linuxlab.io
Tutorials▾
  • Linux & networking
    File system, processes, TCP/IP, BGP and OSPF
    →
  • Terraform & IaC
    HCL, state, plan/apply on a LocalStack sandbox
    →
  • Git & GitHub
    Object model, plumbing, branching, GitHub Actions
    →
All tutorials →
PricingAboutSign inCreate account
/
  • Introduction
  • Lessons
  • How it works
  • Simulator
  • Knowledge base
  • Interview prep
Index
Categories
All entries
Footer
linuxlab-TutorialsPricingAboutPrivacy & cookies
Copyright © 2026 LinuxLab. All rights reserved.
home/linux/kb/Commands/cmd-journalctl

kb/commands ── Commands ── intermediate

journalctl: systemd journal

`journalctl` reads the binary journal written by systemd-journald. It is the central log for the system: kernel, systemd services, syslog, all through one interface.

view as markdownaka: journal, systemd-journal

Why not just tail /var/log/syslog

  • One source. Kernel, init, services, syslog API, and the stdin/stderr of processes launched through systemd.
  • Structured fields. Beyond plain text there are _PID, _UID, _COMM, MESSAGE_ID, and any KEY=value fields an application writes.
  • Binary format. More compact than plain text, and indexed.
  • Boot-aware. The journal tracks individual boots, so you can filter by boot session.

Basic commands

bash
journalctl                          # entire journal (oldest first)
journalctl -e                       # jump to the end (like less -G)
journalctl -f                       # follow (like tail -f)
journalctl -n 50                    # last 50 lines
journalctl -r                       # reverse: newest first

Filters

bash
journalctl -u nginx                       # only the nginx unit (see [[cmd-systemctl]])
journalctl -u nginx -u php-fpm            # multiple units
journalctl -p err                         # priority: emerg/alert/crit/err/warning/notice/info/debug
journalctl --since "1 hour ago"
journalctl --since "2024-01-01" --until "2024-01-02 12:00"
journalctl _PID=1234                      # by PID (structured field)
journalctl _COMM=sshd                     # by process name
journalctl -k                             # kernel messages only (= dmesg)

By boot session

bash
journalctl --list-boots                   # list all recorded boot sessions
journalctl -b                             # current boot only
journalctl -b -1                          # previous boot (`-1` = one back)

This matters when the system crashed and restarted. You can separate what happened before the crash from what happened after.

Output formats

bash
journalctl -u nginx -o json           # one JSON object per line, useful for parsing
journalctl -u nginx -o json-pretty
journalctl -o cat -u nginx            # MESSAGE only, no prefixes
journalctl -o verbose                  # ALL structured fields

Journal size

bash
journalctl --disk-usage                # how much space the journal uses on disk
sudo journalctl --vacuum-size=500M     # trim to 500 MB
sudo journalctl --vacuum-time=7d       # delete entries older than 7 days

Size limits are configured in /etc/systemd/journald.conf (SystemMaxUse=, MaxRetentionSec=).

Persistent vs volatile

On many distributions the journal is stored in RAM (/run/log/journal) by default and is lost on reboot. To make it persistent:

bash
sudo mkdir -p /var/log/journal
sudo systemctl restart systemd-journald

§ команды

bash
journalctl -u nginx -f

Tail nginx logs in real time

bash
journalctl -p err -b

All errors from the current boot. A good first step when diagnosing a problem.

bash
journalctl --since '10 min ago' -u myapp

Recent logs for a specific service

bash
sudo journalctl --vacuum-time=7d

Delete journal entries older than one week

bash
journalctl -k --since today

Kernel messages since midnight. Replaces dmesg with a time filter.

§ см. также

  • systemdsystemd: the init system and service managersystemd is the Linux init system: PID 1 that starts everything else, tracks dependencies, restarts what crashes, and collects the logs.
  • cmd-systemctlsystemctl: managing systemd services`systemctl` is the main CLI for managing systemd units: services, timers, mounts, and sockets. It replaces SysV init and `service` on modern distros.
  • cmd-cron-crontabcron and crontab: scheduling taskscron is a daemon that reads crontab files and runs jobs on a schedule. Format: `min hour day month weekday command`. anacron handles machines that are powered off. On systemd systems, timers are often used instead.
  • signalsSignals (SIGTERM, SIGKILL, SIGHUP)A signal is an asynchronous notification to a process from the kernel or another process. TERM asks it to quit, KILL kills it now, HUP reloads config.
  • loki-grafana-loggingLoki: label-based logs, LogQL, Promtail/Vector pipelineLoki is log aggregation with a label-based index, not full-text like Elastic. Cheap on S3 storage. Promtail/Vector are the agents. LogQL resembles PromQL: filter, parse, aggregate. Cardinality is the enemy.
Footer
linuxlab-
Copyright © 2026 LinuxLab. All rights reserved.
Tutorials
Pricing
About
Privacy & cookies