Introduction / Why This Matters
Systemd maintains a centralized log of all system events—from kernel messages to your services' output. Journalctl is the primary tool for working with this log. Understanding how to efficiently check and filter these logs is critically important for diagnosing service failures, analyzing performance, and investigating incidents. After completing this guide, you'll be able to quickly find the information you need even in huge log volumes.
Prerequisites / Preparation
Before you begin, ensure:
- You have access to a Linux terminal with systemd installed (relevant for most modern distributions: Ubuntu, Debian, CentOS, Fedora).
- Reading all logs, especially system ones, often requires sudo privileges. Some commands will work without sudo, but use sudo for full access.
- You have basic command-line skills (navigation, using grep).
Basic Commands for Viewing Logs
Step 1: Basic Viewing of the Entire Journal
Simply run:
journalctl
By default, you'll see all entries since logging began (which can be a lot). Navigation:
- PgUp/PgDn: scroll.
- Space: next page.
- q: quit.
💡 Tip: For a quick view of the latest entries, immediately add the -n flag (number of lines): journalctl -n 100.
Step 2: Viewing in Reverse Chronological Order
Most often, you're interested in the latest events. Use:
journalctl -r
This shows entries from newest to oldest. Combine with -n: journalctl -r -n 50.
Step 3: Filtering by a Specific Unit (Service)
If there's an issue with a particular service (e.g., nginx, docker, postgresql), filter by its name:
journalctl -u nginx.service
Important: Specify the full unit name (with .service). For other unit types: .socket, .mount, etc.
Step 4: Filtering by Time
This is the most powerful filter. Formats:
- Relative time: --since "10 minutes ago", --since "today", --since "yesterday".
- Absolute time: --since "2026-02-15 09:00:00" --until "2026-02-15 10:00:00".
Example: show logs from the last 2 hours:
journalctl --since "2 hours ago"
Step 5: Filtering by Severity Level (Priority)
Systemd classifies messages by priority. To see only errors and above:
journalctl -p err..emerg
Or warnings and everything more severe (a single level selects that level and all higher-priority ones):
journalctl -p warning
Levels (from most critical):
emerg > alert > crit > err > warning > notice > info > debug.
Step 6: Searching Within Log Text
Journalctl doesn't have built-in grep, but you can pipe output to grep:
journalctl | grep "permission denied"
For case-insensitive search: grep -i. To see context (2 lines before/after): grep -C 2.
⚠️ Important: grep operates on already formatted output. If you filtered by unit or time, grep searches only the filtered data.
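Because grep sees the whole formatted line, a pattern such as nginx also matches the process-name column. The following added example (not part of the original guide) matches only the message text and groups the hits by logging process; count_by_process and sample_journal are hypothetical names, the sample lines are constructed, and the parser assumes journalctl's default short output format.

```shell
#!/bin/sh
# Real use:
#   journalctl --no-pager --since today | count_by_process 'permission denied'
count_by_process() {
    # $1 = case-insensitive extended regex, matched against the message only
    awk -v pat="$1" '
        BEGIN { pat = tolower(pat) }
        /^-- / { next }          # "-- Logs begin at ..." and boot markers
        NF < 5 { next }          # continuation or malformed line
        {
            ident = $5           # fields: Mon DD HH:MM:SS host ident[pid]:
            sub(/:$/, "", ident)
            sub(/\[[0-9]+\]$/, "", ident)
            msg = $0
            # strip the five prefix fields so only the message text remains
            for (i = 1; i <= 5; i++) sub(/^[ ]*[^ ]+/, "", msg)
            if (tolower(msg) ~ pat) hits[ident]++
        }
        END { for (p in hits) printf "%d %s\n", hits[p], p }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample lines in the default short format (not real logs).
sample_journal() {
    cat <<'EOF'
-- Logs begin at Fri 2026-02-14 10:00:00 MSK, end at Sat 2026-02-15 09:30:00 MSK. --
Feb 15 09:25:01 myhost nginx[1234]: open() "/var/www/a" failed (13: Permission denied)
Feb 15 09:25:07 myhost sshd[2210]: constructed: read host key: Permission denied
Feb 15 09:25:09 myhost nginx[1234]: open() "/var/www/b" failed (13: Permission denied)
Feb 15 09:26:00 myhost systemd[1]: Started Nginx - high performance web server.
EOF
}
```

Running sample_journal | count_by_process 'nginx' reports only the systemd line, whereas grep -i nginx on the same input would also return both nginx[1234] lines.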
Step 7: Real-Time Monitoring (Like tail -f)
To follow new entries as they appear:
journalctl -f
This is especially useful when restarting a service or performing an action expected to log something. To exit — Ctrl+C.
Step 8: Combining Filters
You can combine filters for a precise query. Example: errors from the sshd service in the last 30 minutes:
journalctl -u sshd.service -p err --since "30 minutes ago"
Or kernel logs (-k) from the last hour:
journalctl -k --since "1 hour ago"
Step 9: Viewing Logs with Full Executable Path
By default, journalctl shows only the process name. To see the full path:
journalctl -o verbose
This is handy when multiple binaries have similar names.
Step 10: Clearing the Journal (If It Takes Up Too Much Space)
The journal stores data in /var/log/journal/. If the disk is full, you can:
- Delete old entries (e.g., older than 3 days): sudo journalctl --vacuum-time=3d
- Limit total size (e.g., 200 MB): sudo journalctl --vacuum-size=200M
- Completely clear (caution!): sudo journalctl --rotate && sudo journalctl --vacuum-time=1s
⚠️ Important: Clearing permanently deletes data. Ensure it's not needed for an investigation.
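One way to keep the data available for an investigation is to archive it before vacuuming. This is an added example, not part of the original guide: preserve_then_vacuum is a hypothetical helper, and it assumes it runs as root and that the target directory is on a different filesystem than /var/log/journal.

```shell
#!/bin/sh
# Usage: preserve_then_vacuum /srv/evidence 3d
preserve_then_vacuum() {
    dest=$1   # existing directory that receives the archive
    age=$2    # value handed to --vacuum-time, e.g. 3d
    if [ ! -d "$dest" ] || [ -z "$age" ]; then
        echo "usage: preserve_then_vacuum DIR AGE" >&2
        return 2
    fi
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    out=$(mktemp "$dest/journal-$stamp.XXXXXX") || return 1

    # -o export serializes every field of every entry, not only the
    # formatted line that grep would see.
    if ! journalctl --no-pager -o export > "$out"; then
        echo "export failed; journal left untouched" >&2
        rm -f "$out"
        return 1
    fi
    # An empty archive usually means no read permission: do not vacuum.
    if [ ! -s "$out" ]; then
        echo "empty export; refusing to vacuum" >&2
        rm -f "$out"
        return 1
    fi
    # Store a digest next to the archive so later changes are detectable.
    name=$(basename "$out")
    ( cd "$dest" && sha256sum "$name" > "$name.sha256" ) || return 1

    # Only now close the active journal files and drop entries older than AGE.
    journalctl --rotate >&2 || return 1
    journalctl --vacuum-time="$age" >&2 || return 1
    echo "$out"
}
```

The function prints the archive path on success; nothing is deleted from the journal if the export fails or comes back empty.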
Step 11: Viewing Logs with less for Easy Navigation
By default, journalctl uses less for display. You can use all less features:
- Forward search: /text
- Backward search: ?text
- Go to start/end: g/G
- Quit: q
Verifying the Result
After running the commands, you should see a readable list of log entries. Example of successful output for a service filter:
-- Logs begin at Fri 2026-02-14 10:00:00 MSK, end at Sat 2026-02-15 09:30:00 MSK. --
Feb 15 09:25:01 myhost systemd[1]: Starting Nginx - high performance web server...
Feb 15 09:25:01 myhost nginx[1234]: nginx: configuration file /etc/nginx/nginx.conf test is successful
Feb 15 09:25:01 myhost systemd[1]: Started Nginx - high performance web server.
If the output is empty — check that filters aren't excluding all entries (e.g., overly restrictive time range) and that you have read permissions.
Common Issues
Issue: journalctl returns "Failed to open file /var/log/journal/...: Permission denied".
Solution: Add sudo at the start of the command. Reading system journals requires administrator privileges.
Issue: No entries for a specific service, even though it's running.
Solution: Ensure the service actually writes to the journal (check its configuration, e.g., StandardOutput=journal). Also check if separate log rotation to a file is configured for it.
Issue: Journal fills the entire disk, but clearing commands don't work.
Solution: The journal might be mounted separately or there are permission issues. Check disk usage: df -h. As a last resort, you can manually delete files in /var/log/journal/ (only if the journal is inactive), but using --vacuum is safer.
Issue: journalctl -f doesn't show new entries.
Solution: Ensure you ran the command with sudo if new entries require elevated privileges. Also check if the disk is full (the journal may automatically stop writing).