Quick take: The journalctl command reads the systemd journal. Use -u service to filter by service, -f to follow new logs live, -b for the current boot, and --since to limit by time.
Introduction
On systemd-based distributions, logs are collected in a central binary journal that you read with journalctl. Instead of hunting through files in /var/log, you query one structured journal — by service, time, boot, or priority — which makes troubleshooting far quicker.
This guide covers filtering by service, following logs in real time, scoping to a boot or time window, and filtering by severity.
Syntax
The basic syntax of the journalctl command is:
journalctl [OPTIONS]Common Options and Parameters
The most useful options and parameters for the journalctl command:
| Option | Description |
|---|---|
| -u SERVICE | Show logs for a specific service unit. |
| -f | Follow — stream new log entries live (like tail -f). |
| -b | Show logs from the current boot (-b -1 for the previous boot). |
| --since / --until | Limit by time, e.g. --since '1 hour ago'. |
| -n N | Show the last N lines. |
| -p LEVEL | Filter by priority (err, warning, crit). |
| -r | Show newest entries first (reverse). |
| --no-pager | Print directly without the pager. |
| -k | Show only kernel messages (like dmesg). |
Practical Examples
Real journalctl commands you can run today:
# Follow a service's logs live
journalctl -u nginx -f
# Show the last 100 lines for a service
journalctl -u ssh -n 100
# Logs since the last boot
journalctl -b
# Errors from the last hour
journalctl -p err --since '1 hour ago'
# Logs between two times
journalctl --since '2026-06-13 08:00' --until '2026-06-13 09:00'
# Kernel messages only
journalctl -kManaging Journal Size and Persistence
On some systems the journal is stored only in memory and is lost on reboot; on others it persists to disk under /var/log/journal. To keep logs across reboots, ensure that directory exists and that Storage=persistent is set in /etc/systemd/journald.conf.
A growing journal can consume significant disk space, so it is worth knowing how to inspect and trim it:
# How much space is the journal using?
journalctl --disk-usage
# Keep only the last 7 days
sudo journalctl --vacuum-time=7d
# Cap the journal at 500 MB
sudo journalctl --vacuum-size=500MTips and Best Practices
- Combine filters freely:
journalctl -u nginx -p err --since todaynarrows to today's nginx errors. - Use
-fwhile reproducing a problem to watch errors appear in real time. - If the journal grows large, check its size with
journalctl --disk-usageand trim it withjournalctl --vacuum-time=7d.
Final Thoughts
journalctl turns scattered log files into a single, queryable journal. Learn to filter by service with -u, follow live with -f, and scope by boot and time, and you can diagnose service failures quickly. It is the natural partner to systemctl — manage the service with one, read its logs with the other.
FAQ: journalctl Command in Linux
How do I view logs for a specific service?+
Use journalctl -u servicename, for example journalctl -u nginx. Add -f to follow new entries live or -n 100 to see the last 100 lines.
How do I follow logs in real time?+
Use the -f flag: journalctl -f streams all new logs, and journalctl -u ssh -f follows just one service, similar to tail -f.
How do I see logs since the last boot?+
Use journalctl -b for the current boot. journalctl -b -1 shows the previous boot, which is useful after an unexpected reboot or crash.
How do I filter logs by time?+
Use --since and --until with natural times: journalctl --since '1 hour ago' or journalctl --since '2026-06-13 08:00' --until '09:00'.
How do I show only errors?+
Filter by priority with -p: journalctl -p err shows error-level and worse messages. Combine with -u and --since to narrow further.
Need help with Linux servers or infrastructure?
Work directly with Muhammad Irfan Aslam for Linux, Ubuntu, Docker, DevOps, cloud, CI/CD, or infrastructure support.
Hire Me for Support