Show the most recent logs first:

journalctl --reverse

By time range:

journalctl --since "2025-01-01 00:00:00" --until "2025-01-15 23:59:59"

By service:

journalctl --unit servicename.service

By severity level:

journalctl --priority=warning

Output format and Boot logs

These options allow you to efficiently narrow down the log data to suit your specific needs. Other relevant options to explore include:

  • --no-hostname: Suppresses the hostname in log entries.
  • --no-full: Truncates long log fields in the output instead of displaying them in full.
  • -a/--all: Displays all fields, even those that are normally suppressed or truncated.
  • --truncate-newline: Removes newline characters from the MESSAGE field.
  • -q/--quiet: Suppresses the header and metadata output of the journalctl command to leave only the raw log content.

A simple modification to the output is configuring timestamps to be displayed in UTC instead of the system time:

journalctl --utc

The -o/--output option allows you to print the journal output in a variety of formats.

journalctl --output json

For improved readability, you can use the json-pretty format:

journalctl --output json-pretty

To see all the available fields that are present in the systemd journal, use the --fields flag:

journalctl --fields

You can find out more about these fields by reading the systemd manual:

man systemd.journal-fields

If you’d like to display only specific fields, you can use the --output-fields option with certain formats such as json, json-pretty, verbose, export and others.

journalctl --output=json --output-fields=<field1>,<field2>,<field3>
journalctl --output json-pretty --output-fields=MESSAGE,PRIORITY

Here are the other formats that control the output produced by journalctl:

  • short: This is the default output format.
  • cat: Includes the log message alone by default.
  • json: JSON-formatted output containing all available fields per entry.
  • json-pretty: Prettified json output for better readability.
  • verbose: Displays the entire log entry with all available fields per entry.

journalctl provides options to isolate logs generated during a particular boot, allowing you to focus your analysis on a specific time window.

To display logs from the current boot session, use the -b flag:

journalctl -b

This will show all log entries recorded since the system last started, including low-level kernel messages related to the boot process.

To see a list of all recorded boot sessions, use the --list-boots option:

journalctl --list-boots

This command outputs a table with information about each boot session, including:

  • IDX: A relative identifier for each boot session.
  • Boot ID: A unique hexadecimal identifier for each boot.
  • Time range: The start and end time of the boot session.

You can use either the offset number or the boot ID to filter logs for a specific boot session:

  • Show logs from the current boot session:
journalctl -b 0
  • Show logs from the previous boot session:
journalctl -b -1
  • Show logs associated with the specified boot ID:
journalctl -b 0f419686d8744067acd4e7ab962a280b

Filtering Journal logs by a time range

You can define a time window for your log search using the --since and --until flags to specify the lower and upper bounds of the time range respectively.

Both flags accept flexible timestamp formats, including:

  • Full timestamps: YYYY-MM-DD HH:MM:SS (e.g., 2021-11-23 23:02:15)
  • Dates only: YYYY-MM-DD (e.g., 2021-05-04)
  • Times only: HH:MM (e.g., 12:00)
  • Relative times: 5 hour ago, 32 min ago
  • Keywords: yesterday, today, now

journalctl --since 'today'

You can also filter logs that fall on a specific date or between specific dates with:

journalctl --since '2022-02-16 21:00:00' --until '2022-02-16 22:00:00'
journalctl --since 12:00 --until '30 min ago'

Filtering Journal logs by Systemd service

To view logs generated by a specific service, use:

journalctl --unit docker.service

You can also filter for multiple services simultaneously by repeating the --unit flag:

journalctl --unit rsyslog.service --unit nginx.service --since '1 hour ago'

Filtering Journal entries by metadata

There are many options, but you can see which of the fields are available on the logs you’re interested in through the json or verbose format as follows:

journalctl --output verbose

Once you’ve figured out what fields you’re interested in, you can display all possible values for that field with the -F/--field flag. For example, to see all possible priority levels, use:

journalctl -F PRIORITY

The numbers can be mapped to the standard syslog priority levels:

{
  emerg: 0,
  alert: 1,
  crit: 2,
  err: 3,
  warning: 4,
  notice: 5,
  info: 6,
  debug: 7
}

To filter for entries with a specific metadata value, use the field name followed by an equals sign (=) and the desired value.

For example, to show only logs with priority level “3”, use:

journalctl PRIORITY=3

You can also combine multiple metadata filters to refine your search further. For instance, to see error logs from the kernel, run:

journalctl PRIORITY=3 SYSLOG_IDENTIFIER=kernel

For commonly used fields, you can use dedicated flags to reduce verbosity and make your journalctl commands more concise. This includes:

  • -p/--priority: PRIORITY
  • --facility: SYSLOG_FACILITY
  • -t/--identifier: SYSLOG_IDENTIFIER
  • -u/--unit: _SYSTEMD_UNIT

For example, instead of:

journalctl SYSLOG_IDENTIFIER=sshd PRIORITY=3

You can simply write:

journalctl -t sshd -p 3

Tailing and following Journal entries

Similar to using tail -f to monitor a file for new content, journalctl provides a way to “tail” or follow journal entries in real time.

journalctl --follow

This command will display the most recent 10 log entries and continuously display entries as they are written to the journal. You can configure how many logs are initially displayed with the -n/--lines option:

  • Show 20 initial lines instead:
journalctl --lines 20 --follow

You can also use the --no-tail option to show all lines even when in follow mode:

journalctl --no-tail --follow

The --follow flag can be combined with other journalctl filters to focus on specific events. For example, to tail messages with error severity or higher, use:

journalctl --follow --priority err

Or to tail logs from a specific service:

journalctl --follow --unit docker.service

Searching for Journal entries

journalctl --unit ssh.service --grep 'Invalid user' --since '1 hour ago'

The --grep flag also supports regular expressions for more complex searches:

journalctl --grep "error|failed"

The search is case-insensitive by default, but you can make it case-sensitive through the --case-sensitive flag:

journalctl --grep <pattern> --case-sensitive
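
An added example (not from the original page): a Python sketch that consumes `journalctl --output json` lines and counts sshd "Invalid user" attempts per source address, alongside a per-level entry count using the priority mapping above. The sample entries, the addresses in them, and the names `message_text` and `summarize` are constructed for illustration.

```python
import json
import re
from collections import Counter

# Syslog level names keyed by PRIORITY value (the mapping shown on this page).
LEVELS = dict(zip("01234567", ["emerg", "alert", "crit", "err",
                               "warning", "notice", "info", "debug"]))
# Anchored at the end: the user name is attacker-controlled and may itself
# contain " from <ip> port <n>", so only the trailing part written by sshd counts.
INVALID_USER = re.compile(r"Invalid user .* from (\S+) port \d+$")

# Constructed sample entries in `journalctl --output json` form (not real logs).
SAMPLE = [
    json.dumps({"PRIORITY": "6", "SYSLOG_IDENTIFIER": "sshd",
                "MESSAGE": "Invalid user admin from 203.0.113.7 port 50112"}),
    json.dumps({"PRIORITY": "6", "SYSLOG_IDENTIFIER": "sshd", "MESSAGE":
                "Invalid user x from 192.0.2.1 port 22 from 203.0.113.7 port 50120"}),
    # Non-UTF-8 messages are serialized as an array of byte values.
    json.dumps({"PRIORITY": "6", "SYSLOG_IDENTIFIER": "sshd", "MESSAGE":
                list(b"Invalid user \xff\xfe from 198.51.100.9 port 4022")}),
    # Oversized fields are serialized as null unless --all is given.
    json.dumps({"PRIORITY": "3", "SYSLOG_IDENTIFIER": "kernel", "MESSAGE": None}),
    "not json",  # truncated or corrupt line
]

def message_text(value):
    """Normalize MESSAGE: str as is, byte array decoded, null/other to ''."""
    if isinstance(value, str):
        return value
    if isinstance(value, list):
        return bytes(value).decode("utf-8", errors="replace")
    return ""

def summarize(lines, identifier="sshd"):
    """Return (invalid-user attempts per source, entry count per level name)."""
    sources, levels = Counter(), Counter()
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip lines that are not a complete JSON document
        if not isinstance(entry, dict):
            continue
        prio = entry.get("PRIORITY")
        if isinstance(prio, str) and prio in LEVELS:
            levels[LEVELS[prio]] += 1
        if entry.get("SYSLOG_IDENTIFIER") != identifier:
            continue
        match = INVALID_USER.search(message_text(entry.get("MESSAGE")))
        if match:
            sources[match.group(1)] += 1
    return sources, levels
```

To run it on live data, pipe `journalctl -t sshd --since '1 hour ago' --output json` into a script that calls `summarize(sys.stdin)`.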

Maintaining the Systemd Journal

journalctl --disk-usage
sudo journalctl --rotate

If the journal is taking up too much space, you can choose from the following vacuuming options to manually shrink it to a desired size:

  • --vacuum-size=: Shrink the journal to a desired size.
  • --vacuum-files=: Reduce the number of journal files to .
  • --vacuum-time=

For example, you can reduce the journal size to 500 MB with:

sudo journalctl --vacuum-size=500M

Instead of specifying a size, you can also delete logs based on their age using the --vacuum-time option.

sudo journalctl --vacuum-time=1month

Configuring Journal storage

To automatically manage journal size, you can modify the following options in the /etc/systemd/journald.conf file:

  • SystemMaxUse and RuntimeMaxUse: Set the maximum amount of space that the journal should take up in persistent storage (/var/log/journal) and volatile storage (/run/log/journal) respectively.
  • SystemKeepFree and RuntimeKeepFree: Define the percentage of disk space that should always be kept free for other uses.
  • SystemMaxFileSize and RuntimeMaxFileSize: Control how large individual journal files should grow before being rotated.
  • SystemMaxFiles and RuntimeMaxFiles: Specify the maximum number of journal files to keep.

[Journal]
Compress=yes
SystemMaxUse=5G
RuntimeMaxUse=1G
SystemKeepFree=10%
RuntimeKeepFree=15%
SystemMaxFileSize=100M
RuntimeMaxFileSize=50M
SystemMaxFiles=100
RuntimeMaxFiles=50