How to Use journalctl to Read and Filter System Logs in Linux

August 13, 2025

Cheap Linux Server

➥

Introduction

System logs are essential for diagnosing issues, auditing activity, and monitoring system health on Linux. The journalctl command, part of systemd, provides a powerful and flexible way to access these logs. Unlike older tools like syslog, journalctl can filter logs by service, time, priority, boot, and more — making it a modern go-to for log management.

Basic Usage of `journalctl`

To display all logs:

journalctl

This command lists logs in chronological order, starting from the oldest. You can scroll through the output or use a pager like less.

Real-Time Log Monitoring

To monitor logs in real time (like tail -f):

journalctl -f

This is useful when you’re troubleshooting a service or tracking changes live.

Filtering by Time

Show logs from the last boot:

journalctl -b

Specify a date/time range:
Specify a date time range

journalctl --since "2025-07-01 10:00" --until "2025-07-01 12:00"

Or use relative times:

journalctl --since "1 hour ago"

Filtering by Service or Unit

Check logs for a specific service:

journalctl -u nginx.service

Combine with -f for live output:

journalctl -u sshd -f

You can also view failed units:

systemctl --failed

Filtering by Priority

View only errors and critical logs:

journalctl -p err

Show warnings and higher:

journalctl -p warning

Priority levels range from 0 (emergency) to 7 (debug).

Filtering by User or PID

Show logs for a specific user:

journalctl _UID=1000

Show logs from a specific process:

journalctl _PID=1234

Persistent Logs

By default, logs might be stored only in memory. To enable persistent logs:

sudo mkdir -p /var/log/journal
sudo systemd-tmpfiles --create --prefix /var/log/journal
sudo systemctl restart systemd-journald

Exporting Logs

Save logs to a text file:

journalctl > logs.txt

Save logs from a specific unit:

journalctl -u apache2 > apache-logs.txt

Conclusion

journalctl is a powerful tool every Linux user and admin should master. With options to filter by time, service, priority, and user, it provides precise control over log access and analysis. Whether you’re debugging an issue or setting up monitoring, journalctl makes your job easier.

How to Use journalctl to Read and Filter System Logs in Linux (F.A.Q)

How do I clear journalctl logs?

Use sudo journalctl --vacuum-time=7d to keep only the last 7 days of logs.

How can I limit log size?

Edit /etc/systemd/journald.conf and set SystemMaxUse to limit log space usage.

What’s the difference between -u and _SYSTEMD_UNIT?

-u is a user-friendly shortcut for filtering by _SYSTEMD_UNIT.

Can I combine filters in journalctl?

Yes, you can combine multiple options like -u with --since, -p, etc.

Patch and Update Windows Server Safely

by Saju | Sep 9, 2025 | RDP Fix

How to Patch and Update Windows Server Safely Keeping your Windows Server environment secure and stable is a top priority for any IT administrator. Regular patching and updates are essential to protect against vulnerabilities, improve performance, and maintain...

How to Monitor Server Performance with Performance Monitor

by Saju | Sep 8, 2025 | RDP Fix

How to Monitor Server Performance with Performance Monitor Keeping your servers healthy is crucial for ensuring smooth business operations. Windows Server comes with a powerful built-in tool called Performance Monitor (PerfMon), which allows administrators to track...

0 Comments