journalctl Log Viewer

journalctl cheatsheet — view, filter, follow systemd logs. journalctl -u nginx -f, journalctl --since '1 hour ago', journalctl -p err. Full systemd log reference.

What it is

A tool for querying and displaying log data from the systemd journal. Use it to inspect system logs, service logs, and kernel messages.

Installation

journalctl is part of systemd and is installed by default on most Linux distributions that use systemd.

Core Concepts

  • Journal: The central log storage managed by systemd. It’s a binary, indexed database, not plain text files.
  • Units: Refers to systemd units, such as services (.service), timers (.timer), sockets (.socket), etc. You can filter logs by unit.
  • Fields: Log entries have structured fields (e.g., _PID, _COMM, SYSLOG_IDENTIFIER, MESSAGE). journalctl allows filtering by these fields.

Commands / Usage

Viewing Recent Logs

  • View all logs:

    journalctl
    

    Displays every entry stored in the journal, oldest first. Add -r to show the newest entries first.

  • View logs from the current boot:

    journalctl -b
    

    Shows logs specifically from the current boot session.

  • View logs from the previous boot:

    journalctl -b -1
    

    Displays logs from the immediately preceding boot session. Use -b -2 for the boot before that, and so on.

  • View logs in real-time (like tail -f):

    journalctl -f
    

    Follows the log output as new entries are added.

  • View logs from the current boot, follow new entries:

    journalctl -b -f
    

    Combines viewing logs from the current boot with following new entries.

Filtering Logs

  • Filter by service name:

    journalctl -u nginx.service
    

    Shows logs only for the nginx.service unit.

  • Filter by multiple service names:

    journalctl -u sshd.service -u cron.service
    

    Displays logs for both sshd.service and cron.service.

  • Filter by kernel messages:

    journalctl -k
    

    Shows only kernel log messages.

  • Filter by process ID (PID):

    journalctl _PID=1234
    

    Displays logs generated by the process with PID 1234.

  • Filter by executable name:

    journalctl _COMM=bash
    

    Shows logs where the executable name is bash.

  • Filter by systemd unit and executable name:

    journalctl -u myapp.service _COMM=myapp
    

    Logs for myapp.service where the executable is named myapp.

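  • Filter by message content (case-sensitive):

    journalctl -g "error" --case-sensitive=true
    

    Shows entries whose MESSAGE field matches the regular expression "error" with exact case. Without --case-sensitive, an all-lowercase pattern is matched case-insensitively.

  • Filter by message content (case-insensitive):

    journalctl -g "error" --case-sensitive=false
    

    Shows log entries matching "error", ignoring case.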

  • Filter by syslog identifier:

    journalctl SYSLOG_IDENTIFIER=systemd
    

    Entries whose syslog identifier (tag) is systemd.

Time-Based Filtering

  • Logs since a specific date and time:

    journalctl --since "2023-10-27 10:00:00"
    

    Shows logs generated after the specified timestamp.

  • Logs since a relative time:

    journalctl --since "1 hour ago"
    

    Displays logs from the last hour.

  • Logs until a specific date and time:

    journalctl --until "2023-10-27 11:00:00"
    

    Shows logs generated before the specified timestamp.

  • Logs between two times:

    journalctl --since "2023-10-27 10:00:00" --until "2023-10-27 11:00:00"
    

    Displays logs within a specific time range.

  • Logs from today:

    journalctl --since today
    
  • Logs from yesterday:

    journalctl --since yesterday --until today
    

Output Formatting

  • Show logs in JSON format:

    journalctl -o json
    

    Outputs each log entry as a JSON object. Useful for programmatic parsing.

  • Show logs in verbose format:

    journalctl -o verbose
    

    Displays all available fields for each log entry.

  • Show logs with executable name and PID:

    journalctl -o verbose _COMM=sshd
    

    Combines verbose output with filtering for sshd.

  • Show logs with only the message field:

    journalctl -o cat
    

    Prints only the message part of the logs, stripping metadata.

  • Show logs with short format (default):

    journalctl -o short
    

    The default, compact format.

Paging and Searching

  • Scroll through logs with less (default pager): journalctl typically pipes its output to less by default. Use standard less commands:

    • j or arrow down: scroll down one line
    • k or arrow up: scroll up one line
    • space: scroll down one page
    • b: scroll up one page
    • /search_term: search forward for search_term
    • ?search_term: search backward for search_term
    • n: go to next match
    • N: go to previous match
    • q: quit
  • Disable the pager:

    journalctl --no-pager
    

    Outputs directly to standard output without using a pager.

Archiving and Rotating Logs

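  • View a specific journal file, such as one archived by rotation:

    journalctl --file /var/log/journal/MACHINE_ID/system.journal
    

    Inspects a specific journal file. MACHINE_ID is a placeholder for the host's machine ID (the value in /etc/machine-id); system.journal is the active file, and rotated files in the same directory are named system@….journal. The path might vary.

  • Show logs from all persistent journals:

    journalctl --directory /var/log/journal/MACHINE_ID
    

    Queries all journal files stored in the persistent journal directory.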

Other Useful Flags

  • Show only the most recent entries:

    journalctl -n 100
    

    Shows the last 100 log entries.

  • Show logs with specific fields:

    journalctl -o verbose _TRANSPORT=kernel
    

    Shows verbose output for kernel messages.

Common Patterns

  • Check if a service started correctly:

    journalctl -u myapp.service -b
    

    View logs for myapp.service from the current boot to diagnose startup issues.

  • Find errors from a specific service in the last hour:

    journalctl -u apache2.service --since "1 hour ago" -g "error"
    

    Searches apache2.service logs for "error" within the last hour.

  • See what happened before a crash:

    journalctl -b -1 -n 500
    

    View the last 500 log lines from the previous boot session to understand the state before a reboot.

  • Troubleshoot a failing service:

    journalctl -u myapp.service -f
    

    Follow the logs of a service in real-time to see errors as they occur.

  • View kernel messages related to a specific device:

    journalctl -k -g "sd[a-z][0-9]"
    

    Searches kernel messages for patterns that look like disk device names.

  • Export logs for debugging:

    journalctl -u myapp.service --since "2023-10-27 09:00:00" --until "2023-10-27 10:00:00" -o json > myapp_logs.json
    

    Exports logs for myapp.service within a specific time range in JSON format.

Gotchas

  • Permissions: You might need sudo, or membership in the systemd-journal group, to view all logs, especially those from other users or system services.
    sudo journalctl -u some_service.service
    
  • Log Rotation: Without -b, journalctl shows every entry still held in the journal. Use -b -1, --since, or --until to narrow down to historical data. Entries from earlier boots are only available if persistent storage is configured.
  • Filtering is powerful but can be complex: Understanding journalctl’s field names (like _PID, _COMM, SYSLOG_IDENTIFIER) is key for precise filtering. Use journalctl -o verbose to see available fields.
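  • Case Sensitivity: The -g (--grep) pattern is a regular expression matched against the MESSAGE field. An all-lowercase pattern is matched case-insensitively; a pattern containing an uppercase letter is matched case-sensitively. Use --case-sensitive=true or --case-sensitive=false to force either behavior.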
  • Units vs. Executables: -u filters by systemd unit name (e.g., nginx.service), while _COMM filters by the executable name (e.g., nginx). A single unit might run multiple executables, or an executable might be run outside of a systemd unit.
  • Empty Output: If journalctl returns nothing, it means there are no matching log entries for your query. Double-check your filters, time ranges, and boot selections.
  • journald Configuration: The behavior and storage location of logs depend on the journald.conf configuration file (usually /etc/systemd/journald.conf). For instance, Storage=volatile keeps logs only in memory under /run/log/journal, so they are lost on reboot; Storage=persistent writes them to /var/log/journal.
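
The -o json output and the field gotchas above (_COMM versus SYSLOG_IDENTIFIER) come together when logs are reviewed programmatically. The following is an added example, not part of the original cheatsheet: it parses newline-delimited journal JSON, handles the value shapes journalctl can emit (null, byte arrays, repeated fields), and flags entries whose sender-chosen SYSLOG_IDENTIFIER is not backed by the journald-recorded _COMM. The sample entries, the function names and the expected mapping are constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample of `journalctl -o json` output: one JSON object per line.
SAMPLE = "\n".join([
    '{"__REALTIME_TIMESTAMP":"1698400800000000","_PID":"812","_UID":"0","_COMM":"sshd",'
    '"SYSLOG_IDENTIFIER":"sshd","MESSAGE":"Accepted publickey for alice"}',
    '{"__REALTIME_TIMESTAMP":"1698400860000000","_PID":"4410","_UID":"1001","_COMM":"logger",'
    '"SYSLOG_IDENTIFIER":"sshd","MESSAGE":"Accepted password for root"}',
    '{"__REALTIME_TIMESTAMP":"1698400920000000","_PID":"977","_UID":"33","_COMM":"myapp",'
    '"SYSLOG_IDENTIFIER":"myapp","MESSAGE":[114,101,113,32,255,254]}',
])
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def text(value):
    """Normalise one JSON field value to str."""
    if value is None:                      # journalctl emits null for oversized fields
        return ""
    if isinstance(value, list):
        if value and all(isinstance(b, int) for b in value):
            return bytes(value).decode("utf-8", "replace")   # non-UTF-8 data arrives as a byte array
        return " | ".join(text(v) for v in value)            # field repeated within one entry
    return str(value)

def parse(export):
    """Yield simplified entries from newline-delimited journal JSON."""
    for line in export.splitlines():
        if not line.strip():
            continue
        raw = json.loads(line)
        yield {
            # __REALTIME_TIMESTAMP is microseconds since the epoch, as a string
            "time": EPOCH + timedelta(microseconds=int(raw["__REALTIME_TIMESTAMP"])),
            "pid": text(raw.get("_PID")), "uid": text(raw.get("_UID")),
            "comm": text(raw.get("_COMM")),               # recorded by journald, not the sender
            "ident": text(raw.get("SYSLOG_IDENTIFIER")),  # chosen by the sender
            "message": text(raw.get("MESSAGE")),
        }

def identifier_mismatches(entries, expected):
    """Entries whose sender-chosen identifier is not backed by an allowed _COMM.
    `expected` (identifier -> allowed _COMM values) is a local assumption to tune per host."""
    return [e for e in entries
            if e["ident"] in expected and e["comm"] not in expected[e["ident"]]]

if __name__ == "__main__":
    for e in identifier_mismatches(parse(SAMPLE), {"sshd": {"sshd"}}):
        print(e["time"].isoformat(), e["uid"], e["comm"], e["ident"], e["message"])
```

To run it on real data, replace SAMPLE with the contents of a file produced by journalctl -o json --no-pager. The allowed _COMM set for each identifier has to be built from what the host actually runs.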