Query and Display Systemd Journal Logs
The journalctl command is the query tool for systemd's journal logging system. It displays and filters system logs collected by journald, including boot messages, service logs, kernel messages, and application errors.
Think of journalctl as your system's black box recorder. Every important event—services starting or crashing, login attempts, kernel warnings, application errors—gets logged here in a structured, searchable format. Unlike old-school logs scattered across /var/log, journalctl centralizes everything in one place with powerful filtering. IT admins use it daily to troubleshoot issues: "Why did the web server crash?", "Who tried to SSH in?", "What happened during the last boot?". You can follow logs in real-time with -f, filter by service with -u, or show only errors with -p err. It's essential for any modern Linux sysadmin.
Advertisement
[ Insert Google AdSense Banner Code Here ]
Find out why a service failed to start or keeps crashing.
Follow logs live to watch events as they happen.
Review login attempts, SSH access, and security events.
Investigate what happened during system startup or previous boots.
journalctl View all system logs (paginated with less).
journalctl -f Follow logs in real-time (like tail -f).
journalctl -u nginx Show logs for a specific service (nginx in this example).
journalctl -p err Show only error-level logs (filter by priority).
journalctl -b Show logs from the current boot only.
journalctl -n 20 Show only the last 20 log entries.
journalctl --since "1 hour ago" Show logs from the past hour.
journalctl -k Show kernel messages only (equivalent to dmesg).
journalctl --disk-usage Show how much disk space journal logs are using.
Use -f to follow live: journalctl -f is perfect when troubleshooting in real-time. Watch logs update as events happen.
Filter by service: journalctl -u service-name narrows down to specific service logs instead of seeing everything.
Priority levels matter: Use -p err to filter noise and focus on actual problems. Priority levels: emerg, alert, crit, err, warning, notice, info, debug.
Practice journalctl commands in the interactive terminal below: