The Linux journalctl command: reading system logs with systemd

Introduction to journalctl

journalctl is the command-line tool that allows you to read and manipulate the system journal managed by systemd. Instead of reviewing log files scattered across /var/log, journalctl centralizes all information in a single journal, which makes problem diagnosis and performance monitoring easier.

Basic syntax

The command is invoked simply as journalctl. With no arguments, it shows all journal entries from the oldest to the most recent, paged through less. It can be combined with options such as -n to limit the number of lines or -f to follow the log in real time, similar to tail -f.

Filtering by time

One of the advantages of journalctl is its ability to filter entries by time range. The options --since and --until can be used, followed by date and time expressions, for example:

  • journalctl --since "2025-09-01 00:00:00"
  • journalctl --until "1 hour ago"
  • journalctl --since yesterday

These expressions support formats such as "YYYY-MM-DD HH:MM:SS", "now", "yesterday", "2 days ago", etc., which makes it possible to quickly isolate relevant events.

Filtering by unit

To restrict the output to a specific systemd unit (service, socket, timer, etc.), use the -u option followed by the name of the unit. For example:

  • journalctl -u ssh.service
  • journalctl -u cron.timer

It is also possible to combine several -u options to see multiple units simultaneously.

Output in different formats

journalctl can present the information in several formats in addition to the default readable one. With the -o option you can specify:

  • short: the default readable format.
  • short-iso: includes timestamps in ISO 8601 format.
  • json: each entry as a JSON object, ideal for later processing.
  • json-pretty: JSON with indentation for human reading.
  • cat: shows only the message, without metadata.

This facilitates integration with analysis tools or automation scripts.

Journal persistence and storage

By default, systemd stores the journal in /run/log/journal (volatile), or in /var/log/journal if that directory exists and has appropriate permissions. Once the directory /var/log/journal has been created and systemd-journald restarted, the journal becomes persistent across reboots, which allows logs to be kept for long-term audits.

Cleaning and retention

The maximum journal size is controlled with the parameters SystemMaxUse, SystemKeepFree and SystemMaxFileSize in /etc/systemd/journald.conf. For example, to limit use to 1 GB and keep at least 200 MB free:

  • SystemMaxUse=1G
  • SystemKeepFree=200M

Changes are applied by restarting the service: sudo systemctl restart systemd-journald. In addition, the journalctl options --vacuum-size and --vacuum-time remove old entries directly from the command line.

Performance tips

When working with very large journals, it is recommended to apply filters early (such as -u or -p) to reduce the amount of data that journalctl must read. Also, combining --no-pager with redirection to a file facilitates further processing with tools such as grep, awk, or jq when using JSON format.
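As an added example (not part of the original article), the following Python script processes the output of journalctl -u ssh.service -o json --no-pager and counts failed SSH password attempts per source address. It handles the case where journalctl emits MESSAGE as an array of byte values because the text is not valid UTF-8; the sample entries, addresses and function names are constructed for illustration.

```python
import json
import re
import sys
from collections import Counter
from datetime import datetime, timezone

FAILED = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+")

def message_text(entry):
    """Return MESSAGE as text; journalctl emits non-UTF-8 messages as int arrays."""
    msg = entry.get("MESSAGE")
    if isinstance(msg, list) and all(isinstance(b, int) for b in msg):
        return bytes(msg).decode("utf-8", errors="replace")
    return msg if isinstance(msg, str) else ""  # null means the field was too large

def failed_logins(lines, unit="ssh.service"):
    """Count failed SSH password attempts per source, with first-seen time (UTC)."""
    counts, first_seen = Counter(), {}
    for line in lines:  # journalctl prints oldest entries first by default
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or truncated line
        if not isinstance(entry, dict) or entry.get("_SYSTEMD_UNIT") != unit:
            continue
        match = FAILED.search(message_text(entry))
        if match:
            src = match.group(1)
            counts[src] += 1
            micros = int(entry["__REALTIME_TIMESTAMP"])  # microseconds since epoch
            first_seen.setdefault(src, datetime.fromtimestamp(micros / 1e6, tz=timezone.utc))
    return counts, first_seen

def _line(micros, msg, unit="ssh.service"):
    return json.dumps({"__REALTIME_TIMESTAMP": str(micros), "_SYSTEMD_UNIT": unit, "MESSAGE": msg})

# Constructed sample entries (documentation addresses), not real logs.
SAMPLE = [
    _line(1756684800000000, "Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2"),
    _line(1756684805000000, "Failed password for root from 203.0.113.7 port 51130 ssh2"),
    _line(1756684810000000, "Accepted publickey for deploy from 198.51.100.20 port 40110 ssh2"),
    _line(1756684815000000, list(b"Failed password for root from 198.51.100.99 port 4022 ssh2 \xff")),
    _line(1756684820000000, "Failed password for root from 192.0.2.1 port 22 ssh2", unit="cron.service"),
    "{truncated",
]

if __name__ == "__main__":
    lines = SAMPLE if sys.stdin.isatty() else sys.stdin
    counts, first_seen = failed_logins(lines)
    for src, n in counts.most_common():
        print(f"{src}\t{n}\tfirst seen {first_seen[src].isoformat()}")
```

Run without piped input, the script reads the constructed sample; when journalctl output is piped in, it reads standard input instead.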

Combining options and practical examples

The real power of journalctl lies in combining filters. For example, to see the nginx service errors in the last 24 hours in JSON format:

journalctl -u nginx.service --since "24 hours ago" -p err -o json

Or to follow kernel events at alert level or higher in real time:

journalctl -k -f -p alert..emerg

These combinations allow administrators to create custom commands that meet their monitoring and debugging needs.

Conclusion

Mastering journalctl is essential for any Linux administrator who works with systemd. Its flexibility in filtering, output format and time selection makes it the preferred tool for accessing system logs quickly and efficiently.

This work is licensed under a Creative Commons Attribution 4.0 International License by Francesc Roig (francesc@vivaldi.net).
