systemd Journal
Modern Linux systems using systemd store logs in a binary journal (/var/log/journal/) accessible via journalctl. The journal aggregates kernel messages, service logs, and boot information in a single searchable store with rich structured metadata.
journalctl Command Reference
```bash
## ── BASIC NAVIGATION ──────────────────────────────────
journalctl                      # all logs, oldest first
journalctl -r                   # reverse — newest first
journalctl -f                   # follow live (like tail -f)
journalctl -n 100               # last 100 lines
journalctl --no-pager           # don't use pager (useful in scripts)

## ── FILTER BY SERVICE UNIT ────────────────────────────
journalctl -u nginx.service
journalctl -u nginx -u php8.1-fpm   # multiple units
journalctl -u 'apache*'             # glob pattern
journalctl -f -u mysql              # live follow for mysql

## ── FILTER BY TIME ────────────────────────────────────
journalctl --since "2025-04-10 15:00:00" --until "2025-04-10 16:00:00"
journalctl --since "1 hour ago"
journalctl --since today
journalctl --since yesterday

## ── FILTER BY PRIORITY ────────────────────────────────
journalctl -p err               # errors and above (0-3)
journalctl -p warning           # warnings and above (0-4)
journalctl -p 0..3              # numeric range

## ── FILTER BY PROCESS / USER ──────────────────────────
journalctl _PID=1234
journalctl _UID=0               # all root-owned processes
journalctl _COMM=nginx          # by command name
journalctl _EXE=/usr/sbin/nginx

## ── KERNEL MESSAGES ───────────────────────────────────
journalctl -k                   # kernel messages only (like dmesg)
journalctl -k --since "1 hour ago"

## ── BOOT LOGS ─────────────────────────────────────────
journalctl -b                   # current boot
journalctl -b -1                # previous boot
journalctl -b -2                # two boots ago
journalctl --list-boots         # list all stored boots with IDs

## ── OUTPUT FORMATS ────────────────────────────────────
journalctl -o json              # JSON, one object per line (NDJSON)
journalctl -o json-pretty       # pretty-printed JSON
journalctl -o verbose           # all metadata fields visible
journalctl -o short-iso         # ISO 8601 timestamps
journalctl -o short-monotonic   # monotonic clock timestamps
journalctl -o cat               # message text only, no metadata
journalctl -o export            # binary export format for archiving

## ── DISK USAGE & MAINTENANCE ──────────────────────────
journalctl --disk-usage         # how much disk the journal uses
journalctl --vacuum-size=500M   # reduce journal to 500MB
journalctl --vacuum-time=30d    # remove entries older than 30 days

## ── EXPORT FOR ANALYSIS ───────────────────────────────
journalctl -u nginx --since today -o json > /tmp/nginx_today.jsonl
journalctl -p err --since "7 days ago" -o json | jq '.MESSAGE' | sort | uniq -c | sort -rn
```
Journal Structured Field Reference
Each journal entry is a set of key=value pairs. Use journalctl -o verbose to see all fields for an entry. Fields starting with _ (underscore) are trusted — set by journald, not the logging process.
| Field | Trusted | Meaning |
|---|---|---|
| MESSAGE | | Human-readable log message text. The primary log content. |
| MESSAGE_ID | | 128-bit UUID identifying the message type. Consistent across machines for the same event. |
| PRIORITY | | Syslog priority integer: 0=emergency, 1=alert, 2=crit, 3=error, 4=warning, 5=notice, 6=info, 7=debug. |
| _PID | ✓ | PID of the process that generated this message. Set by journald — cannot be spoofed. |
| _UID | ✓ | UID of the logging process. 0 = root. |
| _GID | ✓ | GID of the logging process. |
| _COMM | ✓ | Command name (executable basename) of the logging process. |
| _EXE | ✓ | Full path to the executable. |
| _CMDLINE | ✓ | Full command line including arguments. |
| _SYSTEMD_UNIT | ✓ | systemd service unit name. E.g. nginx.service, sshd.service. |
| _SYSTEMD_CGROUP | ✓ | Control group path for the process. |
| __REALTIME_TIMESTAMP | ✓ | Unix timestamp in microseconds (wall clock). Authoritative — set by journald on receipt. |
| __MONOTONIC_TIMESTAMP | ✓ | Monotonic clock since boot in microseconds. For precise event ordering within one boot. |
| _HOSTNAME | ✓ | Hostname of the machine. Critical when aggregating logs from multiple servers centrally. |
| _TRANSPORT | ✓ | How message arrived: syslog, kernel, journal, stdout, stderr, audit. |
| SYSLOG_FACILITY | | Syslog facility number: 0=kern, 3=daemon, 4=auth, 7=lpr, 16-23=local0-7. |
| SYSLOG_IDENTIFIER | | Application identifier passed to syslog(). E.g. sshd, nginx. |
| SYSLOG_PID | | PID as reported by the application via syslog. May differ from _PID. |
| _BOOT_ID | ✓ | 128-bit UUID identifying the boot session. Changes on reboot. Use with journalctl -b. |
| _MACHINE_ID | ✓ | Persistent machine identifier from /etc/machine-id. Stable across reboots. |
| _KERNEL_DEVICE | ✓ | Kernel device path for kernel log messages. |
| _KERNEL_SUBSYSTEM | ✓ | Kernel subsystem that generated the message (e.g., net, block). |
| CODE_FILE / CODE_LINE / CODE_FUNC | | Source location (file, line number, function) when logged via sd_journal_send(). |
| _AUDIT_SESSION | ✓ | Linux audit session number (for audit-subsystem entries). |
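
The trusted/untrusted split in the table is what lets a reviewer catch entries whose self-reported identity disagrees with what journald recorded. The following is an added example, not part of the original page: it parses `journalctl -o json` output and flags such entries for review. The sample entries and all function names are constructed for illustration, and a mismatch is a prompt to look closer, not proof of tampering.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample of `journalctl -o json` output (not real log data).
SAMPLE = "\n".join([
    '{"__REALTIME_TIMESTAMP":"1744297200000000","_PID":"812","_UID":"0","_COMM":"sshd",'
    '"SYSLOG_IDENTIFIER":"sshd","SYSLOG_PID":"812","MESSAGE":"Accepted publickey for alice"}',
    '{"__REALTIME_TIMESTAMP":"1744297260000000","_PID":"4021","_UID":"1001","_COMM":"logger",'
    '"SYSLOG_IDENTIFIER":"sshd","SYSLOG_PID":"812","MESSAGE":"Accepted password for root"}',
    '{"__REALTIME_TIMESTAMP":"1744297320000000","_PID":"977","_UID":"33","_COMM":"nginx",'
    '"SYSLOG_IDENTIFIER":"nginx","MESSAGE":[117,112,115,116,114,101,97,109]}',
])

EPOCH = datetime.fromtimestamp(0, tz=timezone.utc)

def text(value):
    """-o json emits values that are not valid UTF-8 as an array of byte numbers."""
    if isinstance(value, list) and all(isinstance(b, int) for b in value):
        return bytes(value).decode("utf-8", "replace")
    return value

def identity_mismatches(entry):
    """Compare what the sender claimed with what journald recorded itself."""
    found = []
    claimed_pid, real_pid = entry.get("SYSLOG_PID"), entry.get("_PID")
    if claimed_pid is not None and claimed_pid != real_pid:
        found.append(f"SYSLOG_PID={claimed_pid} but _PID={real_pid}")
    ident, comm = entry.get("SYSLOG_IDENTIFIER"), entry.get("_COMM")
    # The kernel truncates _COMM to 15 characters, so compare on that prefix.
    if isinstance(ident, str) and isinstance(comm, str) and ident[:15].lower() != comm.lower():
        found.append(f"SYSLOG_IDENTIFIER={ident} but _COMM={comm}")
    return found

def review(ndjson):
    """Return one record per entry whose claimed identity disagrees with trusted fields."""
    flagged = []
    for line in filter(None, map(str.strip, ndjson.splitlines())):
        entry = json.loads(line)
        found = identity_mismatches(entry)
        if found:
            when = EPOCH + timedelta(microseconds=int(entry["__REALTIME_TIMESTAMP"]))
            flagged.append({"time": when.isoformat(), "pid": entry.get("_PID"),
                            "uid": entry.get("_UID"), "message": text(entry.get("MESSAGE")),
                            "findings": found})
    return flagged

if __name__ == "__main__":
    for hit in review(SAMPLE):
        print(hit["time"], f"pid={hit['pid']} uid={hit['uid']}", hit["message"], hit["findings"])
```

Legitimate tools also produce mismatches (for example anything that logs under a custom tag), so tune the comparison to the identifiers that matter for your alerts, such as authentication daemons.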
💡 Persist Journals Across Reboots
By default on some distros, journals are stored in memory only (/run/log/journal/) and lost on reboot. To persist them, create the directory and then restart journald:

```bash
mkdir -p /var/log/journal && systemd-tmpfiles --create --prefix /var/log/journal
systemctl restart systemd-journald
```