
How to Use journalctl to Query System Logs

By Admin · Mar 2, 2026 · Updated Apr 23, 2026 · 30 views · 2 min read

What is journalctl?

journalctl is the query tool for systemd-journald, the centralized logging service on modern Linux distributions. Unlike traditional syslog files, the journal stores structured log data including metadata like service name, priority, and PID. Mastering journalctl lets you quickly diagnose issues on your Breeze.

Basic Usage

# View all logs (oldest first)
journalctl

# View logs newest first
journalctl -r

# Follow new entries in real time (like tail -f)
journalctl -f

# Show only the last 50 entries
journalctl -n 50

Filtering by Unit (Service)

# Logs for a specific service
journalctl -u nginx
journalctl -u mysql
journalctl -u sshd

# Follow a specific service in real time
journalctl -u nginx -f

# Multiple services
journalctl -u nginx -u php8.2-fpm

Filtering by Time

# Since a specific date/time
journalctl --since "2026-03-01 00:00:00"

# Since a relative time
journalctl --since "1 hour ago"
journalctl --since "30 min ago"
journalctl --since yesterday

# Time range
journalctl --since "2026-03-01" --until "2026-03-02"

# Today only
journalctl --since today

Filtering by Priority

Priority levels (0=most severe to 7=least):

  • 0 — emerg
  • 1 — alert
  • 2 — crit
  • 3 — err
  • 4 — warning
  • 5 — notice
  • 6 — info
  • 7 — debug

# Show only errors and more severe (err, crit, alert, emerg)
journalctl -p err

# Show warnings and more severe
journalctl -p warning

# Errors for a specific service
journalctl -u nginx -p err

Filtering by Boot

# Current boot only
journalctl -b

# Previous boot
journalctl -b -1

# List all recorded boots
journalctl --list-boots

Output Formats

# JSON output (useful for parsing)
journalctl -u nginx -o json-pretty -n 5

# Short with timestamps
journalctl -o short-iso

# Verbose (all metadata)
journalctl -o verbose -n 1

# Export format
journalctl -o export

Searching and Grep

# Search for a keyword (using grep)
journalctl -u nginx | grep "500"

# Use built-in grep equivalent
journalctl -g "error|fail" -u sshd

# Search by PID
journalctl _PID=1234

# Search by UID
journalctl _UID=1000

Disk Usage and Maintenance

# Check journal disk usage
journalctl --disk-usage

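# Retain only the last 7 days (deletes older archived journal files)
sudo journalctl --vacuum-time=7d

# Limit total size to 500MB (deletes the oldest archived journal files first)
sudo journalctl --vacuum-size=500M

# Configure persistent limits in /etc/systemd/journald.conf (under [Journal]):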
# SystemMaxUse=500M
# SystemMaxFileSize=50M
# MaxRetentionSec=1month

Practical Troubleshooting Examples

# Why did a service fail?
journalctl -u myapp --since "10 min ago" -p err

# What happened during last reboot?
journalctl -b -1 -p warning

# SSH login attempts (on Debian and Ubuntu the unit is named ssh)
journalctl -u sshd | grep "Accepted\|Failed"

# Kernel messages (like dmesg)
journalctl -k

# OOM killer events
journalctl -k | grep -i "oom\|killed process"
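
The SSH login check above can be turned into a per-source summary. The following is an added example, not part of the original article: it counts failed password attempts per source address from `journalctl -o short-iso` output. The function names, host name and sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: count failed SSH password attempts per source address.
# Reads `journalctl -o short-iso` lines on stdin and prints "<count> <address>"
# for every address with at least $1 failures (default 3), highest count first.
failed_ssh_by_source() {
    awk -v min="${1:-3}" '
        # sshd ends these messages with "from ADDR port PORT ssh2". The user
        # name is chosen by the client and may itself contain " from ... ",
        # so the address is taken by position from the END of the line.
        # OpenSSH 9.8 and later log from a process named sshd-session.
        /sshd(-session)?\[[0-9]+\]: Failed password for / &&
        $(NF-4) == "from" && $(NF-2) == "port" {
            count[$(NF-3)]++
        }
        END {
            for (addr in count)
                if (count[addr] >= min) print count[addr], addr
        }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample input (documentation address ranges), short-iso format.
sample_journal() {
    cat <<'EOF'
2026-03-01T10:15:02+0000 web01 sshd[2201]: Failed password for root from 203.0.113.7 port 52144 ssh2
2026-03-01T10:15:05+0000 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 52144 ssh2
2026-03-01T10:15:09+0000 web01 sshd[2204]: Failed password for invalid user test from 203.0.113.7 port 52146 ssh2
2026-03-01T10:16:11+0000 web01 sshd[2207]: Accepted publickey for deploy from 198.51.100.23 port 40112 ssh2
2026-03-01T10:16:30+0000 web01 sshd[2209]: Failed password for deploy from 198.51.100.23 port 40120 ssh2
2026-03-01T10:16:40+0000 web01 sshd[2210]: Failed password for invalid user x from 192.0.2.99 port 1 ssh2 from 203.0.113.7 port 52150 ssh2
2026-03-01T10:17:02+0000 web01 sshd-session[2215]: Failed password for deploy from 198.51.100.23 port 40131 ssh2
EOF
}

# On a live system:
#   journalctl -u sshd -o short-iso --since today | failed_ssh_by_source 5
sample_journal | failed_ssh_by_source 3   # prints: 4 203.0.113.7
```

The sixth sample line carries a user name containing a fake "from 192.0.2.99"; counting from the end of the line attributes it to the real source instead.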
