Linux Comm Journalctl
[ Linux Command Encyclopaedia](#)
* * *
## What is journalctl?
journalctl is a powerful tool in Linux systems for querying and displaying systemd logs. As part of the systemd ecosystem, it provides centralized log management functionality, replacing the traditional syslog service.
### Core Features
1. **Binary Log Storage**: Logs are stored in binary format for improved retrieval efficiency
2. **Structured Logging**: Supports additional metadata and structured log fields
3. **Real-time Monitoring**: Can track log changes in real-time
4. **Multiple Filtering Methods**: Supports filtering by time, service, priority, and other conditions
* * *
## Basic Syntax
The basic command format for journalctl is as follows:
```bash
journalctl [OPTIONS...] [MATCHES...]
```
### Common Options Overview
| Option | Description |
| --- | --- |
| `-b` | Display logs from the current boot |
| `-f` | Follow logs (similar to tail -f) |
| `-k` | Display only kernel messages |
| `-u` | Display logs for the specified unit |
| `-n` | Display the last n lines of logs |
| `--since` | Display logs after the specified time |
| `--until` | Display logs before the specified time |
* * *
## Common Operation Examples
### 1. View Complete System Logs
## Example
```bash
journalctl
```
### 2. View Logs from Current Boot
## Example
```bash
journalctl -b
```
### 3. Real-time Monitoring of New Logs
## Example
```bash
journalctl -f
```
### 4. View Logs for Specific Service
## Example
```bash
journalctl -u nginx.service
```
### 5. Query by Time Range
## Example
```bash
journalctl --since "2023-01-01 00:00:00" --until "2023-01-02 12:00:00"
```
### 6. View Logs at Error Level
## Example
```bash
journalctl -p err
```
* * *
## Log Priority Filtering
journalctl supports filtering by log priority. The priorities are defined as follows:
| Priority | Value | Description |
| --- | --- | --- |
| emerg | 0 | Emergency |
| alert | 1 | Alert |
| crit | 2 | Critical |
| err | 3 | Error |
| warning | 4 | Warning |
| notice | 5 | Notice |
| info | 6 | Info |
| debug | 7 | Debug |
Usage examples:
## Example
```bash
# Display logs at error level and above
journalctl -p err
# Display logs at warning level and above
journalctl -p warning
```
* * *
## Advanced Usage
### 1. Display Disk Space Used by Logs
## Example
```bash
journalctl --disk-usage
```
### 2. Clean Up Old Logs
## Example
```bash
# Remove archived journal files older than 2 days (active files are not touched)
journalctl --vacuum-time=2d
# Remove the oldest archived journal files until they use less than 500M
journalctl --vacuum-size=500M
```
### 3. Output in JSON Format
## Example
```bash
journalctl -o json
```
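When a script consumes the JSON output, the encoding rules matter: field values arrive as strings, non-UTF-8 data as arrays of byte values, and oversized fields as null unless `-a` is given. The Python below is an added example, not part of the original page; the `SAMPLE` lines are constructed, and the function names and the choice to skip entries without a `PRIORITY` field are assumptions of this example.

```python
import json
from datetime import datetime, timezone

# Priority names and values as given in the priority table on this page.
PRIORITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}

def decode_field(value):
    """Normalise one field of journalctl's JSON output to text."""
    if value is None:                    # oversized field, printed as null without -a
        return "<omitted>"
    if isinstance(value, list):
        if all(isinstance(b, int) for b in value):        # non-UTF-8 bytes
            return bytes(value).decode("utf-8", errors="replace")
        return " | ".join(decode_field(v) for v in value)  # field set more than once
    return str(value)

def select(lines, max_priority="err", unit=None):
    """Return entries at max_priority or more severe, like `journalctl -p`."""
    limit = PRIORITY[max_priority]
    hits = []
    for line in lines:
        if not line.strip():
            continue
        entry = json.loads(line)
        prio = entry.get("PRIORITY")     # a string such as "3", not the number 3
        if not isinstance(prio, str) or not prio.isdigit() or int(prio) > limit:
            continue                     # assumption: entries without PRIORITY are skipped
        if unit and entry.get("_SYSTEMD_UNIT") != unit:  # simplified form of -u
            continue
        ts = int(entry["__REALTIME_TIMESTAMP"]) / 1_000_000  # microseconds since epoch
        hits.append({
            "time": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(),
            "unit": decode_field(entry.get("_SYSTEMD_UNIT", "-")),
            "pid": decode_field(entry.get("_PID", "-")),
            "uid": decode_field(entry.get("_UID", "-")),
            "message": decode_field(entry.get("MESSAGE", "")),
        })
    return hits

# Constructed sample lines in the shape `journalctl -o json` prints (one object per line).
SAMPLE = [
    '{"__REALTIME_TIMESTAMP":"1672574400000000","PRIORITY":"3","_SYSTEMD_UNIT":"nginx.service","_PID":"1234","_UID":"1000","MESSAGE":"upstream timed out"}',
    '{"__REALTIME_TIMESTAMP":"1672574401000000","PRIORITY":"6","_SYSTEMD_UNIT":"nginx.service","_PID":"1234","_UID":"1000","MESSAGE":"reopening logs"}',
    '{"__REALTIME_TIMESTAMP":"1672574402000000","PRIORITY":"2","_SYSTEMD_UNIT":"sshd.service","_PID":"77","_UID":"0","MESSAGE":[98,97,100,32,255]}',
    '{"__REALTIME_TIMESTAMP":"1672574403000000","PRIORITY":"4","_SYSTEMD_UNIT":"cron.service","_PID":"90","_UID":"0","MESSAGE":null}',
]
if __name__ == "__main__":
    print(*select(SAMPLE), sep="\n")
```

On a live system the same function can read `journalctl -o json` line by line from standard input instead of `SAMPLE`.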
### 4. Display Complete Field Information
## Example
```bash
journalctl -o verbose
```
### 5. Filter by Specific Field
## Example
```bash
# Display logs for a specific process ID
journalctl _PID=1234
# Display logs for a specific user
journalctl _UID=1000
```
* * *
## Practical Tips
### 1. Combined Queries
## Example
```bash
# Query error logs for the nginx service since yesterday
journalctl -u nginx.service --since yesterday -p err
```
### 2. Paginated Viewing
## Example
```bash
journalctl | less
```
### 3. Export Logs to File
## Example
```bash
journalctl --since "2023-01-01" > journal.log
```
### 4. View Kernel Ring Buffer Messages
## Example
```bash
journalctl -k
```
### 5. View System Boot Process Logs
## Example
```bash
journalctl -b0 | grep "Starting"
```
* * *
## Troubleshooting
### Problem 1: Log Display Incomplete
**Solution**:
## Example
```bash
# Disable the pager so the output is printed in full
journalctl --no-pager
```
### Problem 2: How to View Rotated Old Logs?
**Solution**:
## Example
```bash
# Archived (rotated) journal files are read by default; -a additionally shows all fields in full
journalctl -a
```
### Problem 3: How to View Logs at Specific Time Point?
**Solution**:
## Example
```bash
# Query with precision to the second
journalctl --since "2023-01-01 12:00:00" --until "2023-01-01 12:05:00"
```
* * *