How to View and Manage System Logs Using journalctl in Linux

In today’s Linux-based environments, efficient log management is essential for system administrators to monitor performance, troubleshoot issues, and support system stability. Most modern Linux distributions rely on systemd as the default init system, which includes a built-in logging component known as the journal. Unlike traditional plain-text logs, the journal stores data in a structured binary format, allowing faster and more flexible access using the journalctl command.

To interact with these logs, Linux provides a powerful command-line tool called ‘journalctl‘. This utility allows administrators to view, filter, and analyze logs across the entire system, including kernel events, service logs, and user-generated messages,  all from a single interface. Whether you’re debugging a service failure, tracking down a security event, or monitoring logs in real time, `journalctl` offers the precision and control needed to get the job done.

This guide will show you how to use `journalctl`, from viewing logs to advanced filtering and cleanup techniques, helping you confidently manage system logs on any Linux system using systemd.

What Is `journalctl` and Why It Matters

`journalctl` is a command-line utility for interacting with the systemd journal. systemd replaces older init systems and manages various system tasks, including logging. The systemd journal is a centralized log storage system, storing logs for all services, the kernel, and user programs in a binary format.

Unlike traditional text-based log files, the binary format allows for more advanced querying and filtering. This feature makes `journalctl` an essential tool for administrators who need to troubleshoot problems, monitor system performance, or audit events in real-time.

Some advantages of using `journalctl` include:

• Real-time log viewing: `journalctl` allows you to stream logs as they occur.
• Powerful filtering: You can filter logs by service, time, priority, and many other criteria.
• Persistent logging: System logs can be preserved across reboots if configured.
• Unified log format: All system logs are stored in a single journal, making it straightforward to find relevant entries.

Basic Syntax of the `journalctl` Command

Before diving into advanced features, let’s go over the basic syntax of the `journalctl` command. The basic syntax is:

journalctl [options]

journalctl [options]

Some common options you’ll encounter include:

• `-u` for specifying a unit (for example, a service)
• `-p` for specifying log priority
• `–since` and `–until` for filtering logs by time
• `-f` for following logs in real-time
• `–no-pager` to disable pagination when viewing logs

Let’s explore some practical examples using these options.

View All System Logs

To view all logs in the system journal, run:

journalctl

journalctl

By default, this will show logs from the most recent boot. Logs are displayed in reverse chronological order, with the most recent entries appearing at the top.

If you want to see logs for a specific time frame, you can filter them by date using the `–since` and `–until` options (this will be covered later).

View Logs for a Specific Service

Often, you’ll need to view logs related to a specific service, such as Apache, Nginx, or MySQL. `journalctl` allows you to filter logs by service unit using the `-u` option.

To view logs for a service, run:

journalctl -u <service_name>

journalctl -u <service_name>

For example, to view the logs for the Apache web server (assuming the service name is `apache2`), run:

journalctl -u apache2

journalctl -u apache2

You can also view logs for services across reboots by using the `–no-pager` flag to prevent pagination:

journalctl -u apache2 --no-pager

journalctl -u apache2 --no-pager

This is useful when you need to check logs after the service has restarted.

Filter Logs by Date and Time

`journalctl` offers powerful time-based filtering, allowing you to specify logs from specific dates or time ranges. The `–since` and `–until` options allow you to specify start and end times for the logs you want to view.

For example, to view logs from today:

journalctl --since today

journalctl --since today

You can also specify a custom date or time range. For instance, to view logs from the last two days:

journalctl --since "2 days ago"

journalctl --since "2 days ago"

To specify an exact time range, you can use both `–since` and `–until` together:

journalctl --since "2025-04-01 00:00:00" --until "2025-04-02 00:00:00"

journalctl --since "2025-04-01 00:00:00" --until "2025-04-02 00:00:00"

To specify an exact time range, you can use both `–since` and `–until` together:

journalctl --since "2025-04-01 00:00:00" --until "2025-04-02 00:00:00"

journalctl --since "2025-04-01 00:00:00" --until "2025-04-02 00:00:00"

This allows you to view logs between two specific dates or times.

Monitor Logs in Real-Time

Sometimes, it’s essential to monitor logs as events happen. `journalctl` provides a way to follow logs in real-time, similar to the `tail -f` command used for text files. Use the `-f` option to continuously output new log entries as they occur.

For example, to monitor the logs of a specific service (for example, Apache) in real-time:

journalctl -u apache2 -f

journalctl -u apache2 -f

This will show new log entries for the Apache service as they happen. To stop monitoring, press `Ctrl + C`.

View Logs by Priority Level (Errors Only)

`journalctl` allows you to filter logs by priority level, which is helpful when you only want to see critical errors or warnings. Log entries are categorized into different priority levels, such as:

• `emerg` (0) – System is unusable
• `alert` (1) – Immediate action required
• `crit` (2) – Critical conditions
• `err` (3) – Error conditions
• `warning` (4) – Warning conditions
• `notice` (5) – Normal but significant conditions
• `info` (6) – Informational messages
• `debug` (7) – Debugging messages

To view only error-level logs (`err` and above), use the `-p` option followed by the priority level. For example:

journalctl -p err

journalctl -p err

You can also use numerical values instead of the log level name. For example, to show logs with a priority level of `warning` or higher (that is, `4` or above):

journalctl -p 4

journalctl -p 4

View Logs from Previous Boots

`journalctl` can be used to view logs from previous boots. This is useful when troubleshooting issues that occurred during past sessions.

To view logs from the previous boot, use the `-b` option:

journalctl -b -1

journalctl -b -1

This will show logs from the last boot. You can use `-b -2`, `-b -3`, and so on, to view logs from older boots.

Save or Export Logs to a File

Sometimes, you may need to save logs for later analysis or sharing. `journalctl` allows you to export logs to a file using redirection.

For example, to save logs for the Apache service to a file:

journalctl -u apache2 --no-pager > apache2_logs.txt

journalctl -u apache2 --no-pager > apache2_logs.txt

You can also specify a time range and save those logs to a file:

journalctl --since "2025-04-01" --until "2025-04-02" > april_logs.txt

journalctl --since "2025-04-01" --until "2025-04-02" > april_logs.txt

This will export logs from the specified time period to `april_logs.txt`.

Check Log Storage Size

Over time, logs can accumulate and consume disk space. To ensure that log storage doesn’t grow uncontrollably, you can check the size of the systemd journal.

Use the following command to check the size of the journal:

journalctl --disk-usage

journalctl --disk-usage

This will display the disk usage of the journal. You can then act if the size is too large, such as configuring log rotation or cleaning up old logs.

Clean Up Old Logs

If your system is running out of disk space due to large journal logs, you can clean up old logs by adjusting systemd’s journal settings. You can limit the size of logs by setting the `SystemMaxUse` parameter in `/etc/systemd/journald.conf`.

To clean up old logs manually, use the `journalctl –vacuum-size` command to reduce the log size. For example, to limit the logs to 1GB, run:

journalctl --vacuum-size=1G

journalctl --vacuum-size=1G

You can also remove logs older than a specific number of days with the `–vacuum-time` option:

journalctl --vacuum-time=7d

journalctl --vacuum-time=7d

This will remove logs older than 7 days.

Best Practices for Using `journalctl`

When using `journalctl` for real-time monitoring, troubleshooting, or auditing, consider the following best practices:

• Limit the output: Use filters like `-u`, `-p`, and `–since` to narrow down the logs you’re viewing. This prevents overwhelming amounts of information from being displayed.
• Use `-f` for monitoring: For real-time log monitoring, use the `-f` option to follow logs as they occur.
• Regular log cleanup: Periodically clean up old logs using the `–vacuum-size` or `–vacuum-time` options to free up disk space.
• Export logs for analysis: Save logs to a file for later review or to share 

Conclusion

`journalctl` is a versatile and powerful tool for viewing, managing, and auditing system logs on Linux systems using systemd. By mastering the essential commands and options, you can efficiently monitor system behavior, troubleshoot issues, and keep system performance. Whether you’re managing a development or production environment, `journalctl` will be an indispensable tool in your system administration toolkit.

By following the practices outlined in this guide, you’ll ensure that your system logs are effectively managed and that you’re always prepared to address any issues that arise.