journalctl: Read Linux System Logs
On every modern Linux system, services log to journald — a central, structured, searchable log database. journalctl is how you read it. Master half a dozen flags and you’ll find the cause of any service problem in seconds.
The first command
journalctl # ALL logs (huge — uses less to page)
Type q to quit. By default the latest entries are at the bottom.
Logs for a specific service
journalctl -u nginx # all nginx logs ever
journalctl -u nginx -u php-fpm # multiple services
Follow logs in real time
journalctl -f # follow ALL (like tail -f /var/log/syslog)
journalctl -fu nginx # follow only nginx
journalctl -fu nginx -u php-fpm # follow multiple
Filter by time
journalctl --since "1 hour ago"
journalctl --since today
journalctl --since yesterday --until today
journalctl --since "2026-04-26 10:00:00" --until "2026-04-26 12:00:00"
journalctl -u nginx --since "10 min ago"
Filter by severity
journalctl -p err # error and worse
journalctl -p warning # warning and worse
journalctl -p err -u nginx # combine with service filter
Priority levels (lowest to highest severity): debug, info, notice, warning, err, crit, alert, emerg.
Last N lines
journalctl -n 50 -u nginx # last 50 lines for nginx
journalctl -e # jump to end (most recent)
journalctl -r # reverse order (newest first)
Boot-specific logs
journalctl -b # since current boot
journalctl -b -1 # previous boot
journalctl -b -2 # boot before that
journalctl --list-boots # list all available boots
Output formats
journalctl -o short # default
journalctl -o short-iso # ISO timestamps
journalctl -o cat # just messages, no metadata
journalctl -o json-pretty # JSON (for parsing)
journalctl -o verbose # all available fields
Filter by process / user
journalctl _UID=1000 # all logs from user UID 1000
journalctl _PID=1234 # logs from a specific process
journalctl _COMM=ssh # logs from any process named "ssh"
journalctl _SYSTEMD_UNIT=nginx.service # equivalent to -u nginx
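The priority levels, JSON output and field names above combine into scripted triage. The following is an added example, not code from the original page: it reads entries in the shape of journalctl -o json (one object per line) and reports, per source, how many entries are at a threshold or worse, as -p does. The function names triage and decode_message are hypothetical and the sample entries are constructed.

```python
import json

# Names for the numeric PRIORITY field, index 0 (emerg) to 7 (debug).
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def decode_message(value):
    # MESSAGE is normally a string, but journald emits a list of byte values
    # when the text is not valid UTF-8, and null when the field is too large.
    if isinstance(value, list):
        return bytes(value).decode("utf-8", errors="replace")
    return value or ""

def triage(lines, threshold="err"):
    """Per source: count, worst severity and latest message at threshold or worse."""
    limit = PRIORITIES.index(threshold)
    report = {}
    for line in lines:
        if not line.strip():
            continue
        entry = json.loads(line)
        try:
            prio = int(entry.get("PRIORITY"))
        except (TypeError, ValueError):
            continue  # no usable priority on this entry
        if not 0 <= prio <= limit:
            continue
        # Kernel and non-unit entries carry no _SYSTEMD_UNIT; fall back.
        source = (entry.get("_SYSTEMD_UNIT") or entry.get("SYSLOG_IDENTIFIER")
                  or entry.get("_COMM") or "unknown")
        item = report.setdefault(source, {"count": 0, "worst": prio, "last": ""})
        item["count"] += 1
        item["worst"] = min(item["worst"], prio)
        item["last"] = decode_message(entry.get("MESSAGE"))
    return {s: {**i, "worst": PRIORITIES[i["worst"]]} for s, i in report.items()}

# Constructed sample in the shape of `journalctl -o json` (one object per line).
SAMPLE = [
    '{"PRIORITY":"6","_SYSTEMD_UNIT":"nginx.service","MESSAGE":"worker started"}',
    '{"PRIORITY":"3","_SYSTEMD_UNIT":"nginx.service","MESSAGE":"bind() failed"}',
    '{"PRIORITY":"2","_SYSTEMD_UNIT":"nginx.service","MESSAGE":[98,97,100,32,255]}',
    '{"PRIORITY":"4","_SYSTEMD_UNIT":"php-fpm.service","MESSAGE":"pool busy"}',
    '{"PRIORITY":"3","SYSLOG_IDENTIFIER":"kernel","MESSAGE":"Out of memory"}',
]

if __name__ == "__main__":
    for source, item in triage(SAMPLE).items():
        print(f'{source}: {item["count"]} entries, worst={item["worst"]}, last={item["last"]!r}')
```

On a live system, pass sys.stdin to triage() and pipe journalctl -o json --since "1 hour ago" into the script.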
Kernel messages
journalctl -k # only kernel messages (like dmesg)
journalctl -k --since "5 min ago"
Disk usage
journalctl --disk-usage # how much space journals take
sudo journalctl --vacuum-time=2weeks # delete entries older than 2 weeks
sudo journalctl --vacuum-size=500M # keep journals under 500MB
Make journals persistent
Some distros store journals in /run (RAM) by default — they vanish on reboot. Make them persistent:
sudo mkdir -p /var/log/journal
sudo systemd-tmpfiles --create --prefix /var/log/journal
sudo systemctl restart systemd-journald
Real workflows
# A service crashed — what happened?
sudo systemctl status nginx # quick view, last few lines
sudo journalctl -xeu nginx # -x adds explanatory catalog text, -e jumps to the end, -u selects the unit
sudo journalctl -u nginx --since "10 min ago"
# Watch SSH login (sshd) events live
journalctl -f _COMM=sshd
# Find all errors from any service in the last hour
journalctl -p err --since "1 hour ago"
# Export logs for sharing
journalctl -u nginx --since today > nginx-today.log
# Search for a specific term across all services
journalctl --since today | grep -i "out of memory"
Where logs that AREN’T in journald live
Not everything goes to journald. Many web apps and older daemons still use plain text files in /var/log/:
- /var/log/nginx/access.log, /var/log/nginx/error.log
- /var/log/apache2/
- /var/log/mysql/
- /var/log/auth.log (Debian) / /var/log/secure (RHEL) — auth events
- /var/log/syslog (Debian) / /var/log/messages (RHEL) — general
Read those with tail -f, less, or grep.
Common mistakes
- Running journalctl as a non-root user — you only see your own logs. Use sudo for system services.
- Forgetting -u service and getting drowned in unrelated logs.
- Reading logs with no time filter on a busy server — endless paging. Always --since something.
What to learn next
That covers monitoring services. Next big section: package management — installing, updating, and removing software the right way for your distro.