Viewing system logs with journalctl exposes detailed information about boots, services, hardware, and application events, which is essential for diagnosing failures and confirming that background processes behave as expected.

The systemd journal collects log messages from the kernel, init system, services, and user processes into a binary store, which journalctl then queries and presents in a readable format. Filters based on time, priority, units, or fields make it possible to focus on only the events that matter.

Reading the full journal typically requires elevated privileges, so commands are often run through sudo. Persistent storage under /var/log/journal may need to be configured depending on distro defaults, and storage settings should be monitored to avoid excessive disk use.

Steps to view system logs using journalctl:

  1. Open a terminal on a systemd-based Linux system with a user that can run sudo.
    $ whoami
    user

    Membership in the systemd-journal group on some systems allows reading logs without sudo.

  2. Display the entire journal in chronological order from oldest to newest.
    $ sudo journalctl
    -- Logs begin at Mon 2025-02-03 09:01:23 UTC, end at Mon 2025-02-03 10:15:47 UTC. --
    Feb 03 09:01:23 host-name kernel: Linux version 6.5.0-14-generic (buildd@lcy02-amd64-027) ##### snipped #####

    The default pager is usually less, so navigation keys like Space, b, and q apply.

  3. Show only the most recent messages first for quicker inspection of current issues.
    $ sudo journalctl -r
    -- Logs begin at Mon 2025-02-03 09:01:23 UTC, end at Mon 2025-02-03 10:15:47 UTC. --
    Feb 03 10:15:47 host-name systemd[1]: Finished Daily apt download activities.
    Feb 03 10:15:45 host-name CRON[21345]: (root) CMD (test -x /usr/sbin/anacron ##### snipped #####

    Option -r reverses the output order so the latest events appear at the top.

  4. Follow logs in real time to watch events as they occur.
    $ sudo journalctl -f
    -- Logs begin at Mon 2025-02-03 09:01:23 UTC, end at Mon 2025-02-03 10:16:01 UTC. --
    Feb 03 10:16:01 host-name CRON[21402]: (root) CMD (/usr/local/bin/backup-job)
    Feb 03 10:16:02 host-name backup-job[21405]: Backup completed successfully
    ##### snipped #####

    Real-time streaming with -f resembles tail -f on text logs.

  5. Limit the view to the current boot to avoid noise from older sessions.
    $ sudo journalctl -b
    -- Logs begin at Mon 2025-02-03 09:01:23 UTC, end at Mon 2025-02-03 10:16:40 UTC. --
    Feb 03 09:01:23 host-name kernel: Booting Linux on physical CPU 0x0000000000 ##### snipped #####

    Use -b -1 for the previous boot, -b -2 for two boots ago, and so on.

  6. Show logs only for a specific systemd service unit such as ssh.service.
    $ sudo journalctl -u ssh.service
    -- Logs begin at Mon 2025-02-03 09:01:23 UTC, end at Mon 2025-02-03 10:17:03 UTC. --
    Feb 03 09:01:24 host-name systemd[1]: Starting OpenBSD Secure Shell server...
    Feb 03 09:01:24 host-name sshd[1024]: Server listening on 0.0.0.0 port 22.
    Feb 03 09:01:24 host-name sshd[1024]: Server listening on :: port 22.
    ##### snipped #####

    Any unit name accepted by systemctl, such as nginx.service or cron.service, can be used with -u.

  7. Filter messages by severity level to focus on errors or warnings.
    $ sudo journalctl -p err
    -- Logs begin at Mon 2025-02-03 09:01:23 UTC, end at Mon 2025-02-03 10:18:22 UTC. --
    Feb 03 09:05:31 host-name NetworkManager[950]: <error> [1706957131.3145] device (wlp3s0): Activation failed: DHCP failed
    Feb 03 09:10:02 host-name sshd[1503]: error: maximum authentication attempts exceeded for invalid user admin ##### snipped #####

    Valid priorities include emerg, alert, crit, err, warning, notice, info, and debug, and ranges such as -p warning..alert are supported.

  8. Restrict logs to a specific time window for targeted debugging.
    $ sudo journalctl --since "2025-02-03 09:30" --until "2025-02-03 10:00"
    -- Logs begin at Mon 2025-02-03 09:30:00 UTC, end at Mon 2025-02-03 10:00:00 UTC. --
    Feb 03 09:32:11 host-name systemd[1]: Started Cleanup of Temporary Directories.
    Feb 03 09:45:03 host-name CRON[17500]: (root) CMD (/usr/local/bin/rotate-logs)
    ##### snipped #####

    Dates like "yesterday" or "2 hours ago" are accepted in --since and --until for relative ranges.

  9. Show only kernel messages to inspect boot-time and driver-related logs.
    $ sudo journalctl -k
    -- Logs begin at Mon 2025-02-03 09:01:23 UTC, end at Mon 2025-02-03 10:19:10 UTC. --
    Feb 03 09:01:23 host-name kernel: ACPI: IRQ9 used by override.
    Feb 03 09:01:23 host-name kernel: pci 0000:00:1c.0: ASPM: current common clock configuration is inconsistent, reconfiguring
    ##### snipped #####

    Kernel messages recorded by dmesg also flow into the journal on most modern systems.

  10. Filter by process identifier when a specific PID is known.
    $ sudo journalctl _PID=21405
    -- Logs begin at Mon 2025-02-03 10:16:02 UTC, end at Mon 2025-02-03 10:16:02 UTC. --
    Feb 03 10:16:02 host-name backup-job[21405]: Backup completed successfully

    Additional fields such as _SYSTEMD_UNIT= or _COMM= allow fine-grained selection of messages.

  11. Export a subset of logs in standard format for sharing or archiving.
    $ sudo journalctl -u ssh.service -b --since "2025-02-03 09:00" --until "2025-02-03 11:00" > ssh-boot.log

    Exported logs may contain sensitive data such as IP addresses, usernames, or internal hostnames, so files like ssh-boot.log should be handled and shared carefully.

  12. Check how much disk space the journal's persistent store occupies.
    $ sudo journalctl --disk-usage
    Archived and active journals take up 128.0M on disk.

    Configuration options such as SystemMaxUse and SystemMaxFileSize in /etc/systemd/journald.conf control growth of the log store.
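
The unit filter from step 6 can feed a quick authentication review. The following is an added example, not part of the original article: it tallies failed SSH password attempts per source address from short-format journal lines. The function names, the threshold argument and the sample lines are constructed for illustration, and the addresses come from documentation ranges.

```shell
#!/bin/sh
# Added example: tally failed SSH password attempts per source address.
# Input: short-format journal lines on stdin, for instance from
#   sudo journalctl -u ssh.service -b --no-pager

# Constructed sample lines; addresses are RFC 5737 documentation ranges.
sample_log() {
    cat <<'EOF'
Feb 03 09:01:24 host-name sshd[1024]: Server listening on 0.0.0.0 port 22.
Feb 03 09:09:58 host-name sshd[1503]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Feb 03 09:10:00 host-name sshd[1503]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Feb 03 09:10:02 host-name sshd[1503]: error: maximum authentication attempts exceeded for invalid user admin from 203.0.113.7 port 51234 ssh2 [preauth]
Feb 03 09:12:40 host-name sshd[1610]: Failed password for user from 198.51.100.20 port 40022 ssh2
Feb 03 09:12:44 host-name sshd[1610]: Accepted password for user from 198.51.100.20 port 40022 ssh2
EOF
}

# failed_by_source [MIN]
# Prints "count address" for every source with at least MIN failed password
# attempts, busiest first. The address is taken from the fixed tail of the
# message ("from ADDR port N ssh2") rather than the first "from", because
# the username earlier in the line is client-supplied text.
failed_by_source() {
    awk -v min="${1:-1}" '
        / sshd(-session)?\[[0-9]+\]: Failed password for / &&
        $NF == "ssh2" && $(NF-2) == "port" && $(NF-4) == "from" {
            n[$(NF-3)]++
        }
        END { for (a in n) if (n[a] >= min) print n[a], a }
    ' | sort -k1,1nr -k2,2
}

# Demo on the constructed sample; prints "2 203.0.113.7".
sample_log | failed_by_source 2
```

On a live system, pipe the output of the journalctl command from step 6 into failed_by_source instead of sample_log.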
