Linux - System Logs (journalctl)
Linux systems constantly generate logs that record important events such as service starts, shutdowns, errors, warnings, and system activity. These logs help administrators troubleshoot problems, monitor performance, and investigate failures. On modern Linux distributions that use systemd, logs are managed by the journal and viewed using the journalctl command.
1. What Is journalctl?
journalctl is a command-line tool used to view and manage logs collected by systemd-journald. Unlike the traditional plain-text log files stored in /var/log/, the journal keeps logs in a structured binary format, which allows fast searching, filtering, and categorization.
With journalctl, you can view system startup messages, service logs, kernel messages, user logs, errors, warnings, and almost everything happening on the system.
2. Basic Usage of journalctl
View all logs
journalctl
This displays the complete system log history from the journal database.
Newest entries first
journalctl -r
-r shows logs in reverse order (newest first).
Show logs since the start of today
journalctl --since today
3. Filtering Logs by Time
From today
journalctl --since "today"
Last 1 hour
journalctl --since "1 hour ago"
Between two times
journalctl --since "2024-01-01 10:00" --until "2024-01-01 12:00"
Time filters are extremely helpful when investigating issues during a specific time window.
4. Viewing Logs for a Specific Service
System logs for each service can be checked individually.
Example: check SSH logs
journalctl -u ssh
Check Apache (httpd) logs
journalctl -u httpd
Follow logs in real-time
journalctl -u nginx -f
-f works like tail -f.
5. Viewing Kernel Logs
Kernel messages (similar to dmesg output) can be seen using:
journalctl -k
6. Filtering by Priority (Error Levels)
Log messages have priority levels from 0 (most severe) to 7 (least severe).
| Level | Name | Meaning |
|---|---|---|
| 0 | emerg | System is unusable |
| 1 | alert | Action must be taken |
| 2 | crit | Critical errors |
| 3 | err | Regular errors |
| 4 | warning | Warning messages |
| 5 | notice | Normal but important |
| 6 | info | Informational |
| 7 | debug | Debug messages |
Show errors and anything more severe (levels 0–3)
journalctl -p err
Show warnings and above
journalctl -p warning
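The following is an added example, not part of the original page: it applies the unit and priority filters from sections 4 and 6 to journal entries exported with `journalctl -o json`, and counts failed SSH password attempts per source address. The sample entries are constructed, and the `ssh.service` unit name and OpenSSH-style message text are assumptions.

```python
import json
import re
from collections import Counter

FAILED = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+")

def _line(prio, unit, msg):
    return json.dumps({"PRIORITY": str(prio), "_SYSTEMD_UNIT": unit, "MESSAGE": msg})

# Constructed sample shaped like `journalctl -o json` output: one object per line, string values.
# journald writes a non-UTF-8 MESSAGE as an array of byte values (form shown in the fourth entry).
SAMPLE = "\n".join([
    _line(6, "ssh.service", "Accepted publickey for alice from 192.0.2.10 port 50022 ssh2"),
    _line(6, "ssh.service", "Failed password for root from 203.0.113.7 port 41000 ssh2"),
    _line(6, "ssh.service", "Failed password for invalid user admin from 203.0.113.7 port 41002 ssh2"),
    _line(6, "ssh.service", list(b"Failed password for bob from 198.51.100.4 port 5555 ssh2")),
    _line(3, "ssh.service", "error: maximum authentication attempts exceeded for root [preauth]"),
    _line(3, "nginx.service", "connect() failed (111: Connection refused)"),
    "truncated {",  # malformed line, e.g. a cut-off export
])

def parse(text):
    """Return journal entries as dicts, skipping blank or malformed lines."""
    entries = []
    for line in text.splitlines():
        try:
            entries.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return [e for e in entries if isinstance(e, dict)]

def message(entry):
    msg = entry.get("MESSAGE")
    if isinstance(msg, list):  # byte-array form
        return bytes(msg).decode("utf-8", "replace")
    return msg if isinstance(msg, str) else ""

def at_least(entries, level):
    """Mirror `journalctl -p LEVEL`: keep that level and anything more severe."""
    return [e for e in entries
            if str(e.get("PRIORITY", "")).isdigit() and int(e["PRIORITY"]) <= level]

def failed_logins(entries, unit="ssh.service"):
    """Count 'Failed password' messages per source address for one unit."""
    hits = (FAILED.search(message(e)) for e in entries if e.get("_SYSTEMD_UNIT") == unit)
    return Counter(m.group(1) for m in hits if m)

if __name__ == "__main__":
    print(failed_logins(parse(SAMPLE)), failed_logins(at_least(parse(SAMPLE), 3)))
```

In this sample the failed-password lines sit at priority 6 (info), so the `-p err` view contains none of them: a priority filter narrows by severity, not by security relevance.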
7. Viewing Logs for a Specific User
journalctl _UID=1000
Useful for debugging user-related issues.
8. Limiting Output
Show only the last 50 logs
journalctl -n 50
Continuous stream (real-time logs)
journalctl -f
9. Persistent Logging
By default, systemd-journald may store logs only in memory.
To enable persistent logs across reboots:
sudo mkdir -p /var/log/journal
sudo systemctl restart systemd-journald
Why Is journalctl Important?
journalctl helps you:
- Troubleshoot service failures
- Investigate system crashes
- Monitor performance issues
- Analyze boot messages
- Track security incidents
- Debug application logs
It centralizes all logs in one place, making analysis faster and more powerful compared to traditional logging systems.
In Summary
- journalctl is the main command for viewing systemd logs.
- It allows filtering logs by service, time, priority, user, and more.
- It provides real-time monitoring and detailed system insights.
- Essential tool for system administrators, DevOps, and Linux engineers.
Mastering journalctl helps you diagnose issues quickly and maintain a healthy Linux system.