
Mastering journalctl: Powerful Techniques to Query systemd Logs

This guide explains how to use the journalctl command to view, filter, and manage systemd-journald logs on Linux, covering help options, match expressions, persistent storage, disk usage, vacuuming, time ranges, unit filtering, priority levels, real‑time streaming, output formatting, and kernel log access.

MaGe Linux Operations

Introduction

journalctl is used to query the logs collected by the systemd-journald service, which is part of the systemd init system.

Command syntax:

journalctl [OPTIONS…] [MATCHES…]

Executable path:

/bin/journalctl

Help

Use the manual page or the -h option for quick help:

man journalctl
journalctl -h

Output All Log Records

Running journalctl without options prints all log entries, which can be overwhelming.

sudo journalctl

Match (Filtering by Field)

Filter logs using the FIELD=VALUE format, e.g.:

_SYSTEMD_UNIT=cron.service

Multiple fields can be combined (logical AND):

journalctl _SYSTEMD_UNIT=cron.service PRIORITY=6

Use the + operator for logical OR between matches:

journalctl _SYSTEMD_UNIT=cron.service + _PID=28097

Persist Logs to Files

By default, logs are stored in /run/log and are lost on reboot. To keep them across reboots, use one of two methods:

Method 1: Create /var/log/journal and restart the service.

Method 2: Edit /etc/systemd/journald.conf, set Storage=persistent, and restart the service.

Example (method 1):

sudo mkdir /var/log/journal
sudo chown root:systemd-journal /var/log/journal
sudo chmod 2775 /var/log/journal
sudo systemctl restart systemd-journald.service

Check Disk Usage

sudo journalctl --disk-usage

Clean Log Data

Use --vacuum-size to limit total size.

Use --vacuum-time to delete entries older than a given time.

sudo journalctl --vacuum-size=1G
sudo journalctl --vacuum-time=1years

Limit Maximum Log Capacity

Configure /etc/systemd/journald.conf with options such as:

SystemMaxUse= – maximum persistent storage.

SystemKeepFree= – free space to keep.

SystemMaxFileSize= – max size of a single journal file.

RuntimeMaxUse= – max size in volatile storage.

RuntimeKeepFree= – free space in volatile storage.

RuntimeMaxFileSize= – max size of a volatile journal file.

View Logs From a Specific Boot

journalctl --list-boots
sudo journalctl -b -1
sudo journalctl -b 9eaabbc25fe343999ef1024e6a16fb58

View Logs Within a Time Range

Use --since and --until with various date formats:

journalctl --since "2018-03-26 20:20:00"
journalctl --since "2018-03-26" --until "2018-03-26 03:00"
journalctl --since yesterday
journalctl --since 09:00 --until "1 hour ago"

Combine Match and Time Filters

sudo journalctl _SYSTEMD_UNIT=cron.service --since "2018-03-27" --until "2018-03-27 01:00"

Filter by Unit

sudo journalctl -u nginx.service
sudo journalctl -u nginx.service --since today
journalctl -u nginx.service -u php-fpm.service --since today

Filter by Log Level (Priority)

Use -p or PRIORITY= with numeric values (0 = emerg … 7 = debug) or names:

sudo journalctl -p err

Real‑Time Log Updates

sudo journalctl -f
sudo journalctl -f -u prometheus.service

Show Only the Latest N Lines

sudo journalctl -n
sudo journalctl -n 20
journalctl -u cron.service -n 3

Control Output

Redirect output to standard output (disable pager):

sudo journalctl --no-pager

Format output with -o (e.g., short, json, json-pretty, cat, etc.):

sudo journalctl -u cron.service -n 1 --no-pager -o json
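
The match rules from the filtering section, applied to saved -o json output, as an added example that is not part of the original article. It goes one step beyond the text by also treating repeated matches on the same field as alternatives, which is how the journalctl manual documents them; the sample entries and the function names are constructed for illustration.

```python
import json

# Constructed sample in the shape of `journalctl -o json`: one JSON object
# per line, every field value a string. Not taken from a real host.
SAMPLE = "\n".join([
    '{"_SYSTEMD_UNIT":"cron.service","_PID":"900","PRIORITY":"6","MESSAGE":"job started"}',
    '{"_SYSTEMD_UNIT":"cron.service","_PID":"901","PRIORITY":"3","MESSAGE":"job failed"}',
    '{"_SYSTEMD_UNIT":"nginx.service","_PID":"28097","PRIORITY":"6","MESSAGE":"worker up"}',
    '{"_SYSTEMD_UNIT":"php-fpm.service","_PID":"3100","PRIORITY":"4","MESSAGE":"slow request"}',
])

def parse_matches(args):
    """['A=1', 'B=2', '+', 'C=3'] -> [{'A': {'1'}, 'B': {'2'}}, {'C': {'3'}}]"""
    groups = [{}]
    for arg in args:
        if arg == "+":            # '+' starts a new OR-ed group
            groups.append({})
            continue
        field, sep, value = arg.partition("=")
        if not sep:
            raise ValueError(f"not a FIELD=VALUE match: {arg!r}")
        groups[-1].setdefault(field, set()).add(value)
    return [g for g in groups if g]

def field_values(entry, field):
    # A field that occurs several times in one entry is emitted as a JSON array;
    # non-UTF-8 data becomes an array of byte numbers and never equals a string.
    value = entry.get(field)
    return value if isinstance(value, list) else [value]

def entry_matches(entry, groups):
    # No matches at all selects everything, like plain `journalctl`.
    if not groups:
        return True
    # Groups are OR-ed; inside a group different fields are AND-ed and
    # repeated matches on the same field are alternatives (OR).
    return any(
        all(any(v in wanted for v in field_values(entry, f)) for f, wanted in g.items())
        for g in groups
    )

def query(journal_text, args):
    groups = parse_matches(args)
    entries = (json.loads(line) for line in journal_text.splitlines() if line.strip())
    return [e for e in entries if entry_matches(e, groups)]

if __name__ == "__main__":
    for e in query(SAMPLE, ["_SYSTEMD_UNIT=cron.service", "+", "_PID=28097"]):
        print(e["_SYSTEMD_UNIT"], e["_PID"], e["MESSAGE"])
```

Fields whose names start with an underscore, such as _SYSTEMD_UNIT and _PID, are added by journald itself and cannot be set by the logging process, while PRIORITY and MESSAGE come from the client. When a query feeds an alert or an investigation, matching on the underscore fields is the more reliable choice.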

Filter by Executable Path

sudo journalctl /usr/lib/systemd/systemd
sudo journalctl /usr/bin/bash

View Kernel Logs

sudo journalctl -k

Summary

With systemd, log viewing has shifted to the unified journalctl tool, eliminating the need for many disparate commands and providing powerful filtering, formatting, and persistence options.
