journalctl
Systemd journal querying, filtering by unit/priority/time, and log maintenance operations.
Basic Usage
Show all journal entries (newest last)
journalctlShow most recent entries first — reverse chronological
journalctl -rShow last 50 lines
journalctl -n 50Follow in real-time — like tail -f for the journal
journalctl -fNo pager — output straight to stdout for piping
journalctl --no-pager | awk '/error/i'Filtering by Unit
Show logs for a specific service
journalctl -u sshd.serviceFollow a service’s logs in real-time
journalctl -u nginx.service -fMultiple units — combine with separate -u flags
journalctl -u sshd.service -u nginx.serviceFiltering by Priority
Show only errors and above — cuts through the noise
journalctl -p errPriority levels (0-7, lower = more severe)
0 emerg System is unusable 1 alert Immediate action required 2 crit Critical conditions 3 err Error conditions 4 warning Warning conditions 5 notice Normal but significant 6 info Informational 7 debug Debug-level messages
Show warnings and above for a specific service
journalctl -u nginx.service -p warningPriority range — show only err through crit
journalctl -p crit..errFiltering by Time
Since a specific time
journalctl --since "2026-04-10 08:00:00"Since and until — bounded time window
journalctl --since "2026-04-09 22:00" --until "2026-04-10 06:00"Relative time — last hour, last 30 minutes
journalctl --since "1 hour ago"
journalctl --since "30 min ago"Today’s logs only
journalctl --since todayYesterday’s logs
journalctl --since yesterday --until todayBoot Filtering
Show logs from current boot
journalctl -bShow logs from previous boot — critical for diagnosing crash/reboot
journalctl -b -1List all recorded boots
journalctl --list-bootsOutput
-2 abc123... Thu 2026-04-08 08:15:00 PDT—Thu 2026-04-08 23:59:59 PDT -1 def456... Fri 2026-04-09 08:00:00 PDT—Fri 2026-04-09 23:59:59 PDT 0 ghi789... Sat 2026-04-10 07:45:00 PDT—Sat 2026-04-10 10:30:00 PDT
| Previous boot logs require persistent journal storage. See the Storage section below. |
Kernel Messages
Show kernel messages — equivalent to dmesg but with journal features
journalctl -kKernel messages from current boot only
journalctl -k -bFollow kernel messages — watch for hardware events
journalctl -k -fOutput Formats
JSON output — for parsing with jq
journalctl -u sshd -n 5 -o json-prettyShort output with microsecond timestamps
journalctl -o short-preciseVerbose — all metadata fields
journalctl -u sshd -n 1 -o verboseAvailable output formats
short Default, syslog-like short-precise Microsecond timestamps short-iso ISO 8601 timestamps json One JSON object per line json-pretty Human-readable JSON verbose All fields, one per line cat Message text only, no metadata
Storage & Maintenance
Check journal disk usage
journalctl --disk-usageShrink journal to a maximum size
sudo journalctl --vacuum-size=500MRemove journal entries older than 2 weeks
sudo journalctl --vacuum-time=2weeksEnable persistent journal storage — survives reboot
sudo mkdir -p /var/log/journal
sudo systemd-tmpfiles --create --prefix /var/log/journal
sudo systemctl restart systemd-journaldWithout /var/log/journal/, the journal is stored in /run/log/journal/ (tmpfs) and lost on reboot. RHCSA expects you to know this.
Configure journal size limits in /etc/systemd/journald.conf
[Journal] Storage=persistent SystemMaxUse=1G SystemKeepFree=2G MaxRetentionSec=1month
After editing, restart the journal:
sudo systemctl restart systemd-journaldCombined Filters — Real-World Scenarios
SSH authentication failures in the last hour
journalctl -u sshd -p err --since "1 hour ago" --no-pagerAll errors this boot for any service
journalctl -b -p err -o short-preciseGrep within journal output — find specific patterns
journalctl -u sshd --since today --no-pager | grep "Failed password"Count failed SSH logins per IP today
journalctl -u sshd --since today --no-pager | grep "Failed password" | awk '{print $(NF-3)}' | sort | uniq -c | sort -rn