journalctl cheat sheet

Common journalctl options

Showing basic details of the journals

The size of the journals can displayed with --disk-usage, which may be useful when the file system is getting full.

# journalctl --disk-usage
Archived and active journals take up 160.0M in the file system.

To verify the integrity of the journals, use the --verify option.

# journalctl --verify
PASS: /var/log/journal/d8bd6473290d43a9942eaba0a506a454/system@ca889eb2eae24e41b37a50d33bad131c-0000000000000001-00060ed90326924f.journal
PASS: /var/log/journal/d8bd6473290d43a9942eaba0a506a454/user-1000@aeb5e2f412954ecfaa870c245338cb93-00000000000036b8-000611a51acdc7d0.journal
PASS: /var/log/journal/d8bd6473290d43a9942eaba0a506a454/user-1000@aeb5e2f412954ecfaa870c245338cb93-00000000000004e2-00060ed9041f690a.journal
PASS: /var/log/journal/d8bd6473290d43a9942eaba0a506a454/user-1000.journal
PASS: /var/log/journal/d8bd6473290d43a9942eaba0a506a454/system@ca889eb2eae24e41b37a50d33bad131c-0000000000014c26-000613a20f360102.journal
PASS: /var/log/journal/d8bd6473290d43a9942eaba0a506a454/system.journal
PASS: /var/log/journal/d8bd6473290d43a9942eaba0a506a454/user-1000@aeb5e2f412954ecfaa870c245338cb93-0000000000014e03-000613d7a3bb17e3.journal
PASS: /var/log/journal/d8bd6473290d43a9942eaba0a506a454/system@ca889eb2eae24e41b37a50d33bad131c-0000000000003334-0006113d51794916.journal

Querying the journals

There are many ways to query the journals. One of them is simply running journalctl and start scrolling. But there are better ways!

Query by time or period

Show messages of today with the --since= option and define the period.

journalctl --since="today"

To shorten the period, we can tell it to show only very recent entries of fifteen minutes ago or newer.

journalctl --since="15 minutes ago"

We can also provide a range, with the combination of since and until.

journalctl --since="2024-02-01" --until="2024-04-01"

For troubleshooting it may help to increase the period, but include a unit name to strip out much of the unneeded entries.

journalctl --unit ssh.service --since="1 week ago"

Query by priority or facility

Journalctl allows to query by priority. Here are the available levels:

Use the short notation, but now include the unit name in the ouput, and limit messages to a priority (including the ones with lower number, meaning a higher priority).

journalctl -S "today" --output=with-unit --priority=err

Only show some levels (notice, debug, and info)

journalctl -p 5..7

When querying by facility, which are common with syslog, define the right value. To know the available facilities, use the ‘help’.

# journalctl --facility=help
Available facilities:
kern
user
mail
daemon
auth
syslog
lpr
news
uucp
cron
authpriv
ftp
12
13
14
15
local0
local1
local2
local3
local4
local5
local6
local7

Query by string

Similar to the grep tool, there are a few options available to search in the journals. It shares the same name, but is an option instead.

journalctl --grep "[bB]lock"

Regular expressions are allowed, so be aware of case-sensitive filtering.

Want to search and not worry about lowercase and uppercase?

journalctl --case-sensitive=false --grep "block"

Query only by priority ERROR

Show only the entries flagged with priority ERROR.

journalctl -p err

Or since last boot:

journalctl -b -p err

Limit output and follow

Journalctl allows to limit the output to a specific number of lines. To show the last 10 lines, which is equal to --lines=10, we can use -n.

journalctl -n

We can also combine it with a unit, and show only 5 lines.

journalctl -u ssh.service -n 5

Keep track of new additions, we can use the --follow option, similar to tail -f.

journalctl --follow

Cleaning up the journals

When the journal gets too big, decrease its size by performing a vacuum action.

journalctl --vacuum-size=100M

It is also possible to set a time period instead.

journalctl --vacuum-time="4­weeks"

Other useful options?

Did I miss something that really should be included in this cheat sheet? Let it know!