journalctl command usage and examples on Linux

The journalctl command can be used to view all of the logs collected by systemd on a Linux system. This includes logs related to the system’s kernel, initrd, various services and applications, as well as systemd itself. The journalctl command makes querying all of these logs pretty painless, since systemd gathers and stores all these various logs in a central location for administrators to view.

In this tutorial, you will see how to use the journalctl command on Linux. This will include frequently used options, as well as information about how to interpret system logs, since they can be rather cryptic to the uninitiated. Check some of the examples below to grasp the command, and try out some of the command options on your own system while you follow along.

In this tutorial you will learn:

  • How to use the journalctl command on Linux
  • How to view logged errors with journalctl
  • How to view previous boot logs
  • Frequently used options for the journalctl command
journalctl command usage and examples on Linux
journalctl command usage and examples on Linux
Software Requirements and Linux Command Line Conventions
Category Requirements, Conventions or Software Version Used
System Any Linux distro
Software journalctl
Other Privileged access to your Linux system as root or via the sudo command.
Conventions # – requires given linux commands to be executed with root privileges either directly as a root user or by use of sudo command
$ – requires given linux commands to be executed as a regular non-privileged user

Frequently Used Options

journalctl command in Linux Basic Examples

  1. The most basic way to use journalctl is with no further options. This will show you everything that has been logged, which will definitely be an overwhelming amount of data if your system has been powered on for any amount of time. It is not uncommon for the log entries to number into the millions.
    $ journalctl

    Check the screenshot below to see the general format for the logs. The output will get piped to less automatically. Use the Enter key to scroll line by line, or Space to scroll page by page. To exit the log output, press q on your keyboard.

    Running the journalctl command on Linux
    Running the journalctl command on Linux
  2. The logs are stored separately for each boot, which makes it easy to isolate certain logs if you are trying to pinpoint an error that occurred before a recent reboot. Use the --list-boots option to see list of all the logs from previous boots.
    $ journalctl --list-boots

    The screenshot below shows that journalctl can access the logs from the past 15 boots of our system. Our current boot is indicated with number 0, and our previous boot is number 1.

    Viewing the past boot logs with journalctl
    Viewing the past boot logs with journalctl
  3. To view the logs from the previous system boot, we can use option -b (boot) and the number -1. Specify a different number if you want to view the logs for an even older boot.
    $ journalctl -b -1
  4. You can also use the boot ID to view the logs of a previous boot. This alphanumeric string will not change, unlike the sequential numbers which continue to increment after each boot.
    $ journalctl -b d1389cc42a75447dba69c0b7f74cc0e9
  5. The --since and --until options can be used to help you isolate relevant logs that were logged during a certain timeframe. For example, to see all of the logs since yesterday:
    $ journalctl --since yesterday
  6. You can also use the options in conjunction with each other.
    $ journalctl --since yesterday --until "2 hours ago"

  7. Use the YYYY-MM-DD HH:MM:SS date format with these two options if you want to isolate log entries for a very particular timeframe.
    $ journalctl --since 2022-10-03 01:00:00 --until 2022-10-04 14:30:00

    This can be useful if you know for sure that an error or relevant event occurred somewhere during this time, and need to pinpoint when exactly it happened or see what data was logged when it did.

  8. To see entries that have been logged for a particular system service, use the -u flag. For example, to see all entries logged by Apache:
    $ journalctl -u apache2.service
  9. To see some of the most recent entries, we can use the -n option. By default, this will show you the last 10 log entries.
    $ journalctl -n
  10. To see the last 100 entries, use the -n flag again but specify the number after it.
    $ journalctl -n 100

    You could also pipe the output to the tail command. To see the last 100 entries of journalctl:

    $ journalctl | tail -100
You can always use the man command to read more about the journalctl command and its official documentation. Click the previous link to see how to open the manual pages for any command on a Linux system.

Advanced Usage

The journalctl command is pretty simple, but as you’ve observed throughout the examples section of this article, it comes packed with a lot of options. Many of these options fly under the radar, and even some seasoned system administrators may not know them. However, they can definitely come in handy in various situations. In this section of the tutorial, we’ll show you a few of the lesser known options of the journalctl command that we think are useful.

journalctl command in Linux Advanced Examples

  1. To see only kernel related messages, use the -k option.
    $ journalctl -k
  2. Since there are so many log entries, it can be helpful to only see those of a certain priority. The highest priority is level 0, and the lowest is level 7. The log levels are as follows:
    0: emergency
    1: alert
    2: critical
    3: error
    4: warning
    5: notice
    6: info
    7: debug

    Use the -p option to see logs of a certain level, plus any above it in priority. In this example, we will go with level 3, which is any entry marked as an error, critical, alert, or emergency.

    $ journalctl -p 3
  3. To get the output in JSON format, which can make it easier to parse in certain programs, use the -o option as follows:
    $ journalctl -o json


    $ journalctl -o json-pretty
  4. To see all of the logs as they are being produced, use the -f option. This works exactly like the -f option does for the tail command.
    $ journalctl -f
  5. To see how much disk space all your log files are consuming:
    $ journalctl --disk-usage

Closing Thoughts

In this tutorial, we learned all about the journalctl command on Linux. The journalctl command is essential to master for users and administrators who need to troubleshoot system errors or monitor logs for anomalies. For further reading, check out our other tutorial on Introduction to the Systemd journal.