The Ultimate journalctl Command Reference on RHEL

journalctl Command Guide — The Complete Reference for Linux System Logs

On modern Linux systems using systemd, traditional text log files such as
/var/log/messages or /var/log/syslog are no longer the primary source of truth.
Instead, logs are collected, indexed, and queried using the systemd journal.

The journalctl command is the primary interface for reading and querying these logs.
This guide is a one-stop reference covering how journalctl works, its most useful options,
common troubleshooting patterns, and best practices for production servers.


What Is journalctl?

journalctl is a command-line utility used to query and display logs stored in the
systemd journal. Unlike plain text log files, the journal:

  • Stores logs in a structured, indexed format
  • Includes rich metadata (service, PID, UID, boot ID, hostname)
  • Allows powerful filtering and time-based queries
  • Supports persistent and volatile logging

The journal collects logs from:

  • systemd services
  • Kernel messages
  • Applications using stdout / stderr
  • Syslog forwarders

Basic journalctl Usage

View all logs

journalctl

Displays all available journal entries, starting from the oldest.
Use paging (less) to navigate.

View logs for the current boot

journalctl -b

This is one of the most commonly used options when debugging recent issues.

View logs from the previous boot

journalctl -b -1

Time-Based Filtering

Logs since a specific time

journalctl --since "2026-01-25 10:00:00"

Logs until a specific time

journalctl --until "2026-01-25 12:00:00"

Relative time examples


journalctl --since "1 hour ago"
journalctl --since "yesterday"
journalctl --since "2026-01-25"

Short option

journalctl -S "1 hour ago"

-S is the short form of --since.


Filtering by Service (Unit)

Logs for a specific systemd service

journalctl -u nginx

Follow logs for a service (like tail -f)

journalctl -u php-fpm -f

Logs for multiple services


journalctl -u nginx -u php-fpm

Kernel Logs

View kernel messages

journalctl -k

Kernel messages for current boot

journalctl -k -b

Useful for diagnosing hardware issues, kernel panics, or driver failures.


Output Formats

Default output

journalctl

Short, concise output

journalctl -o short

Verbose output with metadata

journalctl -o verbose

JSON output (machine-readable)


journalctl -o json
journalctl -o json-pretty

JSON output is ideal for automation, parsing, or forwarding logs to other systems.
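
Consuming that JSON safely takes some care, shown here as an added example (not code from the original article): journalctl serialises non-UTF-8 fields as arrays of byte values and oversized fields as null, and only underscore-prefixed fields such as _SYSTEMD_UNIT are set by journald itself, while SYSLOG_IDENTIFIER and MESSAGE come from the logging process. The sample entries and the function names field_text and select are constructed for illustration.

```python
import json

# Constructed sample of `journalctl -o json` output: one JSON object per line.
SAMPLE = "\n".join([
    '{"PRIORITY":"3","_SYSTEMD_UNIT":"nginx.service","_PID":"1201","SYSLOG_IDENTIFIER":"nginx","MESSAGE":"bind() to 0.0.0.0:80 failed"}',
    '{"PRIORITY":"6","_SYSTEMD_UNIT":"nginx.service","_PID":"1201","SYSLOG_IDENTIFIER":"nginx","MESSAGE":"worker started"}',
    # Non-UTF-8 message: emitted as an array of unsigned byte values.
    '{"PRIORITY":"2","_SYSTEMD_UNIT":"php-fpm.service","_PID":"1377","SYSLOG_IDENTIFIER":"php-fpm","MESSAGE":[99,114,97,115,104,255]}',
    # Client-chosen SYSLOG_IDENTIFIER says "nginx", but journald recorded another unit.
    '{"PRIORITY":"3","_SYSTEMD_UNIT":"user@1000.service","_PID":"4410","SYSLOG_IDENTIFIER":"nginx","MESSAGE":"fake error"}',
    # Field larger than 4096 bytes: emitted as null unless --all is passed.
    '{"PRIORITY":"3","_SYSTEMD_UNIT":"nginx.service","_PID":"1201","MESSAGE":null}',
])

def field_text(value):
    """Turn one journal field into text, whatever shape the JSON gave it."""
    if value is None:
        return "<field omitted: too large>"
    if isinstance(value, list):
        if all(isinstance(v, int) for v in value):      # raw bytes
            return bytes(value).decode("utf-8", errors="replace")
        return " | ".join(field_text(v) for v in value)  # field set more than once
    return str(value)

def select(lines, units, max_priority=3):
    """Return (unit, priority, message) for entries from `units` at
    max_priority or more severe, matching on the trusted _SYSTEMD_UNIT."""
    hits = []
    for line in lines.splitlines():
        try:
            entry = json.loads(line)
        except ValueError:
            continue                      # blank or truncated line
        if not isinstance(entry, dict):
            continue
        unit = entry.get("_SYSTEMD_UNIT")
        try:
            prio = int(entry.get("PRIORITY"))
        except (TypeError, ValueError):
            continue                      # no usable PRIORITY field
        if isinstance(unit, str) and unit in units and prio <= max_priority:
            hits.append((unit, prio, field_text(entry.get("MESSAGE"))))
    return hits

if __name__ == "__main__":
    for hit in select(SAMPLE, {"nginx.service", "php-fpm.service"}):
        print(hit)
```
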


Priority and Severity Levels

journalctl supports standard syslog priority levels:

  • 0 — Emergency
  • 1 — Alert
  • 2 — Critical
  • 3 — Error
  • 4 — Warning
  • 5 — Notice
  • 6 — Info
  • 7 — Debug

Show errors and anything more severe (levels 0 to 3)

journalctl -p err

Show warnings and anything more severe (levels 0 to 4)

journalctl -p warning

Priority range

journalctl -p err..alert

Following Logs in Real Time

Live log stream

journalctl -f

Follow logs for a specific service

journalctl -u mysql -f

This behaves similarly to tail -f, but with structured filtering.


Disk Usage and Log Size

Check journal disk usage

journalctl --disk-usage

Shrink the journal to a target size

journalctl --vacuum-size=500M

Remove logs older than a time period

journalctl --vacuum-time=7d

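These commands help manage disk space on VPS and production servers.
Both are one-time clean-ups that permanently delete archived journal files, so export anything
needed for an investigation first. A standing size limit is set with SystemMaxUse= in
/etc/systemd/journald.conf.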


Persistent vs Volatile Journals

By default, some systems store logs only in memory.
To enable persistent logging:


mkdir -p /var/log/journal
systemctl restart systemd-journald

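With Storage=auto (the default in journald.conf), journald writes to /var/log/journal
once the directory exists, so logs survive reboots.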


Common Troubleshooting Examples

Why did a service fail to start?

journalctl -u nginx -b

Investigate a crash after reboot

journalctl -b -1

Find errors in the last 10 minutes

journalctl -p err --since "10 minutes ago"

Debug PHP-FPM issues

journalctl -u php-fpm -f

Best Practices for Production Servers

  • Use -b when troubleshooting recent issues
  • Combine -u, -p, and --since for focused queries
  • Enable persistent journaling on VPS and production systems
  • Regularly monitor journal disk usage
  • Avoid piping raw journal output into scripts without filtering

Quick Command Cheat Sheet


journalctl
journalctl -b
journalctl -b -1
journalctl -u nginx
journalctl -u php-fpm -f
journalctl -k
journalctl -p err
journalctl -S "1 hour ago"
journalctl --disk-usage
journalctl --vacuum-size=500M

Final Thoughts

journalctl replaces years of fragmented logging practices with a powerful,
structured, and queryable system. Once you understand its filtering options and output formats,
it becomes one of the most valuable tools for Linux system administration.

For anyone running VPS or production workloads, mastering journalctl is not optional —
it is essential.
