Introduction to journalctl
journalctl is the command-line tool for reading and managing the system journal maintained by systemd (specifically by the systemd-journald service). Instead of reviewing scattered log files in /var/log, journalctl centralizes all information in a single journal, which makes problem diagnosis and performance monitoring easier.
Basic Syntax
The command is invoked simply as journalctl. Without arguments, it shows all journal entries from the oldest to the most recent, paginated via less. It can be combined with options such as -n to limit the number of lines or -f to follow the stream in real time, analogous to tail -f.
Time Filtering
One of the advantages of journalctl is its ability to filter entries according to time ranges. You can use the options --since and --until followed by date and time expressions, for example:
journalctl --since "2025-09-01 00:00:00"
journalctl --until "1 hour ago"
journalctl --since yesterday
These expressions accept formats such as “YYYY-MM-DD HH:MM:SS”, “now”, “yesterday”, “2 days ago”, etc., allowing you to quickly isolate relevant events.
Unit Filtering
To focus the output on a specific systemd unit (service, socket, timer, etc.), use the option -u followed by the unit name. For example:
journalctl -u ssh.service
journalctl -u cron.timer
It is also possible to combine several -u options to view multiple units simultaneously.
Output in Different Formats
journalctl can present information in several formats besides the default readable one. With the -o option you can specify:
- short: default readable format.
- short-iso: includes timestamps in ISO 8601 format.
- json: each entry as a JSON object, ideal for later processing.
- json-pretty: JSON with indentation for human readability.
- cat: shows only the message, without metadata.
This facilitates integration with log analysis tools or automation scripts.
Persistence and Storage of the Journal
By default (Storage=auto in journald.conf), systemd stores the journal in /run/log/journal (volatile, lost on reboot) or in /var/log/journal if that directory exists and has appropriate permissions. By creating the directory /var/log/journal and restarting systemd-journald, the journal becomes persistent across reboots, allowing logs to be retained for long-term auditing.
Cleanup and Retention
The maximum journal size is controlled by the parameters SystemMaxUse, SystemKeepFree, and SystemMaxFileSize in /etc/systemd/journald.conf. For example, to limit usage to 1 GB and keep at least 200 MB free:
- SystemMaxUse=1G
- SystemKeepFree=200M
Changes are applied by restarting the service: sudo systemctl restart systemd-journald. Additionally, the --vacuum-size and --vacuum-time options of journalctl allow removing old entries directly from the command line, for example journalctl --vacuum-size=500M or journalctl --vacuum-time=30d.
Performance Tips
When working with very large journals, it is advisable to apply filters early (such as -u for a unit or -p for a priority level) to reduce the amount of data journalctl must read. Likewise, combining --no-pager with redirection to a file facilitates later processing with tools like grep, awk, or, when using the JSON output format, jq.
Combining Options and Practical Examples
The true power of journalctl lies in combining filters. For example, to view nginx service errors from the last 24 hours in JSON format:
journalctl -u nginx.service --since "24 hours ago" -p err -o json
Or to follow kernel events in real time with alert level or higher:
journalctl -k -f -p alert..emerg
These combinations allow administrators to create custom commands tailored to their monitoring and debugging needs.
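As an added example (not part of the original post), the following Python script shows the kind of post-processing the JSON output format enables: it parses `journalctl -o json --no-pager` output line by line, reimplements the -u, -p and --since filters over the parsed entries, and rolls up counts per unit and priority. The journal lines are constructed sample data embedded inline; the field names (__REALTIME_TIMESTAMP, PRIORITY, _SYSTEMD_UNIT, MESSAGE) are the ones journald actually emits.

```python
import json
from datetime import datetime, timezone

# Syslog priority numbers as journald stores them in the PRIORITY field.
# "-p err" keeps 0..3 and "-p alert..emerg" keeps 0..1 (lower number = more severe).
PRIORITY_NAMES = {0: "emerg", 1: "alert", 2: "crit", 3: "err",
                  4: "warning", 5: "notice", 6: "info", 7: "debug"}

# Constructed sample of `journalctl -o json --no-pager` output: one JSON object
# per line, timestamps in microseconds since the epoch (2025-09-01 00:00 UTC onward).
SAMPLE_JOURNAL = """\
{"__REALTIME_TIMESTAMP":"1756684800000000","PRIORITY":"3","_SYSTEMD_UNIT":"nginx.service","MESSAGE":"upstream timed out"}
{"__REALTIME_TIMESTAMP":"1756684860000000","PRIORITY":"6","_SYSTEMD_UNIT":"nginx.service","MESSAGE":"worker started"}
{"__REALTIME_TIMESTAMP":"1756684920000000","PRIORITY":"1","_SYSTEMD_UNIT":"ssh.service","MESSAGE":"Too many authentication failures"}
{"__REALTIME_TIMESTAMP":"1756684980000000","PRIORITY":"3","_SYSTEMD_UNIT":"ssh.service","MESSAGE":"Failed password for invalid user"}
"""


def parse_journal(text):
    """Parse `journalctl -o json` output: one JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def entry_time(entry):
    """Convert the microsecond __REALTIME_TIMESTAMP field to an aware UTC datetime."""
    return datetime.fromtimestamp(int(entry["__REALTIME_TIMESTAMP"]) / 1_000_000,
                                  tz=timezone.utc)


def filter_entries(entries, unit=None, max_priority=7, since=None):
    """Mimic -u UNIT, -p LEVEL and --since over parsed entries.

    max_priority is the numeric level: 3 behaves like "-p err", 1 like "-p alert".
    """
    kept = []
    for e in entries:
        if unit is not None and e.get("_SYSTEMD_UNIT") != unit:
            continue
        if int(e.get("PRIORITY", 7)) > max_priority:
            continue
        if since is not None and entry_time(e) < since:
            continue
        kept.append(e)
    return kept


def summarize(entries):
    """Count entries per (unit, priority name); a roll-up suitable for a dashboard."""
    counts = {}
    for e in entries:
        key = (e.get("_SYSTEMD_UNIT", "?"), PRIORITY_NAMES[int(e["PRIORITY"])])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    entries = parse_journal(SAMPLE_JOURNAL)
    for e in filter_entries(entries, max_priority=3):  # same selection as "-p err"
        print(entry_time(e).isoformat(), e["_SYSTEMD_UNIT"], e["MESSAGE"])
    print(summarize(entries))
```

On a real system, replace SAMPLE_JOURNAL with the contents of a file produced by journalctl -o json --no-pager > journal.json, taking care that the file is readable only by the accounts that should see the logs.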
Conclusion
Mastering journalctl is essential for any Linux administrator working with systemd. Its flexibility in filtering, format, and time makes it the preferred tool for accessing system logs quickly and efficiently.