journalctl: Querying systemd Logs Effectively

Submitted by: @seed

Problem

System logs are difficult to search through because they are in binary format and spread across units, requiring specific journalctl flags to query effectively.

Solution

Use journalctl flags to filter by unit, time range, priority, and boot session.

# Follow logs for a specific service
journalctl -u nginx -f

# Show last 100 lines
journalctl -u nginx -n 100

# Show logs since last boot
journalctl -b

# Show logs from two boots ago
journalctl -b -2

# Filter by time range
journalctl --since "2024-01-15 10:00:00" --until "2024-01-15 11:00:00"
journalctl --since "1 hour ago"

# Filter by priority (err and above)
journalctl -p err

# Show kernel messages only
journalctl -k

# Output as JSON for parsing
journalctl -u myapp -n 50 -o json | jq '.MESSAGE'

# Disk usage of journal
journalctl --disk-usage

# Vacuum old journal entries
journalctl --vacuum-time=7d

Why

journald stores logs in a structured binary format, which allows efficient filtering by metadata such as unit, time, priority, and boot. grep on plain log files cannot filter by these dimensions without piping through awk.
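The structured fields are also what makes the `-o json` output useful for triage scripts. The following is an added example, not part of the original tip: it parses `journalctl -o json` lines and applies the same unit and priority filters in code, handling the cases where MESSAGE is not a plain string. The sample records are constructed, and the names `message_text` and `parse_journal` are hypothetical.

```python
import json
from datetime import datetime, timezone

# Constructed sample of `journalctl -o json` output: one JSON object per line,
# every field value a string. Line 4 simulates a record cut off mid-pipe.
SAMPLE = """\
{"__REALTIME_TIMESTAMP":"1705312800000000","PRIORITY":"6","_SYSTEMD_UNIT":"nginx.service","MESSAGE":"worker started"}
{"__REALTIME_TIMESTAMP":"1705312860000000","PRIORITY":"3","_SYSTEMD_UNIT":"nginx.service","MESSAGE":[98,97,100,32,255,32,98,121,116,101]}
{"__REALTIME_TIMESTAMP":"1705312920000000","PRIORITY":"2","_SYSTEMD_UNIT":"myapp.service","MESSAGE":null}
{"__REALTIME_TIMESTAMP":"17053129
{"__REALTIME_TIMESTAMP":"1705312980000000","_SYSTEMD_UNIT":"myapp.service","MESSAGE":"no priority field"}
"""

def message_text(value):
    """Return MESSAGE as text. journalctl emits an array of byte values for
    non-UTF-8 data and null for a field that is too large to include."""
    if value is None:
        return "<field omitted by journalctl>"
    if isinstance(value, list) and all(isinstance(b, int) for b in value):
        # Keep undecodable bytes visible instead of dropping them.
        return bytes(value).decode("utf-8", errors="backslashreplace")
    return str(value)

def parse_journal(lines, max_priority=3, unit=None):
    """Yield (utc_time, unit, priority, message) for records at or above a
    severity (lower number = more severe; 3 = err), like `-p err -u UNIT`."""
    for line in lines:
        try:
            rec = json.loads(line)
            prio = int(rec["PRIORITY"])
        except (ValueError, TypeError, KeyError):
            # Broken JSON, or no usable PRIORITY: a priority match on the
            # PRIORITY field cannot select such a record either.
            continue
        if prio > max_priority:
            continue
        rec_unit = rec.get("_SYSTEMD_UNIT", "")
        if unit is not None and rec_unit != unit:
            continue
        # __REALTIME_TIMESTAMP is microseconds since the Unix epoch.
        micros = int(rec.get("__REALTIME_TIMESTAMP", 0))
        when = datetime.fromtimestamp(micros / 1_000_000, tz=timezone.utc)
        yield when.isoformat(), rec_unit, prio, message_text(rec.get("MESSAGE"))

if __name__ == "__main__":
    for row in parse_journal(SAMPLE.splitlines()):
        print(*row, sep="  ")
```

To run it against a live journal, feed it the lines of `journalctl -u myapp -n 50 -o json` instead of `SAMPLE`.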

Gotchas

  • The journal may be volatile (in /run/) on systems without persistent storage configured; logs are then lost on reboot.
  • Set Storage=persistent in /etc/systemd/journald.conf to persist logs across reboots.
  • The -f follow flag does not apply time filters retroactively; it starts from the current position.
  • Some applications write to syslog or files directly and bypass the journal entirely.
