Sun, August 3rd, 2025

Introduction to journalctl

journalctl is the primary tool for viewing logs on modern Linux systems using systemd. It centralizes logging from the kernel, applications, and services into a structured, searchable journal. Unlike traditional log files (e.g., /var/log/syslog), it offers powerful filtering and formatting, making troubleshooting more efficient.


Basic Commands

  1. View Full Log

    journalctl
    • Displays all logs, oldest first. Use the ↑/↓ arrow keys to navigate. Press q to quit.
  2. Follow New Logs (Real-Time)

    journalctl -f
    • Similar to tail -f, showing new log entries as they arrive.

Filtering Techniques

  1. By Service/Unit

    journalctl -u nginx.service
    • Replace nginx.service with your service name (e.g., docker, ssh).
  2. By Time

    journalctl --since "2024-07-15 09:00:00" --until "1 hour ago"
    • Flexible time formats: "yesterday", "2 days ago", or "15 min ago".
  3. By Priority

    journalctl -p err..alert
    • Shows entries in the range err through alert (err, crit, alert). A single level, e.g. -p warning, shows that level and everything more severe.
    • Levels: emerg (0), alert (1), crit (2), err (3), warning (4), notice (5), info (6), debug (7).
  4. By Boot Session

    journalctl -b -1  # Previous boot
    journalctl -b      # Current boot
    • List boot IDs: journalctl --list-boots.

Advanced Usage

  1. Combined Filters

    journalctl -u mysql.service --since today -p err
    • Shows MySQL errors since midnight.
  2. Output Formatting

    journalctl -o json-pretty      # JSON format
    journalctl -o verbose          # Detailed field view
    journalctl --no-pager          # Output without paging
  3. Disk Usage Management

    journalctl --disk-usage        # Check log size
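    sudo journalctl --vacuum-size=500M  # Delete archived journal files until usage drops below 500M
    • Vacuuming permanently removes the oldest entries, so export anything you still need first. For a standing cap, set SystemMaxUse= in /etc/systemd/journald.conf.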

Practical Examples

  • Debug SSH Failures:

    journalctl -u sshd --since "30 min ago" -p warning
  • Track Kernel Issues:

    journalctl -k --since yesterday
  • Find Disk Errors:

    journalctl -p err..alert | grep -i "disk"
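
An added example, not part of the original page: a shell filter that turns the output of the SSH query above into a count of failed password attempts per source address. The function names, host name and log lines are constructed for illustration, and the message layout assumed is OpenSSH's "Failed password for ... from <addr> port <n> ssh2".

```shell
#!/usr/bin/env bash
# Added example: summarize failed SSH password attempts per source address
# from journalctl's default text output. ssh_fail_summary and sample_journal
# are hypothetical helper names, not part of journalctl.

# Reads journal lines on stdin, prints "<count> <address>", highest count first.
ssh_fail_summary() {
    awk '
        # The user name in this message is supplied by the remote client,
        # so read the address from the fixed tail of the line
        # ("from <addr> port <n> ssh2") rather than the first "from".
        /\]: Failed password for / &&
        $(NF-4) == "from" && $(NF-2) == "port" && $NF == "ssh2" {
            fails[$(NF-3)]++
        }
        END { for (addr in fails) print fails[addr], addr }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample input (documentation address ranges, made-up host name).
sample_journal() {
    cat <<'EOF'
Jul 15 09:01:02 web01 sshd[1201]: Failed password for root from 203.0.113.5 port 40112 ssh2
Jul 15 09:01:05 web01 sshd[1201]: Failed password for root from 203.0.113.5 port 40112 ssh2
Jul 15 09:01:09 web01 sshd[1207]: Failed password for invalid user admin from 198.51.100.7 port 51544 ssh2
Jul 15 09:01:11 web01 sshd[1210]: Failed password for invalid user from 192.0.2.1 from 203.0.113.5 port 40150 ssh2
Jul 15 09:02:00 web01 sshd[1215]: Accepted publickey for deploy from 192.0.2.44 port 50022 ssh2: ED25519 SHA256:CONSTRUCTED
Jul 15 09:02:30 web01 sshd[1201]: Connection closed by authenticating user root 203.0.113.5 port 40112 [preauth]
EOF
}

# Live use, with the unit name and time window from the SSH example above:
#   journalctl -u sshd --since "30 min ago" --no-pager | ssh_fail_summary
sample_journal | ssh_fail_summary
```

The fourth sample line carries a user name that itself contains "from 192.0.2.1"; reading the address from the end of the line keeps that attempt attributed to the connecting address.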

Troubleshooting Tips

  • Permission Denied?
    Use sudo for system-wide logs or add your user to the systemd-journal group, which grants read access to the full system journal (log out and back in for the change to apply):

    sudo usermod -aG systemd-journal $USER
  • Missing Logs?
    Ensure Storage=persistent is set in /etc/systemd/journald.conf, then restart the journal service with:

    sudo systemctl restart systemd-journald

Conclusion

journalctl transforms log analysis with its query flexibility and integration with systemd. Start with basic filters (-u, -p, --since), then explore advanced options like JSON output or boot tracking. For more details, consult man journalctl or run journalctl --help.

> Pro Tip: Use journalctl -xe after a command fails—it often shows the most relevant error context!
