System logs are a vital resource for administrators and developers looking to monitor system performance, troubleshoot issues, and understand the events taking place within the system. On this article, we learn about how on Linux systems, the journalctl command provides an effective way to access and manage these logs.

Introduction to the journalctl Command

The journalctl command is a utility that allows users to view and interact with systemd journal logs. These logs include information from various sources, such as the kernel, initrd, system services, applications, and systemd itself. The logs are stored in a binary format and can be queried efficiently using journalctl.

The basic syntax of the journalctl command is as follows:

journalctl [options…] [matches…]

Viewing and Filtering Logs with journalctl

The most straightforward way to use journalctl is without any options. This will display all logged entries in chronological order:

$ journalctl

However, the output can be overwhelming, especially on systems with a long runtime. To make navigation easier, the output is automatically paginated using the less command. Use the Enter key to scroll line by line, or the Space key to scroll page by page. To exit the log output, press q on your keyboard.

To view logs in reverse chronological order (i.e., newest entries first), use the -r option:

$ journalctl -r

You can limit the number of displayed log entries by using the -n option followed by the number of lines you want to display. For example, to view the last 15 entries:

$ journalctl -n 15

To view only kernel-related messages, use the -k option:

$ journalctl -k

Logs can also be filtered by priority. Log levels range from 0 (emergency) to 7 (debug), with lower numbers indicating higher priority. Use the -p option to view logs of a specific level and above. For example, to view error, critical, alert, and emergency logs:

$ journalctl -p 3

To view logs from a specific system service, use the -u flag followed by the service name. For example, to view logs for the Apache service:

$ journalctl -u apache2.service

Working with Boot Logs

The journalctl command allows users to view logs from specific boot sessions. Each boot is logged separately, making it easy to isolate logs related to a particular boot. To see a list of all the logs from previous boots, use the –list-boots option:

$ journalctl –list-boots

To view logs from the previous system boot, use the -b option with the number -1. Specify a different number to view logs from older boots: