How to Check Logs Using journalctl in Linux

Logs are a crucial component of any Linux system, as they provide a record of system activity, including system events, user actions, and system processes. journalctl is a command-line utility for viewing and managing logs on Linux systems using the systemd initialization system. It provides powerful filtering and formatting capabilities to help administrators monitor system health and troubleshoot issues effectively.

Basic journalctl Commands

The journalctl command can view and filter system logs for all system services, the kernel, and specific services or users. It can display the entire journal, view logs from a specific boot, or filter logs by various criteria.

Common Usage Examples

View all logs for a specific service

journalctl -u nginx

View all logs from the current boot

journalctl -b

View logs from the last week

journalctl --since "1 week ago"

Search logs containing specific text

journalctl | grep "Error"

Filtering by Date and Time

journalctl provides flexible date and time filtering using --since and --until options. Time can be specified in various formats including ISO format, natural language, or relative times.

Time Format Examples

Using absolute timestamps

journalctl --since "2022-10-01 00:00:00"
journalctl --until "2022-10-15 23:59:59"

Using relative time expressions

journalctl --since "1 hour ago"
journalctl --since "yesterday"
journalctl --since "2 days ago"

Combining both options for specific ranges

journalctl --since "2022-11-01 00:00:00" --until "2022-11-30 23:59:59"

Filtering by Users and Processes

journalctl allows filtering by specific users, processes, and system components using various field identifiers. This is particularly useful for troubleshooting specific applications or user activities.

User and Process Filtering

Filter by user ID

journalctl _UID=1000

Filter by process ID

journalctl _PID=1234

Filter by command name

journalctl _COMM=ssh

Filter by systemd unit

journalctl _SYSTEMD_UNIT=apache2.service

Combine multiple filters

journalctl _UID=1000 _COMM=firefox

Real-Time Log Monitoring

The -f or --follow option enables real-time log monitoring, similar to the tail -f command. This streams new log entries as they are added to the journal.

Following Logs

Follow all new logs

journalctl -f

Follow logs for a specific service

journalctl -f -u nginx

Show the last 10 entries and follow

journalctl -f -n 10

Use Ctrl+C to exit follow mode and return to the shell prompt.

Output Formats and Options

journalctl supports various output formats to suit different analysis needs, from human-readable formats to machine-parseable JSON.

Output Format Options

Format   Command                       Description
JSON     journalctl --output json      Machine-readable JSON format
Verbose  journalctl --output verbose   Detailed format with all metadata
Short    journalctl --output short     Concise format with essential fields
Cat      journalctl --output cat       Message content only

Disabling the Pager

By default, journalctl uses a pager (like less) to display output. Use --no-pager to disable this behavior:

journalctl --no-pager
journalctl --no-pager | grep "error"
journalctl --no-pager > logfile.txt

Advanced Filtering Examples

Combine multiple options for precise log analysis

journalctl --output json --since "1 hour ago" -u ssh
journalctl -p err --since "today"
journalctl _TRANSPORT=kernel --since "1 hour ago"
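
Added example (not part of the original article): a Python script that consumes the output of journalctl --output json -u ssh and counts failed SSH password attempts per source address, handling the cases where journalctl serializes a field as an array of byte values or as null. The sample entries are constructed, and the sshd message wording matched by the regex is an assumption about the local OpenSSH log format.

```python
import json
import re
from collections import Counter
from datetime import datetime, timezone

# Assumed OpenSSH message wording; adjust to match the local sshd log format.
FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")

def field_text(value):
    """Return a journal field as str (byte arrays decoded, null becomes "")."""
    if isinstance(value, str):
        return value
    # Non-UTF-8 or non-printable data is emitted as an array of byte values.
    if isinstance(value, list) and all(isinstance(b, int) for b in value):
        return bytes(value).decode("utf-8", errors="replace")
    return ""  # null is emitted for oversized fields

def failed_logins(json_lines):
    """Yield (utc_time, user, source_ip) for each failed password entry."""
    for line in json_lines.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)  # one JSON object per line
        match = FAILED.search(field_text(entry.get("MESSAGE")))
        if match:
            # __REALTIME_TIMESTAMP is microseconds since the epoch, as a string
            ts = int(entry["__REALTIME_TIMESTAMP"]) / 1_000_000
            yield datetime.fromtimestamp(ts, timezone.utc), match.group(1), match.group(2)

def count_by_source(json_lines):
    """Count failed password attempts per source address."""
    return Counter(ip for _, _, ip in failed_logins(json_lines))

def make_line(ts_us, message):
    # Builds one constructed journal entry in the JSON-lines shape journalctl emits.
    return json.dumps({"__REALTIME_TIMESTAMP": str(ts_us), "PRIORITY": "6",
                       "_COMM": "sshd", "MESSAGE": message})

# Constructed sample input (documentation-range addresses, made-up users).
SAMPLE = "\n".join([
    make_line(1700000000000000, "Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2"),
    make_line(1700000002000000, "Failed password for root from 203.0.113.7 port 50124 ssh2"),
    make_line(1700000005000000, "Accepted publickey for alice from 198.51.100.4 port 51000 ssh2"),
    make_line(1700000009000000, list(b"Failed password for invalid user caf\xe9 from 192.0.2.9 port 40000 ssh2")),
    make_line(1700000010000000, None),
])

if __name__ == "__main__":
    for ip, attempts in count_by_source(SAMPLE).most_common():
        print(ip, attempts)
```

On a live system, the same functions can read real data by passing them the text captured from journalctl --no-pager --output json -u ssh --since "1 hour ago".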

Conclusion

journalctl is an essential tool for Linux system administration, providing comprehensive log viewing and filtering capabilities. Its flexible date/time filtering, real-time monitoring, and various output formats make it invaluable for system troubleshooting, security monitoring, and performance analysis. Mastering journalctl commands enables efficient log management and faster problem resolution.

Updated on: 2026-03-17T09:01:38+05:30
