The journalctl command can be used to view all of the logs collected by systemd on a Linux system. This includes logs related to the system’s kernel, initrd, various services and applications, as well as systemd itself. The journalctl command makes querying all of these logs pretty painless, since systemd gathers and stores all these various logs in a central location for administrators to view.
In this tutorial, you will see how to use the journalctl command on Linux. This will include frequently used options, as well as information about how to interpret system logs, since they can be rather cryptic to the uninitiated. Check some of the examples below to grasp the command, and try out some of the command options on your own system while you follow along.
In this tutorial you will learn:
- How to use the journalctl command on Linux
- How to view logged errors with journalctl
- How to view previous boot logs
- Frequently used options for the journalctl command
|Category||Requirements, Conventions or Software Version Used|
|System||Any Linux distro|
|Other||Privileged access to your Linux system as root or via the
# – requires given linux commands to be executed with root privileges either directly as a root user or by use of
$ – requires given linux commands to be executed as a regular non-privileged user
Frequently Used Options
journalctl command in Linux Basic Examples
- The most basic way to use
journalctlis with no further options. This will show you everything that has been logged, which will definitely be an overwhelming amount of data if your system has been powered on for any amount of time. It is not uncommon for the log entries to number into the millions.
Check the screenshot below to see the general format for the logs. The output will get piped to
lessautomatically. Use the
Enterkey to scroll line by line, or
Spaceto scroll page by page. To exit the log output, press
qon your keyboard.
- The logs are stored separately for each boot, which makes it easy to isolate certain logs if you are trying to pinpoint an error that occurred before a recent reboot. Use the
--list-bootsoption to see list of all the logs from previous boots.
$ journalctl --list-boots
The screenshot below shows that
journalctlcan access the logs from the past 15 boots of our system. Our current boot is indicated with number 0, and our previous boot is number 1.
- To view the logs from the previous system boot, we can use option
-b(boot) and the number
-1. Specify a different number if you want to view the logs for an even older boot.
$ journalctl -b -1
- You can also use the boot ID to view the logs of a previous boot. This alphanumeric string will not change, unlike the sequential numbers which continue to increment after each boot.
$ journalctl -b d1389cc42a75447dba69c0b7f74cc0e9
--untiloptions can be used to help you isolate relevant logs that were logged during a certain timeframe. For example, to see all of the logs since yesterday:
$ journalctl --since yesterday
- You can also use the options in conjunction with each other.
$ journalctl --since yesterday --until "2 hours ago"
- Use the
YYYY-MM-DD HH:MM:SSdate format with these two options if you want to isolate log entries for a very particular timeframe.
$ journalctl --since 2022-10-03 01:00:00 --until 2022-10-04 14:30:00
This can be useful if you know for sure that an error or relevant event occurred somewhere during this time, and need to pinpoint when exactly it happened or see what data was logged when it did.
- To see entries that have been logged for a particular system service, use the
-uflag. For example, to see all entries logged by Apache:
$ journalctl -u apache2.service
- To see some of the most recent entries, we can use the
-noption. By default, this will show you the last 10 log entries.
$ journalctl -n
- To see the last 100 entries, use the
-nflag again but specify the number after it.
$ journalctl -n 100
You could also pipe the output to the
tailcommand. To see the last 100 entries of
$ journalctl | tail -100
You can always use the man command to read more about the journalctl command and its official documentation. Click the previous link to see how to open the manual pages for any command on a Linux system.
The journalctl command is pretty simple, but as you’ve observed throughout the examples section of this article, it comes packed with a lot of options. Many of these options fly under the radar, and even some seasoned system administrators may not know them. However, they can definitely come in handy in various situations. In this section of the tutorial, we’ll show you a few of the lesser known options of the journalctl command that we think are useful.
journalctl command in Linux Advanced Examples
- To see only kernel related messages, use the
$ journalctl -k
- Since there are so many log entries, it can be helpful to only see those of a certain priority. The highest priority is level 0, and the lowest is level 7. The log levels are as follows:
0: emergency 1: alert 2: critical 3: error 4: warning 5: notice 6: info 7: debug
-poption to see logs of a certain level, plus any above it in priority. In this example, we will go with level 3, which is any entry marked as an error, critical, alert, or emergency.
$ journalctl -p 3
- To get the output in JSON format, which can make it easier to parse in certain programs, use the
-ooption as follows:
$ journalctl -o json
$ journalctl -o json-pretty
- To see all of the logs as they are being produced, use the
-foption. This works exactly like the
-foption does for the
$ journalctl -f
- To see how much disk space all your log files are consuming:
$ journalctl --disk-usage
In this tutorial, we learned all about the journalctl command on Linux. The journalctl command is essential to master for users and administrators who need to troubleshoot system errors or monitor logs for anomalies. For further reading, check out our other tutorial on Introduction to the Systemd journal.