How to read and filter journald logs

Topic: Servers linux

Use journalctl to view systemd journal logs by unit, time, priority, or boot. Follow logs in real time, filter by service name, and export for debugging. Use this when diagnosing service failures, boot issues, or security events.

Intent: How-to

Quick answer

  • journalctl -u nginx -f follows the nginx unit; journalctl -b shows current boot; journalctl -b -1 shows previous boot; journalctl -p err shows priority err and above.
  • Filter by time: journalctl --since '2024-01-15' --until '2024-01-16'; by exe: journalctl /usr/sbin/sshd. Export with journalctl -u nginx -o short-iso > nginx.log.
  • Journal lives in /var/log/journal (persistent) or /run/log/journal (volatile); ensure Storage=persistent in /etc/systemd/journald.conf if you need logs across reboots.

Prerequisites

Steps

  1. View by unit and follow

    journalctl -u nginx -f to follow nginx logs; -n 100 for last 100 lines; --no-pager for pipe. Combine: journalctl -u nginx -p err -n 50.

  2. Filter by boot and time

    journalctl -b for this boot; -b -1 for previous boot; --since '1 hour ago' or --until '2024-01-15 12:00'. Use -e to jump to end of output.

  3. Export and persist

    journalctl -u nginx -o short-iso > nginx.log. For persistent storage across reboots, set Storage=persistent in /etc/systemd/journald.conf and restart journald; logs go to /var/log/journal.

Summary

Use journalctl to read and filter systemd logs by unit, boot, time, or priority. Follow logs in real time and export when needed. Use this to debug services and boot issues.

Prerequisites

Steps

Step 1: View by unit and follow

journalctl -u nginx -f
journalctl -u nginx -n 100 --no-pager
journalctl -u nginx -p err

Step 2: Filter by boot and time

journalctl -b
journalctl -b -1
journalctl --since "1 hour ago"

Step 3: Export and persist

journalctl -u nginx -o short-iso > nginx.log

Set Storage=persistent in /etc/systemd/journald.conf if logs must survive reboot.

Verification

  • You can show logs for a unit, a boot, or a time range; output matches the filters you set.

Troubleshooting

No logs for unit — Unit may not exist or never started; check systemctl status. Previous boot empty — Volatile journal; set Storage=persistent and restart journald. Disk full — Reduce journal size with journald.conf or vacuum; see Disk usage and cleanup.

Next steps

Continue to