- Journalctl centralizes and filters systemd logs by time, unit, priority, and more.
- Allows flexible outputs (JSON, ISO 8601, verbose) and real-time tracking.
- Space management with vacuum and limits in journald.conf for fine-grained control.
when you work with Linux modern, systemd and its centralized journal They're the bread and butter for understanding what's happening on the machine. And this is where journalctl comes in, the Swiss Army knife for querying, filtering, and exporting those logs with a speed and precision you won't get with scattered flat files.
This tutorial brings together, step by step, All the essentials and advanced features of journalctl: since seeing the last one Boot, filter by service, user or priority, to manage disk space, change output formats or export in JSON. In addition, you will see how to enable the storage persistent, list previous starts and move through time windows with absolute flexibility.
Journalctl, systemd-journald, and why it matters
On systems with systemd, messages from the kernel, services, initrd, and user processes are collected in a binary journal managed by systemd-journald. Unlike /var/log/syslog and similar, this binary format allows Fast searches, metadata filtering, and versatile outputs (e.g. JSON or syslog style), all from a single access point: journalctl.
First of all: check the time zone
Since records are displayed in local time by default, it is advisable to first validate the time zone with timedatectl. You can list available zones with timedatectl list-timezones and change it with sudo timedatectl set-timezone ZONA. To check the status, uses timedatectl status and confirms that the local clock is correct.
If you are interested in working in UTC, journalctl adds the modifier –utc to display universal timestamps when you need them. This way there's no hassle when comparing with logs. other servers or with monitoring data.
Getting started: viewing, navigating, and paging
Without arguments, journalctl displays the entire journal from the oldest entry to the newest using a pagination (usually moins). You can scroll with arrows and, if the line is longer than the screen, see the rest with the right arrow. To reverse the order (recent first), add -r.
If you want the line to be truncated instead of shifted sideways, use --no-full; and to see absolutely everything (including non-printable characters), adds -a. When you want to process the output with other tools, --no-pager disables the pager and leaves the output in stdout.
There are more practical shortcuts for everyday life: -e jump straight to the end of the journal to see the latest happenings and -x instituted add explanations useful to some messages (when available) to speed up diagnosis.
Filter by system boots
The switch -b It shows you only the entries of the current boot. You'll see “– Reboot –” lines delimiting sessions if you navigate through more than one boot. To go to a previous boot, use journalctl -b -1; for five starts ago, -b -5. This is ideal when a problem only occurs after a reboot or in specific boot sequences.
If you want the list of starts that the newspaper knows, journalctl --list-boots will display one per line with: relative offset (0, -1, -2, …), BOOT_ID and time range. You can query by offset or absolute ID: journalctl -b 0 o journalctl -b BOOT_ID.
Important: To have previous boots persist across reboots, enable persistent storage by creating /var/log/journal (sudo mkdir -p /var/log/journal) or editing /etc/systemd/journald.conf Storage=persistent. This way, logs won't be lost on every boot.
Powerful time windows
To limit by time, use --since y --until with the format YYYY-MM-DD HH:MM:SSIf you omit the time, midnight is assumed; if you omit the date, the current day is assumed. For example: journalctl --since "2024-12-01 09:00" --until "2024-12-01 12:00".
You can also use relative expressions: yesterday, today, Tomorrow, now, or phrases like "1 hour ago". A classic: journalctl --since 09:00 --until "1 hour ago" to view from the first hour to the hour before the current one.
Filter by service, processes, users, and more
The most common filter is per systemd unit: -u. For example, journalctl -u nginx.service Displays everything from the nginx service. You can combine multiple units to see how they interact. interspersing chronologically entries from, for example, Nginx and PHP-FPM: journalctl -u nginx.service -u php-fpm.service --since today.
For running or not running services, you can list units with systemctl list-units -t service --all and discover exact names (useful in systems with dozens of services). This way you avoid typos and filter out just what's needed.
If you know the PID, filter by _PID: journalctl _PID=8088. For users and groups, use _UID y _GID: For example, id -u www-data will return the UID that you can then use in journalctl _UID=33 --since today to see what was generated by that user.
The journal indexes many fields automatically: executable, command, transport, facility, etc. With journalctl -F CAMPO you can list the different values from a field and thus build more accurate filters. Consult man systemd.journal-fields to see the complete catalog of filterable fields.
Some very handy filters: by executable path (journalctl /usr/bin/bash), by syslog style facility (SYSLOG_FACILITY=3 corresponds to daemon), by boot ID (_BOOT_ID=...) or by transport (_TRANSPORT=kernel|stdout|journal|syslog|driver|audit) according to origin of the message.
You can even filter by device in some cases, for example for Detect USB events in Linux or with journalctl /dev/sda, useful for locating messages related to storage when there are suspicions of I/O or bad sectors.
Kernel messages and dmesg equivalents
To see only kernel messages you have -k o --dmesg. By default, they are limited to the current boot, but you can combine them with -b for other boots: journalctl -k -b -5 will show the kernel from five boots ago.
This filter is very useful to detect conflicts of drivers, problems of hardware o kernel panic or low-level events that don't appear in user services. It's the modern alternative to the old command dmesg with temporal context and metadata.
Log priorities: 0 to 7 or by name
Journalctl recognizes standard priority levels: 0 emergency, 1 alert, 2 critical, 3 error, 4 warning, 5 notice, 6 information, 7 debug. You can filter with -p using the name or number, and by default includes the chosen level and all the most severe ones.
Examples: journalctl -p err -b (error and highest in current boot) or journalctl -p 3. If you want to narrow down a exact range, use the format desde..hasta: for example, only warning, error and critical with journalctl -p warning..crit or in numbers journalctl -p 4..2.
Follow in real time, latest lines and searches
To “listen” to the live newspaper, -f it works the same as tail -f. Perfect when you restart a service and want to immediately see what it spits out. If you prefer a sampling, -n show the last N lines (default 10): journalctl -n, journalctl -n 20 o journalctl -n12 in its compact form.
In addition to the always useful pipe to grep, journalctl integrates --grep for regex patterns directly in the query. For example, to locate entries containing GnuPG: journalctl --grep GnuPG. Combined with time, drive or priority, search is surgical.
Output and export formats
With -o you change the output format. You have short (syslog style by default), short-iso (ISO 8601 timestamp), short-monotonic (monotonic mark), short-precise (microseconds) and verbose (shows all fields, including internal ones).
For integrations, json y json-pretty are ideal (the latter is more human readable), and json-sse encapsulates the output for server-sent events. The format cat print only the field MESSAGE, useful for clean readings, and export It is used to transfer or backup records in binary.
If you are going to process with other tools, remember to combine --no-pager and redirects: journalctl -b -u nginx -o json --no-pager > nginx.json or simply journalctl > mensajes.log when you need a quick dump.
Permits and security
By design, each user can query their own records. To see the system, you need to be root or belong to groups such as adm, wheel o systemd-journalThis prevents leaks of sensitive information and respects the principle of least privilege.
Disk usage control
To measure how much space the newspaper takes up: journalctl --disk-usage. You will see a summary of the MiB/GiB consumed by the journal files in persistent and volatile storage, something key to avoid scares in small partitions.
If you need to reduce or free up space in LinuxYou have three emptying strategies: by size, by time, and by number of files. Examples: sudo journalctl --vacuum-size=1G, sudo journalctl --vacuum-time=2weeks o sudo journalctl --vacuum-files=10 to preserve as much as possible 10 archived files.
To set permanent limits, edit /etc/systemd/journald.confThe most useful keys: SystemMaxUse= y RuntimeMaxUse= (total limit on persistent and volatile), SystemKeepFree= y RuntimeKeepFree= (space to be reserved in the FS), SystemMaxFileSize= y RuntimeMaxFileSize= (individual file size) and SystemMaxFiles= y RuntimeMaxFiles= (maximum number of archived files). Sizes accept K, M, G, T, P, E suffixes.
Keep in mind that file size limits guide the rotation to reach the marked value and that, by default, if you do not configure anything, journal usually self-limitation to about 10% of the file system where it resides. After changing the configuration, restart the service with sudo systemctl restart systemd-journald.
Quick recipes and tricks
To see only the most serious errors from the last boot: journalctl -p err -b. If you want exactly warning, error and critical: journalctl -p warning..crit o journalctl -p 4..2 to express it in numbers.
List all values in a field and refine filters: journalctl -F _GID (o -F _UID, -F _EXE, etc.). It's perfect for discovering real IDs before building your final query.
Separate by executable or command: journalctl _EXE=/usr/bin/sudo o journalctl _COMM=sudo. If you need to isolate what is coming from the standard services output, filter by _TRANSPORT=stdout.
Filter by host in shared hostname environments: journalctl _HOSTNAME=debian. And to request tickets from a specific user knowing their UID: journalctl _UID=0 (root) or the number that corresponds to your case.
Do you need to see only “user” level messages from the facility syslog? journalctl SYSLOG_FACILITY=1 (and remember that 3 corresponds to daemon). These filters help you emulate classic syslog views when migrating to systemd.
Working in UTC, ISO 8601 and microsecond precision
If you have systems in multiple zones or compare with metrics, add --utc to standardize time. For clear and orderly formats, -o short-iso It's a great choice; if you're interested in monotonic clock sorting (for debugging relative sequences), -o short-monotonic is your friend.
When an incident requires maximum granularity, -o short-precise adds microseconds to the timestamp. It's a gem when correlating with traces, profiles, or network captures.
Good practices for daily use
Enable persistence if you care about history: create /var/log/journal or configure Storage=persistent and restart journald. If you work with a lot of rotation, define SystemMaxUse y SystemKeepFree so that it never drowns the partition.
To debug services, combine: -u servicio + -f + filters of priority and time. Add -x when you suspect cryptic messages; sometimes it provides additional clues that save you valuable minutes.
In pipelines and exports, use --no-pager and formats such as json o export depending on the target tool. Don't forget security: restrict access to appropriate groups and check permissions if you share outputs that may contain sensitive data.
Mastering journalctl changes the way you understand the system: with filters by unit, PID, user, priority or time, with rich outputs and control of disk usage, You will always have the precise story at hand of what's happening. It's a solid tool for monitoring, auditing, and debugging intelligently, without getting lost in thousands of lines.
Passionate writer about the world of bytes and technology in general. I love sharing my knowledge through writing, and that's what I'll do on this blog, show you all the most interesting things about gadgets, software, hardware, tech trends, and more. My goal is to help you navigate the digital world in a simple and entertaining way.