FixPedia
Other

Logs Journalctl

type: "guide" title: "Complete Guide to journalctl: Managing Linux System Logs" description: "Master the journalctl command for effective log analysis in Linux. Step-by-step examples of filtering, searching, and diagnosing issues. Improve your administration skills! Start working with systemd journal today." summary: "This guide explains in detail how to use journalctl to view, filter, and analyze system logs in Linux. You will learn to diagnose problems and monitor the system." platform: "linux" difficulty: "medium" section: "Linux Guides" keywords:

  • "journalctl command"
  • "how to view logs in linux"
  • "systemd journal"
  • "journalctl log filtering"
  • "linux log analysis"
  • "journalctl examples"
  • "debugging linux with journalctl"
  • "viewing system logs"
  • "journalctl sudo"
  • "journalctl since until" tags:
  • "journalctl"
  • "systemd"
  • "linux logs"
  • "log analysis"
  • "administration" related:
  • "/guides/linux/systemd-basics"
  • "/guides/linux/log-rotation"
  • "/errors/linux/journalctl-permission-denied" draft: false createdAt: "2026-02-14 23:17:51" updatedAt: "2026-02-14 23:17:51" author: "FixPedia Team" estimatedTime: "15-30 min" locale: "ru_RU" appliesTo:
  • "Ubuntu 20.04+"
  • "CentOS 7+"
  • "Debian 10+"
  • "Fedora 35+" faq:
  • question: "How to view the latest log entries with journalctl?" answer: "Use the journalctl -n 100 command to view the last 100 entries or journalctl -f to follow in real-time."
  • question: "How to filter logs by service in journalctl?" answer: "Apply the -u flag with the service name, for example, journalctl -u nginx.service for nginx logs."
  • question: "What to do if journalctl doesn't show logs?" answer: "Ensure systemd-journald is running and check the journal storage settings in /etc/systemd/journald.conf."
  • question: "How to clear journalctl logs?" answer: "Use journalctl --rotate and journalctl --vacuum-time=1d to delete logs older than one day, or journalctl --vacuum-size=100M to limit the size." howToSteps:
  • name: "Open the terminal" text: "Launch the terminal on your Linux system. Ensure you have sudo privileges to access all logs if required."
  • name: "View the latest entries" text: "Run journalctl -n 50 to see the last 50 journal entries. Add --no-pager for direct output without pausing, for example, journalctl -n 50 --no-pager."
  • name: "Filter by time" text: "Use journalctl --since "2024-01-01" --until "2024-01-02" to filter entries by dates. Time can be specified in various formats, for example, "1 hour ago"."
  • name: "Filter by service" text: "To view logs for a specific systemd service, use the -u flag, for example, journalctl -u sshd.service will show SSH daemon logs."
  • name: "Search by keywords" text: "Combine journalctl with grep for searching: journalctl | grep "error" will find all entries containing "error". For case-insensitive search use grep -i."
  • name: "Export logs to a file" text: "Save the journal to a file with journalctl > logs.txt for text output or journalctl --output=export > logs.journal for the binary format, which can be imported back." howToTotalTime: "PT20M"

Introduction / Why It Matters

Journalctl is the command for accessing systemd journals, which consolidates logs from various sources, including the kernel, system services, and applications. Unlike traditional log files in /var/log, journalctl provides structured access with filtering, searching, and export capabilities. This guide will help you master the essential operations for daily administration and diagnostics.

Requirements / Preparation

Before starting, ensure:

  • Your system uses systemd: Check by running systemctl status — if the command is available, systemd is installed.
  • Terminal access: You will need a terminal or SSH connection to the server.
  • sudo privileges: To view all journals, including protected ones, use sudo journalctl. Without sudo, you will only see your own logs.
  • systemd-journald package: Usually pre-installed. If not, install it via your package manager (e.g., apt install systemd on Debian/Ubuntu).

Step 1: View All Journal Entries

The basic journalctl command without arguments outputs all entries from the earliest to the latest. By default, it uses a less-like pager for navigation.

journalctl

For direct output without pausing (non-interactive stream), add --no-pager:

journalctl --no-pager

To see only the latest entries, use -n with the number of lines:

journalctl -n 50  # last 50 entries

Step 2: Filtering by Time

Journalctl allows filtering entries by a time range using --since and --until. Time can be specified in various formats.

Example: entries since January 1, 2024:

journalctl --since "2024-01-01"

Range: from January 1 to January 2, 2024:

journalctl --since "2024-01-01" --until "2024-01-02"

Relative time: for the last hour:

journalctl --since "1 hour ago"

Or from a specific time of day:

journalctl --since "09:00" --until "10:00"

Step 3: Filtering by System Service

To view logs for a specific systemd service, use the -u flag with the unit name.

For example, SSH service logs:

journalctl -u sshd.service

For the Nginx service:

journalctl -u nginx.service

You can combine this with time filtering:

journalctl -u sshd.service --since "today"

Step 4: Searching by Keywords and Priority Levels

Journalctl supports filtering by priority level using -p. Levels are: emerg, alert, crit, err, warning, notice, info, debug.

For example, only errors (err) and critical (crit):

journalctl -p err

To search by text, use a pipeline with grep:

journalctl | grep "failed"

For case-insensitive search:

journalctl | grep -i "error"

Combine filters:

journalctl -u nginx.service -p err --since "1 hour ago"

Step 5: Exporting and Saving Logs

To save the journal to a file, redirect the output:

journalctl > all_logs.txt

To export in the binary journal format (which can be imported back):

journalctl --output=export > logs.journal

Export to JSON for script processing:

journalctl --output=json > logs.json

Limit the export size by specifying the number of entries:

journalctl -n 1000 > recent_logs.txt

Step 6: Managing Journal Size and Cleanup

Over time, the journal can consume significant disk space. Use commands to manage it.

Check current disk space usage:

journalctl --disk-usage

Clean up old entries, keeping only the most recent, for example, 100 MB:

sudo journalctl --vacuum-size=100M

Delete entries older than a specific time, for example, 7 days:

sudo journalctl --vacuum-time=7d

Force a journal rotation (create a new one, start writing to it):

sudo journalctl --rotate

These operations require sudo privileges.

Verification

After running commands, ensure:

  • The journalctl command outputs the expected entries (non-empty output if logs are expected).
  • Filters work correctly: for example, journalctl -u sshd.service shows only SSH logs.
  • Exported files are created and contain data (check the file size).
  • When managing size, journalctl --disk-usage shows reduced usage.

If something doesn't work, refer to the "Troubleshooting" section.

Troubleshooting

Problem: journalctl not found or command not recognized.
Solution: Ensure systemd is installed. On very old systems or specialized distributions, syslog might be used instead. Check for the systemd package.

Problem: No access to logs, only your own entries are shown.
Solution: Use sudo journalctl for full access. If sudo is unavailable, check permission settings in /etc/systemd/journald.conf (parameters like SystemMaxUse, but this is more complex).

Problem: Journal is empty or contains few entries.
Solution: Check that systemd-journald is running: systemctl status systemd-journald. Also, the journal might be size-limited or configured to write only to memory (volatile). Check the configuration in /etc/systemd/journald.conf.

Problem: Error during journal cleanup (e.g., "Failed to open directory").
Solution: Ensure you are using sudo for rotation and cleanup operations. Also, check if the journal is currently in use (rare, but possible).

Problem: journalctl command hangs or outputs slowly.
Solution: Add --no-pager to disable the pager. Or limit the output with -n or time filters. Large journals can be slow to process.

Did this article help you solve the problem?

FixPedia

Free encyclopedia for fixing errors. Step-by-step guides for Windows, Linux, macOS and more.

© 2026 FixPedia. All materials are available for free.

Made with for the community