journalctl Queries Every Sysadmin Needs

By SumGuy 5 min read

Your server is on fire. Logs are everywhere. Systemd’s journalctl is your flashlight in the dark, but you can never remember the right flags.

Here are the queries you actually use at 2 AM when things are breaking.

The Basics

See all logs:

Terminal window
journalctl
# Pages through in less, oldest entries first (add -r for newest first)

Follow logs live (like tail -f):

Terminal window
journalctl -f

Don’t paginate (output all at once):

Terminal window
journalctl --no-pager
# Output is too long? Pipe to less manually:
journalctl | less

By Service: -u

Show logs for a specific systemd unit:

Terminal window
journalctl -u nginx
journalctl -u docker
journalctl -u ssh

Follow a service in real-time:

Terminal window
journalctl -u nginx -f

Multiple services:

Terminal window
journalctl -u nginx -u docker -u ssh

By Time: --since, --until

Last hour:

Terminal window
journalctl --since "1 hour ago"

Last 30 minutes:

Terminal window
journalctl --since "30 minutes ago"

Since a specific time:

Terminal window
journalctl --since "2025-04-16 14:30:00"

Between two times:

Terminal window
journalctl --since "2025-04-16 14:00:00" --until "2025-04-16 15:00:00"

Today:

Terminal window
journalctl --since today

Yesterday:

Terminal window
journalctl --since yesterday --until today

By Priority: -p

Show only errors:

Terminal window
journalctl -p err

Priority levels (high to low severity): emerg (0), alert (1), crit (2), err (3), warning (4), notice (5), info (6), debug (7).

Show warnings and higher:

Terminal window
journalctl -p warning
# Shows: emerg, alert, crit, err, warning

Show everything from info and up:

Terminal window
journalctl -p info

Combine with service:

Terminal window
journalctl -u nginx -p err
# Only errors from nginx

Kernel Logs: -k

Kernel messages only:

Terminal window
journalctl -k

Kernel errors in the last hour:

Terminal window
journalctl -k -p err --since "1 hour ago"

Great for finding out-of-memory kills or hardware issues:

Terminal window
journalctl -k -p err
# The kernel logs OOM kills at err level, so -p crit alone would filter them out

By Boot: -b

Current boot:

Terminal window
journalctl -b

Last boot:

Terminal window
journalctl -b -1

Two boots ago:

Terminal window
journalctl -b -2

All available boots:

Terminal window
journalctl --list-boots
# Lists boot numbers and timestamps

Search and Filter

Search for a string:

Terminal window
journalctl | grep "error"

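Better: use journalctl's built-in grep, -g / --grep (journalctl's grepping is faster):

Terminal window
journalctl -g "error"
# The pattern is a regex matched against the MESSAGE field; an all-lowercase pattern matches case-insensitively
journalctl -e
# Jump to the end of the journal in the pager
journalctl -n 50
# Show last 50 lines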

Search in a specific field:

Terminal window
# Find all logs from a specific process ID (the journal field is _PID, with a leading underscore)
journalctl _PID=1234
# Find all logs for a specific executable
journalctl /usr/bin/docker

JSON Output: -o json

Output as JSON (great for parsing):

Terminal window
journalctl -u nginx -o json

Pretty-printed JSON:

Terminal window
journalctl -u nginx -o json-pretty

Parse with jq:

Terminal window
journalctl -u nginx -o json | jq -r '.MESSAGE' | head -20

Practical Queries

Find crashed services

Terminal window
journalctl -p err --since today

Check why a service failed to start

Terminal window
journalctl -u myservice -n 100

Monitor a deployment

Terminal window
journalctl -u nginx -u docker -f --since "5 minutes ago"

Find disk-related errors

Terminal window
journalctl -k | grep -i disk

Check for OOM kills

Terminal window
journalctl -k | grep -i "out of memory"
# Or filter by priority first (OOM kills are logged at err, which -p crit would hide):
journalctl -k -p err | grep -i kill

See all systemd unit changes

Terminal window
journalctl /lib/systemd/systemd --since "30 minutes ago"

Find what crashed in the last hour

Terminal window
journalctl -p err --since "1 hour ago"

Log for a service over multiple boots

Terminal window
for b in -5 -4 -3 -2 -1; do journalctl -u myservice -b "$b" --no-pager; done
# -b takes a single boot, not a range, so loop from 5 boots ago to the last boot

Get logs since the last reboot

Terminal window
journalctl -b

Real-time monitoring of systemd startup

Terminal window
journalctl -u systemd-logind -u systemd-journald -f

The 2 AM Checklist

Server’s down. What do you check?

Terminal window
# 1. What just happened?
journalctl -p err --since "30 minutes ago" --no-pager
# 2. Check the service that's failing
journalctl -u myservice -n 50 --no-pager
# 3. Check system-level issues
journalctl -k -p crit --since "1 hour ago" --no-pager
# 4. Follow it live while you fix
journalctl -u myservice -f

Output Formats

Besides JSON, journalctl supports:

Terminal window
journalctl -o short # Default (concise)
journalctl -o short-iso # ISO timestamp format
journalctl -o verbose # Full details
journalctl -o cat # Message only, no metadata
journalctl -o json # JSON (one object per line)
journalctl -o json-pretty # Pretty JSON

-o cat is great for piping to grep or other tools:

Terminal window
journalctl -u nginx -o cat | grep "error"

Disk Usage

The journal can take up significant disk space. Check:

Terminal window
journalctl --disk-usage

Prune old logs:

Terminal window
# Keep only logs from the last 30 days
journalctl --vacuum-time=30d
# Keep only 1GB of logs
journalctl --vacuum-size=1G

The Real Power

Combine everything:

Terminal window
# Get all errors from the nginx service in the last 2 hours,
# output as JSON, and count them
journalctl -u nginx -p err --since "2 hours ago" -o json | jq -r '.MESSAGE' | sort | uniq -c | sort -rn
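
The jq pipelines above treat every MESSAGE as a plain string, but journalctl's JSON output emits non-UTF-8 or non-printable messages as byte arrays and oversized fields as null. The following is an added example, not code from the original post: it does the same error count in Python, groups by the journald-set `_SYSTEMD_UNIT` field, and strips control characters from log text before printing. The names `decode_field` and `count_errors` are hypothetical and `SAMPLE` is constructed input.

```python
import json
import sys
from collections import Counter

# Constructed sample of `journalctl -o json` output, one object per line.
SAMPLE = [
    '{"_SYSTEMD_UNIT":"nginx.service","PRIORITY":"3","MESSAGE":"upstream timed out"}',
    '{"_SYSTEMD_UNIT":"nginx.service","PRIORITY":"3","MESSAGE":"upstream timed out"}',
    '{"_SYSTEMD_UNIT":"nginx.service","PRIORITY":"6","MESSAGE":"worker started"}',
    # Non-UTF-8 / non-printable MESSAGE arrives as an array of byte values.
    '{"_SYSTEMD_UNIT":"nginx.service","PRIORITY":"3","MESSAGE":[98,97,100,32,27,91,50,74]}',
    # Oversized fields arrive as null unless journalctl is run with --all.
    '{"_SYSTEMD_UNIT":"nginx.service","PRIORITY":"2","MESSAGE":null}',
    '{"_SYSTEMD_UNIT":"nginx.serv',  # truncated line, e.g. from a cut-off pipe
]

def decode_field(value):
    """Return one journal JSON field as text that is safe to print."""
    if value is None:
        return "<omitted: field too large>"
    if isinstance(value, list) and all(isinstance(b, int) for b in value):
        value = bytes(value).decode("utf-8", "replace")  # raw byte array
    elif isinstance(value, list):  # the same field was logged more than once
        value = " | ".join(decode_field(v) for v in value)
    # Log text is attacker-influenced: replace control characters such as ESC.
    return "".join(c if c.isprintable() else "?" for c in str(value))

def count_errors(lines, max_priority=3):
    """Count (unit, message) pairs at priority <= max_priority (3 = err)."""
    counts, skipped = Counter(), 0
    for line in lines:
        if not line.strip():
            continue
        try:
            entry = json.loads(line)
            prio = int(entry.get("PRIORITY", 6))
        except (ValueError, TypeError, AttributeError):
            skipped += 1  # not a JSON object, or PRIORITY is not a number
            continue
        if prio <= max_priority:
            unit = decode_field(entry.get("_SYSTEMD_UNIT", "<no unit>"))
            counts[(unit, decode_field(entry.get("MESSAGE", "")))] += 1
    return counts, skipped

if __name__ == "__main__":
    counts, skipped = count_errors(SAMPLE if sys.stdin.isatty() else sys.stdin)
    for (unit, msg), n in counts.most_common():
        print(f"{n:6d}  {unit}  {msg}")
    print(f"skipped {skipped} unparsable line(s)", file=sys.stderr)
```

Run without piped input it processes the constructed sample; to use real data, pipe `journalctl -u nginx --since "2 hours ago" -o json` into the script.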

Or monitor multiple services for errors:

Terminal window
# Watch for any errors in critical services
journalctl -u docker -u nginx -u postgresql -p err -f --since "5 minutes ago"

journalctl is systemd’s superpower. Learn these commands and you’ll never be blind when things break. Your 2 AM self will absolutely thank you.

