Viewing system logs with journalctl exposes detailed information about boots, services, hardware, and application events, which is essential for diagnosing failures and confirming that background processes behave as expected.

The systemd journal collects log messages from the kernel, init system, services, and user processes into a binary store, which journalctl then queries and presents in a readable format. Filters based on time, priority, units, or fields make it possible to focus on only the events that matter.

Access to the full journal typically requires elevated privileges, and persistent storage may need configuration under /var/log/journal depending on distro defaults, so commands often run through sudo and storage settings should be monitored to avoid excessive disk use.

Related: How to tail and follow logs in Linux
Related: How to view Linux service logs with journalctl

Steps to view system logs using journalctl:

  1. Open a terminal on a systemd-based Linux system with a user that can run sudo. 
    $ whoami
user

    Membership in the systemd-journal group on some systems allows reading logs without sudo.

  2. Display recent journal entries in chronological order. 
    $ sudo journalctl --no-pager -n 5
Jan 11 21:21:44 host.example.net root[1518]: tail-follow demo: multi-file
Jan 11 21:21:44 host.example.net root[1517]: tail-follow demo: auth log
Jan 11 21:21:45 host.example.net root[1529]: tail-follow demo: live follow
Jan 11 21:22:09 host.example.net sudo[1532]:     root : PWD=/ ; USER=root ; COMMAND=/usr/bin/journalctl --no-pager -n 5
Jan 11 21:22:09 host.example.net sudo[1532]: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=0)

    The default pager is usually less, so navigation keys like Space, b, and q apply.

  3. Show only the most recent messages first for quicker inspection of current issues. 
    $ sudo journalctl -r --no-pager | head -n 5
Jan 11 21:22:09 host.example.net sudo[1549]: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=0)
Jan 11 21:22:09 host.example.net sudo[1549]:     root : PWD=/ ; USER=root ; COMMAND=/usr/bin/journalctl -r --no-pager
Jan 11 21:22:09 host.example.net sudo[1532]: pam_unix(sudo:session): session closed for user root
Jan 11 21:22:09 host.example.net sudo[1532]: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=0)
Jan 11 21:22:09 host.example.net sudo[1532]:     root : PWD=/ ; USER=root ; COMMAND=/usr/bin/journalctl --no-pager -n 5

    Option -r reverses the output order so the latest events appear at the top.

  4. Follow logs in real time to watch events as they occur. 
    $ sudo journalctl -f
Jan 11 21:22:09 host.example.net root[1560]: journalctl follow demo: ssh start

    Real-time streaming with -f resembles tail -f on text logs.

  5. Limit the view to the current boot to avoid noise from older sessions. 
    $ sudo journalctl -b --no-pager -n 5
Jan 11 21:22:09 host.example.net sudo[1561]:     root : PWD=/ ; USER=root ; COMMAND=/usr/bin/journalctl -f --lines 3
Jan 11 21:22:09 host.example.net sudo[1561]: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=0)
Jan 11 21:22:12 host.example.net sudo[1561]: pam_unix(sudo:session): session closed for user root
Jan 11 21:22:12 host.example.net sudo[1563]:     root : PWD=/ ; USER=root ; COMMAND=/usr/bin/journalctl -b --no-pager -n 5
Jan 11 21:22:12 host.example.net sudo[1563]: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=0)

    Use -b -1 for the previous boot, -b -2 for two boots ago, and so on.

  6. Show logs only for a specific systemd service unit such as ssh.service. 
    $ sudo journalctl -u ssh.service --no-pager -n 5
Jan 11 21:17:34 5fbe1fd9880b systemd[1]: Starting ssh.service - OpenBSD Secure Shell server...
Jan 11 21:17:34 5fbe1fd9880b sshd[1351]: Server listening on 0.0.0.0 port 22.
Jan 11 21:17:34 5fbe1fd9880b sshd[1351]: Server listening on :: port 22.
Jan 11 21:17:34 5fbe1fd9880b systemd[1]: Started ssh.service - OpenBSD Secure Shell server.

    Any unit name accepted by systemctl, such as nginx.service or cron.service, can be used with -u.

  7. Filter messages by severity level to focus on errors or warnings. 
    $ sudo journalctl -p err --no-pager -n 3
Jan 11 21:17:07 5fbe1fd9880b (sd-exec-[831]: /usr/lib/systemd/system-generators/sshd-socket-generator failed with exit status 1.
Jan 11 21:17:07 5fbe1fd9880b (sd-exec-[1018]: /usr/lib/systemd/system-generators/sshd-socket-generator failed with exit status 1.
Jan 11 21:17:44 5fbe1fd9880b systemd-hostnamed[1364]: Failed to write static hostname: Device or resource busy

    Valid priorities include emerg, alert, crit, err, warning, notice, info, and debug, and ranges such as -p warning..alert are supported.

  8. Restrict logs to a specific time window for targeted debugging. 
    $ sudo journalctl --since \"5 minutes ago\" --until \"now\" --no-pager -n 5
Jan 11 21:22:12 host.example.net sudo[1581]:     root : PWD=/ ; USER=root ; COMMAND=/usr/bin/journalctl -p err --no-pager -n 3
Jan 11 21:22:12 host.example.net sudo[1581]: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=0)
Jan 11 21:22:12 host.example.net sudo[1581]: pam_unix(sudo:session): session closed for user root
Jan 11 21:22:12 host.example.net sudo[1590]:     root : PWD=/ ; USER=root ; COMMAND=/usr/bin/journalctl --since '5 minutes ago' --until now --no-pager -n 5
Jan 11 21:22:12 host.example.net sudo[1590]: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=0)

    Dates like “yesterday” or “2 hours ago” are accepted in –since and –until for relative ranges.

  9. Show only kernel messages to inspect boot-time and driver-related logs. 
    $ sudo journalctl -k --no-pager | head -n 5
Jan 11 21:16:42 5fbe1fd9880b kernel: Booting Linux on physical CPU 0x0000000000 [0x610f0000]
Jan 11 21:16:42 5fbe1fd9880b kernel: Linux version 6.12.54-linuxkit (root@buildkitsandbox) (gcc (Alpine 13.2.1_git20240309) 13.2.1 20240309, GNU ld (GNU Binutils) 2.42) #1 SMP Tue Nov  4 21:21:47 UTC 2025
Jan 11 21:16:42 5fbe1fd9880b kernel: OF: reserved mem: Reserved memory: No reserved-memory node in the DT
Jan 11 21:16:42 5fbe1fd9880b kernel: Zone ranges:
Jan 11 21:16:42 5fbe1fd9880b kernel:   DMA      [mem 0x0000000070000000-0x00000000ffffffff]

    Kernel messages recorded by dmesg also flow into the journal on most modern systems.

  10. Filter by process identifier when a specific PID is known. 
    $ sudo journalctl _PID=1 --no-pager | head -n 5
Jan 11 21:16:42 5fbe1fd9880b systemd[1]: Starting systemd-tmpfiles-setup.service - Create Volatile Files and Directories...
Jan 11 21:16:42 5fbe1fd9880b systemd[1]: Finished systemd-tmpfiles-setup.service - Create Volatile Files and Directories.
Jan 11 21:16:42 5fbe1fd9880b systemd[1]: Reached target sysinit.target - System Initialization.
Jan 11 21:16:42 5fbe1fd9880b systemd[1]: Started systemd-tmpfiles-clean.timer - Daily Cleanup of Temporary Directories.
Jan 11 21:16:42 5fbe1fd9880b systemd[1]: Reached target basic.target - Basic System.

    Additional fields such as _SYSTEMD_UNIT= or _COMM= allow fine-grained selection of messages.

  11. Export a subset of logs in standard format for sharing or archiving. 
    $ sudo journalctl -u ssh.service -b --since \"5 minutes ago\" --until \"now\" > ssh-boot.log

    Exported logs may contain sensitive data such as IP addresses, usernames, or internal hostnames, so files like ssh-boot.log should be handled and shared carefully.

  12. Confirm journal integrity and available disk usage for the persistent store. 
    $ sudo journalctl --disk-usage
Archived and active journals take up 8.0M in the file system.

    Configuration options such as SystemMaxUse and SystemMaxFileSize in /etc/systemd/journald.conf control growth of the log store.