journalctl for Beginners: Working with systemd Logs

Systemd is an initialization system used in most modern Linux distributions. One of its important functions is maintaining system logs through a special component called journald. The journalctl command allows you to work with these logs. In this article, we'll look at how to use journalctl for diagnostics and analysis of system logs.

What is journald and journalctl?

Journald is a systemd component that collects and stores logs in binary format. Unlike traditional text logs in /var/log, journald stores additional structured information about each message, including:

  • Timestamp with microsecond precision
  • Process PID
  • User UID and GID
  • Return code
  • Additional data fields

The journalctl command is a command-line tool for viewing and filtering these logs.

Basic journalctl Commands

View All Logs

```bash
journalctl
```

Shows all available logs, starting with the oldest ones. Use arrow keys to navigate or q to exit.

View Recent Logs

```bash
journalctl -n 20
```

Shows the last 20 entries. By default, the last 10 are shown.

View Logs with Live Updates

```bash
journalctl -f
```

Similar to tail -f for traditional logs. Shows recent entries and continues to display new ones as they appear.

Time Filtering

View Today's Logs

```bash
journalctl --today
```

View Logs for a Specific Date

```bash
journalctl --since "2026-03-03"
journalctl --until "2026-03-03"
```

View Logs for a Specific Period

```bash
journalctl --since "2026-03-01" --until "2026-03-03"
```

View Logs for the Last N Minutes/Hours

```bash
journalctl --since "2 hours ago"
journalctl --since "30 minutes ago"
```

Service Filtering

View Logs for a Specific Service

```bash
journalctl -u nginx.service
journalctl -u ssh.service
```

View Service Logs for a Specific Period

```bash
journalctl -u nginx.service --since "2026-03-03 10:00:00"
```

Priority Level Filtering

Journalctl allows filtering messages by priority level:

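```bash
# Show messages of priority err and more severe (emerg, alert, crit, err)
journalctl -p err

# Show messages of priority crit and more severe (emerg, alert, crit)
journalctl -p crit

# Show messages of priority info and more severe (everything except debug)
journalctl -p info
```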

Available levels:

  • 0/emerg: Emergency
  • 1/alert: Alert
  • 2/crit: Critical error
  • 3/err: Error
  • 4/warning: Warning
  • 5/notice: Notice
  • 6/info: Information
  • 7/debug: Debug

Process and User Filtering

View Logs by Process PID

```bash
journalctl _PID=1234
```

View Logs by User

```bash
journalctl _UID=1000
```

View Logs by Command

```bash
journalctl _COMM=systemd
```

Practical Usage Examples

Finding Errors in the System

```bash
# Show all errors for the last 24 hours
journalctl --since "24 hours ago" -p err..alert

# Show kernel messages from the current boot (-k implies -b)
journalctl -k
```

Analyzing Boot Issues

```bash
# View current boot logs
journalctl -b

# View previous boot logs
journalctl -b -1

# View logs for a specific boot by UUID
journalctl -b 12345678-1234-1234-1234-123456789abc
```

Keyword Search

```bash
# Search for keyword
journalctl | grep "error"

# Search in logs for a specific service
journalctl -u nginx.service | grep "404"
```

Output Formats

Journalctl supports various output formats:

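```bash
# JSON format (one JSON object per entry)
journalctl -o json

# Short format (the default, syslog-style)
journalctl -o short

# Verbose format (all fields of each entry)
journalctl -o verbose

# Export format (binary-safe stream for backup and transfer)
journalctl -o export
```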
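Added example (not from the original article): a parser for `journalctl -o json` output that applies the priority filter and reads the _COMM, _UID and SYSLOG_IDENTIFIER fields, keying on the underscore-prefixed fields that journald sets itself. The sample records and the function names are constructed for illustration.

```python
import json
from collections import Counter
from datetime import datetime, timezone

# Constructed sample shaped like `journalctl -o json` output: one JSON object
# per line, with every field value (PRIORITY, _PID, ...) emitted as a string.
SAMPLE = "\n".join([
    '{"__REALTIME_TIMESTAMP":"1772532000000000","PRIORITY":"3","_PID":"1234",'
    '"_UID":"33","_COMM":"nginx","SYSLOG_IDENTIFIER":"nginx",'
    '"MESSAGE":"bind() to 0.0.0.0:80 failed"}',
    '{"__REALTIME_TIMESTAMP":"1772532001000000","PRIORITY":"6","_PID":"900",'
    '"_UID":"0","_COMM":"sshd","SYSLOG_IDENTIFIER":"sshd",'
    '"MESSAGE":"Server listening on 0.0.0.0 port 22."}',
    # Non-UTF-8 message: journalctl emits it as an array of byte values.
    '{"__REALTIME_TIMESTAMP":"1772532002500000","PRIORITY":"2","_PID":"77",'
    '"_UID":"0","_COMM":"backupd","SYSLOG_IDENTIFIER":"backupd",'
    '"MESSAGE":[100,105,115,107,32,102,117,108,108,255]}',
    # SYSLOG_IDENTIFIER is chosen by the sender; _COMM and _UID come from journald.
    '{"__REALTIME_TIMESTAMP":"1772532003000000","PRIORITY":"3","_PID":"4321",'
    '"_UID":"1000","_COMM":"logger","SYSLOG_IDENTIFIER":"sshd",'
    '"MESSAGE":"Failed password for root"}',
])

def decode_message(value):
    """MESSAGE is a string, a byte-value array (non-UTF-8), or null (oversized)."""
    if isinstance(value, list):
        return bytes(value).decode("utf-8", errors="replace")
    return "" if value is None else value

def parse_journal(text, max_priority=3):
    """Return entries at max_priority or more severe (lower number = more severe)."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        prio = int(rec.get("PRIORITY", 6))  # assumption: no PRIORITY means info
        if prio > max_priority:
            continue
        us = int(rec["__REALTIME_TIMESTAMP"])  # microseconds since the epoch
        when = datetime.fromtimestamp(us // 10**6, timezone.utc)
        entries.append({"time": when.replace(microsecond=us % 10**6).isoformat(),
                        "priority": prio, "comm": rec.get("_COMM"),
                        "uid": rec.get("_UID"), "ident": rec.get("SYSLOG_IDENTIFIER"),
                        "message": decode_message(rec.get("MESSAGE"))})
    return entries

def count_by_comm(entries):
    """Count entries per trusted _COMM value rather than per sender-chosen tag."""
    return Counter(e["comm"] for e in entries)
```

On a live system the same functions can be fed the text produced by `journalctl -o json` instead of the constructed sample.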

Managing Journal Size

Check Journal Size

```bash
journalctl --disk-usage
```

Clean Old Journals

```bash
# Remove logs older than 7 days
journalctl --vacuum-time=7d

# Limit journal size to 100MB
journalctl --vacuum-size=100M

# Keep only N archives
journalctl --vacuum-files=3
```

Configuring Persistent Log Storage

By default, journald stores logs only in /run/log/journal, which means they will be lost on reboot. To permanently save logs:

  1. Create directory:

     ```bash
     sudo mkdir -p /var/log/journal
     ```

  2. Add to /etc/systemd/journald.conf:

     ```ini
     [Journal]
     Storage=persistent
     ```

  3. Restart journald:

     ```bash
     sudo systemctl restart systemd-journald
     ```

Practical Tips

Save Results to File

```bash
# Save results to file
journalctl -u nginx.service --since "2026-03-03" > nginx_logs.txt

# Save in JSON format
journalctl -u nginx.service --since "2026-03-03" -o json > nginx_logs.json
```

Real-Time Monitoring with Filtering

```bash
# Monitor SSH logs in real-time
journalctl -u ssh.service -f

# Monitor kernel messages in real-time
journalctl -k -f
```

Compare Logs Before and After Changes

```bash
# Mark time before change
MARK_START=$(date +"%Y-%m-%d %H:%M:%S")

# Perform changes
systemctl restart nginx

# View logs after changes
journalctl --since "$MARK_START" -u nginx.service
```

Conclusion

The journalctl command is a powerful tool for diagnostics and analysis of system logs in modern Linux systems. Thanks to its flexibility and rich filtering capabilities, it enables quick problem identification and system behavior analysis. Mastering journalctl is an important skill for any system administrator working with modern Linux distributions.

Remember that journald complements, rather than replaces, traditional logs in /var/log. Many applications continue to write logs to traditional files, so knowledge of both approaches is necessary for effective system diagnostics.