance problems - Reviewing boot processes and startup errors - Collecting logs for system reports and documentation journalctl is available on most Linux distributions that use systemd as their init system, including Ubuntu (since 15.04), Debian (since 8), Fedora, CentOS/RHEL (since 7), and Arch Linux. It has largely replaced traditional log viewing methods like 'cat /var/log/messages' or 'less /var/log/syslog' on these systems, offering a more powerful and consistent approach to system logging.

    Related Commands

    These commands are frequently used alongside journalctl or serve similar purposes:

    systemctl
    systemd
    dmesg
    tail
    less
    grep
    logger
    rsyslogd
    logrotate
    ausearch
    Explore All Commands

    Use Cases

    Learn By Doing

    The best way to learn Linux commands is by practicing. Try out these examples in your terminal to build muscle memory and understand how the journalctl command works in different scenarios.

    See ExamplesTry Lab Exercises
    $ journalctl
    View All Commands