journalctl: complete guide to reading Linux logs

This guide will teach you to use journalctl to view, filter, and analyze systemd logs in Linux. You'll master key commands for troubleshooting and system monitoring.

Updated on February 15, 2026
15-30 min
Medium
FixPedia Team
Applies to: Linux with systemd (Ubuntu 16.04+, CentOS 7+, Debian 8+, Fedora)

Introduction / Why This Matters

journalctl is a powerful utility for viewing and analyzing logs collected by systemd-journald. In modern Linux distributions, it often replaces traditional text logs in /var/log/. With it, you can quickly find the cause of a service failure, track security events, or simply understand what's happening in your system. This guide will transform you from a beginner into a confident journalctl user.

Requirements / Preparation

  1. Operating System: Any modern Linux distribution with systemd (check with systemctl --version).
  2. Access Permissions: To view all logs, including messages from the kernel and system services, root privileges are typically required. Use sudo or log in as the superuser.
  3. Journal must be active: Ensure the systemd-journald service is running: systemctl status systemd-journald.
  4. Understanding log structure: systemd logs are stored in a binary format (usually in /var/log/journal/ or /run/log/journal/). This allows for efficient indexing and filtering of entries by metadata.

Step-by-Step Guide

Step 1: Basic viewing of the entire journal

Simply type the command journalctl. You will see the full system log, starting from the earliest available entry, in chronological order (from oldest to newest).

sudo journalctl

  • Navigation: Use PgUp/PgDown or arrow keys. To search within the less pager, press /, enter your query, and Enter.
  • Exit: Press q.
  • By default: Output is limited to recent entries (depends on configuration). To see everything, use --no-pager to output directly to the terminal without pausing.

Step 2: Filtering by time

This is one of the most common scenarios. journalctl understands flexible time formats.

# Logs from today
sudo journalctl --since today

# Logs from the last 2 hours
sudo journalctl --since "2 hours ago"

# Logs for a specific day
sudo journalctl --since "2026-02-14" --until "2026-02-15"

# Logs from 09:00 to 18:00 today
sudo journalctl --since "09:00" --until "18:00"

Step 3: Filtering by service (systemd unit)

To see logs only from a specific service (e.g., nginx or docker), use the -u flag.

# Logs for the SSH service
sudo journalctl -u ssh.service

# Logs for the Docker service from the last 30 minutes
sudo journalctl -u docker.service --since "30 minutes ago"

This eliminates all the "noise" from other processes and immediately focuses you on the problem.

Step 4: Filtering by priority (log level)

System messages have severity levels. Filter by them to ignore less important entries.

# Only errors (err) and critical (crit, alert, emerg)
sudo journalctl -p err

# Range: only warning, err and crit (alert and emerg fall outside the range)
sudo journalctl -p warning..crit

# Levels (from highest to lowest):
# emerg, alert, crit, err, warning, notice, info, debug

You can combine these with other filters: sudo journalctl -u nginx -p err.

Step 5: Searching by keywords and fields

Use grep-like syntax to search within message text or filter by structured fields (e.g., _PID, _COMM, SYSLOG_IDENTIFIER).

# Simple text search (case-insensitive)
sudo journalctl | grep -i "failed"

# Search by executable name (e.g., all calls to apt)
sudo journalctl _COMM=apt

# Search by Process ID (PID)
sudo journalctl _PID=1234

# Combination: find errors in the cron service
sudo journalctl -u cron -p err

💡 Tip: For field searches, use the syntax FIELD=value. You can see a list of all entry fields in the output of journalctl -o verbose or in the documentation.
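
A worked case for the text search above, added here as an example and not part of the original guide: a shell function that counts failed SSH password attempts per source address from journalctl output. The function names, host name and sample lines are constructed; the unit name ssh.service follows Step 3.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide): count failed SSH password
# attempts per source address. Reads journalctl text output on stdin and
# prints "<count> <address>" lines, highest count first.
summarize_failed_ssh() {
    awk '
        /Failed password for/ {
            # Scan from the right for "from <addr> port": the user name is
            # remote-controlled text and may itself contain the word "from".
            for (i = NF - 2; i >= 1; i--) {
                if ($i == "from" && $(i + 2) == "port") {
                    hits[$(i + 1)]++
                    break
                }
            }
        }
        END { for (addr in hits) print hits[addr], addr }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample lines; host name and addresses are made up.
sample_journal() {
    cat <<'EOF'
2026-02-14T09:12:01+0000 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
2026-02-14T09:12:04+0000 web01 sshd[2211]: Failed password for root from 203.0.113.5 port 51240 ssh2
2026-02-14T09:13:10+0000 web01 sshd[2290]: Accepted password for deploy from 192.0.2.10 port 40100 ssh2
2026-02-14T09:14:55+0000 web01 sshd[2301]: Failed password for invalid user from from 198.51.100.7 port 40022 ssh2
2026-02-14T09:15:02+0000 web01 sshd[2305]: Failed password for invalid user test from 203.0.113.5 port 51300 ssh2
EOF
}

# Live use:
#   sudo journalctl -u ssh.service --since "1 hour ago" --no-pager | summarize_failed_ssh
sample_journal | summarize_failed_ssh
```

The fourth sample line uses the user name "from", which a left-to-right match on the word would misread as the address.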

Step 6: Real-time monitoring (like tail -f)

Add the -f (follow) flag to any command to see new entries as they appear.

# Follow all new logs
sudo journalctl -f

# Follow logs only for the NetworkManager service
sudo journalctl -u NetworkManager -f

# Follow errors in real-time
sudo journalctl -p err -f

Use Ctrl+C to stop.

Step 7: Managing output (formatting and limiting)

Learn how to make the output more readable or limit its volume.

# Show only the last 50 entries (like tail)
sudo journalctl -n 50

# Show newest entries first (reverse chronological order)
sudo journalctl --reverse

# Output in "short" format (one line per entry)
sudo journalctl -o short

# Output in "JSON" format for parsing by scripts
sudo journalctl -o json --no-pager

# Rotate the journal (requires root, be careful!)
sudo journalctl --rotate
sudo journalctl --vacuum-time=3d  # Delete entries older than 3 days

Verification

You have successfully mastered journalctl if you can:

  1. Find error logs for a specific service from the last hour.
  2. Filter entries to only the critical level.
  3. Start monitoring logs from a new process in real-time.
  4. Search for all calls to a specific command (e.g., sudo) by the _COMM field.

Test: Run the command sudo journalctl -u systemd-journald -p err --since today. If the output is not empty and shows entries, your filtering works.

Common Issues

Issue: "No journal files were found"

Cause: The systemd-journald service is not running, the journal is disabled, or it's stored only in memory (/run/log/journal/, which clears on reboot).

Solution:

  1. Check the status: sudo systemctl status systemd-journald.
  2. If the service is inactive, start it: sudo systemctl start systemd-journald.
  3. Check the configuration in /etc/systemd/journald.conf. Ensure Storage= is not set to none or volatile. For persistent storage on disk, it should be Storage=auto or Storage=persistent.

Issue: Insufficient permissions to view logs

Cause: Some entries (e.g., from the kernel or certain services) are only accessible to root.

Solution: Always use sudo before journalctl if you need full access. For viewing only your own user logs (from your processes), sudo may not be needed.

Issue: The journal is too large, commands are slow

Cause: A large amount of historical data has accumulated.

Solution: Regularly perform "vacuuming" (cleanup) of old entries. For example, to keep logs only for the last 7 days:

sudo journalctl --vacuum-time=7d

Or limit the total journal size (e.g., 500MB):

sudo journalctl --vacuum-size=500M

Configure automatic cleanup: Edit /etc/systemd/journald.conf and set the SystemMaxUse=, SystemKeepFree=, or MaxRetentionSec= parameters. After changes, restart the service: sudo systemctl restart systemd-journald.
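
One way to check the journald.conf settings discussed in the two issues above (Storage= and the size and age caps), as an added example that is not part of the original guide. The function names and the sample file are constructed, and only the single file passed in is read, so settings in drop-in directories such as /etc/systemd/journald.conf.d/ are not considered.

```bash
#!/usr/bin/env bash
# Added example: print the last uncommented assignment of KEY in FILE.
journald_conf_get() {    # usage: journald_conf_get FILE KEY
    awk -F= -v key="$2" '
        /^[ \t]*[#;]/        { next }    # comment line
        index($0, "=") == 0  { next }    # section header or blank line
        {
            k = $1; gsub(/[ \t]/, "", k)
            if (k != key) next
            v = $0; sub(/^[^=]*=/, "", v)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            val = v                      # a later assignment overrides
        }
        END { if (val != "") print val }
    ' "$1"
}

# Returns 0 when the journal is kept on disk and an explicit cap is set.
check_journald_conf() {  # usage: check_journald_conf FILE
    local file=$1 storage rc=0
    storage=$(journald_conf_get "$file" Storage)
    case "${storage:-auto}" in           # unset means the default, auto
        none|volatile)
            echo "WARN: Storage=$storage, the journal is not kept on disk"
            rc=1 ;;
        *)
            echo "OK: Storage=${storage:-auto (default)}" ;;
    esac
    if [ -z "$(journald_conf_get "$file" SystemMaxUse)" ] &&
       [ -z "$(journald_conf_get "$file" MaxRetentionSec)" ]; then
        echo "WARN: no SystemMaxUse= or MaxRetentionSec=, built-in limits apply"
        rc=1
    fi
    return "$rc"
}

# Constructed sample; on a real host pass /etc/systemd/journald.conf instead.
sample=$(mktemp)
printf '%s\n' '[Journal]' '#Storage=auto' 'Storage=volatile' 'SystemMaxUse=500M' > "$sample"
check_journald_conf "$sample" || echo "review the settings flagged above"
rm -f "$sample"
```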

Issue: Can't find logs by old filename (e.g., /var/log/syslog)

Cause: In systemd-based systems, traditional logs may be redirected into journald or disabled. Files in /var/log/ might be symbolic links or not updated.

Solution: Use journalctl as the primary tool. If you need to preserve logs in classic format for external systems, configure systemd-journald to forward them to /var/log/ by setting ForwardToSyslog=yes in the config and running rsyslog or syslog-ng.
