journalctl
journalctl is a command for viewing the journal (structured log) managed by systemd. You can use -u to filter by service, -p to specify an error level, and --since / --until to narrow down by time range, making it easy to extract the information you need from large amounts of logs. The -f option lets you follow logs in real time, which is useful for investigating incidents and verifying behavior right after a deployment.
Syntax
# -----------------------------------------------
# Basic syntax of journalctl
# -----------------------------------------------
# journalctl [options] [match conditions ...]
# → Displays logs from the systemd journal
# → With no options, shows all logs in chronological order
# -----------------------------------------------
# Filter by service unit
# -----------------------------------------------
# journalctl -u {unit name}
# → Shows only logs for the specified systemd unit (service)
# Example: journalctl -u nginx.service
# journalctl -u {unit name} -f
# → Follows the service logs in real time (equivalent to tail -f)
# Example: journalctl -u php-fpm.service -f
# -----------------------------------------------
# Limit the number of lines
# -----------------------------------------------
# journalctl -n {number of lines}
# → Shows only the latest N lines
# Example: journalctl -n 50
# journalctl -u {unit name} -n {number of lines}
# → Filters by service and shows the latest N lines
# Example: journalctl -u nginx.service -n 100
# -----------------------------------------------
# Filter by priority (log level)
# -----------------------------------------------
# journalctl -p {level}
# → Shows only logs at or above the specified priority
# Priorities: emerg(0) alert(1) crit(2) err(3) warning(4) notice(5) info(6) debug(7)
# Example: journalctl -p err # err and above (err/crit/alert/emerg)
# Example: journalctl -p warning # warning and above
# -----------------------------------------------
# Filter by time range
# -----------------------------------------------
# journalctl --since "{datetime}" --until "{datetime}"
# → Filters logs by start and end datetime
# Datetime format: "YYYY-MM-DD HH:MM:SS" or "today", "yesterday", "-1h", etc.
# Example: journalctl --since "2026-03-25 08:00:00" --until "2026-03-25 09:00:00"
# Example: journalctl --since "today"
# Example: journalctl --since "-30min"
# -----------------------------------------------
# Filter by boot session
# -----------------------------------------------
# journalctl -b
# → Shows logs from the current boot session (since the last restart)
# journalctl -b -1
# → Shows logs from the previous boot session
# -----------------------------------------------
# Kernel logs
# -----------------------------------------------
# journalctl -k
# → Shows kernel messages (equivalent to dmesg)
# -----------------------------------------------
# Output everything without a pager
# -----------------------------------------------
# journalctl --no-pager
# → Outputs everything to stdout without using a pager like less
# → Use this when piping to grep or other commands
# Example: journalctl -u nginx.service --no-pager | grep "error"
# -----------------------------------------------
# Change the output format
# -----------------------------------------------
# journalctl -o {format}
# → Specifies the output format
# Formats: short (default), short-precise, json, cat, verbose, etc.
# Example: journalctl -u nginx.service -o json
# Example: journalctl -u nginx.service -o short-precise # Shows timestamps down to microseconds
Option Reference
| Option | Description |
|---|---|
-u {unit name} | Shows only logs for the specified systemd unit (service). The .service suffix can be omitted. |
-f | Follows logs in real time. Behaves like tail -f. Press Ctrl+C to exit. |
-n {number of lines} | Shows only the latest N lines. Defaults to the latest 10 lines. |
-p {level} | Shows only logs at or above the specified priority. Specifying err extracts only error, critical, alert, and emergency logs. |
--since "{datetime}" | Shows logs from the specified datetime onward. Relative values such as "today", "yesterday", and "-1h" are also accepted. |
--until "{datetime}" | Shows logs up to the specified datetime. Combine with --since to filter by a time range. |
-b | Shows only logs from the current boot session. Use -b -1 to view the previous boot session. |
-k | Shows only kernel messages. Provides the same information as the dmesg command. |
--no-pager | Outputs everything to stdout without using a pager. Useful for piping to grep and other commands. |
-o {format} | Specifies the output format. Use json for JSON output suitable for scripting, or short-precise for microsecond-precision timestamps. |
--disk-usage | Shows the amount of disk space used by the journal. |
--vacuum-time={period} | Deletes journal entries older than the specified period. Example: --vacuum-time=7d (deletes logs older than 7 days). |
Examples
# ----------------------------------------------- # Checking logs for nginx.service # ----------------------------------------------- # Shows the latest 20 lines of the nginx service logs journalctl -u nginx.service -n 20 # Follows the nginx service logs in real time # Useful right after a deployment or when checking incoming requests journalctl -u nginx.service -f
Run the following command:
$ journalctl -u nginx.service -n 5 Mar 25 08:01:14 kakarot nginx[1423]: 2026/03/25 08:01:14 [notice] 1423#1423: signal process started Mar 25 08:01:14 kakarot systemd[1]: Reloading A high performance web server and a reverse proxy server... Mar 25 08:01:14 kakarot systemd[1]: Reloaded A high performance web server and a reverse proxy server. Mar 25 08:02:35 kakarot nginx[1502]: 192.168.1.10 - - [25/Mar/2026:08:02:35 +0900] "GET / HTTP/1.1" 200 612 Mar 25 08:03:10 kakarot nginx[1502]: 192.168.1.10 - - [25/Mar/2026:08:03:10 +0900] "GET /api/power-level HTTP/1.1" 200 128
Extracting only error logs
# ----------------------------------------------- # Extract errors at priority err or above # ----------------------------------------------- # Shows all error logs from the current boot session journalctl -b -p err # Extracts only errors from the nginx service journalctl -u nginx.service -p err --no-pager # Checks warning-and-above logs for the php-fpm service journalctl -u php-fpm.service -p warning --no-pager
Run the following command:
$ journalctl -u nginx.service -p err --no-pager Mar 25 07:45:02 kakarot nginx[1201]: 2026/03/25 07:45:02 [error] 1201#1201: *3 connect() failed (111: Connection refused) while connecting to upstream Mar 25 07:58:44 kakarot nginx[1201]: 2026/03/25 07:58:44 [error] 1201#1201: *7 open() "/var/www/html/favicon.ico" failed (2: No such file or directory)
Filtering logs by time range
# ----------------------------------------------- # Narrow down by time range with --since / --until # ----------------------------------------------- # Shows logs from 07:00 to 08:00 today journalctl --since "2026-03-25 07:00:00" --until "2026-03-25 08:00:00" # Shows logs from the last 30 minutes journalctl --since "-30min" # Filters nginx errors from the last 30 minutes journalctl -u nginx.service --since "-30min" -p err --no-pager
Run the following command:
$ journalctl --since "2026-03-25 07:00:00" --until "2026-03-25 08:00:00" -u nginx.service --no-pager Mar 25 07:00:05 kakarot systemd[1]: Started A high performance web server and a reverse proxy server. Mar 25 07:00:05 kakarot nginx[987]: 2026/03/25 07:00:05 [notice] 987#987: using the "epoll" event method Mar 25 07:00:05 kakarot nginx[987]: 2026/03/25 07:00:05 [notice] 987#987: nginx/1.24.0 Mar 25 07:45:02 kakarot nginx[1201]: 2026/03/25 07:45:02 [error] 1201#1201: *3 connect() failed (111: Connection refused) while connecting to upstream
Processing logs as JSON with a script
# ----------------------------------------------- # Output logs in JSON format with -o json # ----------------------------------------------- # Outputs the latest 3 entries from the nginx service as JSON # Combine with jq to extract specific fields journalctl -u nginx.service -n 3 -o json --no-pager | jq '._HOSTNAME, .MESSAGE'
Run the following command:
$ journalctl -u nginx.service -n 3 -o json --no-pager | jq '._HOSTNAME, .MESSAGE' "kakarot" "2026/03/25 08:02:35 [notice] 1502#1502: signal process started" "kakarot" "192.168.1.10 - - [25/Mar/2026:08:02:35 +0900] \"GET / HTTP/1.1\" 200 612" "kakarot" "192.168.1.10 - - [25/Mar/2026:08:03:10 +0900] \"GET /api/power-level HTTP/1.1\" 200 128"
Checking journal disk usage and deleting old logs
# ----------------------------------------------- # Managing journal storage # ----------------------------------------------- # Shows the disk space used by the journal journalctl --disk-usage # Deletes journal entries older than 7 days sudo journalctl --vacuum-time=7d # Keeps the journal size at or below 500MB sudo journalctl --vacuum-size=500M
Running these commands produces the following output:
$ journalctl --disk-usage Archived and active journals take up 124.0M in the file system. $ sudo journalctl --vacuum-time=7d Vacuuming done, freed 56.0M of archived journals from /var/log/journal/.
Overview
journalctl is one of the core systemd commands, alongside systemctl. systemd accumulates logs from each service (systemd unit) in a binary-format journal, and journalctl is the interface for reading it. Combining service filtering with -u and error extraction with -p err lets you quickly identify the cause of an incident. Real-time following with -f is also effective for verifying application behavior right after a deployment. If logs grow and start consuming disk space, use --vacuum-time / --vacuum-size to clean them up periodically. You can configure the retention period and size limit permanently by editing /etc/systemd/journald.conf.
If you find any errors or copyright issues, please contact us.
シェアする