« Back to Cheat sheets for Linux

journalctl cheat sheet

Common journalctl options

Long optionShort optionWhat the option does
--disk-usageShow size of the archived and active journals
--follow-fTrack changes, like tail -f
--lines=-nShow X number of lines (most recent)
--output=-oDefine what output format should be used for journal entries
--reverse-rReverse output, newest on top
--since=-SLimit the data to a specific period (begin)
--unit-uSpecify the unit when querying the logs or taking an action
--until=-ULimit the data to a specific period (end)
--vacuum-filesTrim journal logs by number
--vacuum-sizeClear log entries from journal logs by specifying total size
--vacuum-timeClear log entries from journal logs by specifying time (age)
--verifyIntegrity check of the journals

Showing basic details of the journals

The size of the journals can displayed with --disk-usage, which may be useful when the file system is getting full.

# journalctl --disk-usage
Archived and active journals take up 160.0M in the file system.

To verify the integrity of the journals, use the --verify option.

# journalctl --verify
PASS: /var/log/journal/d8bd6473290d43a9942eaba0a506a454/system@ca889eb2eae24e41b37a50d33bad131c-0000000000000001-00060ed90326924f.journal
PASS: /var/log/journal/d8bd6473290d43a9942eaba0a506a454/user-1000@aeb5e2f412954ecfaa870c245338cb93-00000000000036b8-000611a51acdc7d0.journal
PASS: /var/log/journal/d8bd6473290d43a9942eaba0a506a454/user-1000@aeb5e2f412954ecfaa870c245338cb93-00000000000004e2-00060ed9041f690a.journal
PASS: /var/log/journal/d8bd6473290d43a9942eaba0a506a454/user-1000.journal
PASS: /var/log/journal/d8bd6473290d43a9942eaba0a506a454/system@ca889eb2eae24e41b37a50d33bad131c-0000000000014c26-000613a20f360102.journal
PASS: /var/log/journal/d8bd6473290d43a9942eaba0a506a454/system.journal
PASS: /var/log/journal/d8bd6473290d43a9942eaba0a506a454/user-1000@aeb5e2f412954ecfaa870c245338cb93-0000000000014e03-000613d7a3bb17e3.journal
PASS: /var/log/journal/d8bd6473290d43a9942eaba0a506a454/system@ca889eb2eae24e41b37a50d33bad131c-0000000000003334-0006113d51794916.journal

Querying the journals

There are many ways to query the journals. One of them is simply running journalctl and start scrolling. But there are better ways!

Query by time or period

Show messages of today with the --since= option and define the period.

journalctl --since="today"

To shorten the period, we can tell it to show only very recent entries of fifteen minutes ago or newer.

journalctl --since="15 minutes ago"

We can also provide a range, with the combination of since and until.

journalctl --since="2024-02-01" --until="2024-04-01"

For troubleshooting it may help to increase the period, but include a unit name to strip out much of the unneeded entries.

journalctl --unit ssh.service --since="1 week ago"

Query by priority or facility

Journalctl allows to query by priority. Here are the available levels:

Priority levelName
0emerg
1alert
2crit
3err
4warning
5notice
6debug
7info

Use the short notation, but now include the unit name in the output, and limit messages to a priority (including the ones with lower number, meaning a higher priority).

journalctl -S "today" --output=with-unit --priority=err

Only show some levels (notice, debug, and info)

journalctl -p 5..7

When querying by facility, which are common with syslog, define the right value. To know the available facilities, use the ‘help’.

# journalctl --facility=help
Available facilities:
kern
user
mail
daemon
auth
syslog
lpr
news
uucp
cron
authpriv
ftp
12
13
14
15
local0
local1
local2
local3
local4
local5
local6
local7

Query by string

Similar to the grep tool, there are a few options available to search in the journals. It shares the same name, but is an option instead.

journalctl --grep "[bB]lock"

Regular expressions are allowed, so be aware of case-sensitive filtering.

Want to search and not worry about lowercase and uppercase?

journalctl --case-sensitive=false --grep "block"

Query only by priority ERROR

Show only the entries flagged with priority ERROR.

journalctl -p err

Or since last boot:

journalctl -b -p err

Limit output and follow

Journalctl allows to limit the output to a specific number of lines. To show the last 10 lines, which is equal to --lines=10, we can use -n.

journalctl -n

We can also combine it with a unit, and show only 5 lines.

journalctl -u ssh.service -n 5

Keep track of new additions, we can use the --follow option, similar to tail -f.

journalctl --follow

Cleaning up the journals

When the journal gets too big, decrease its size by performing a vacuum action.

journalctl --vacuum-size=256M

It is also possible to set a time period instead.

journalctl --vacuum-time="4­weeks"

Another possibility is defining the number of logs.

journalctl --vacuum-files=5

Other useful options?

Did I miss something that really should be included in this cheat sheet? Let it know!

Relevant articles using journalctl command

The following articles include an example on how to use journalctl and might be worth further exploring.

Liked this cheat sheet? There are more!

Related articles

Like to learn more? Here is a list of articles within the same category or having similar tags.

Feedback

Small picture of Michael Boelen

This article has been written by our Linux security expert Michael Boelen. With focus on creating high-quality articles and relevant examples, he wants to improve the field of Linux security. No more web full of copy-pasted blog posts.

Discovered outdated information or have a question? Share your thoughts. Thanks for your contribution!

Mastodon icon