Log Querying

On systemd-based Linux systems, journalctl is the primary tool for reading logs collected by the systemd journal. It aggregates logs from the kernel, services, and applications into one place. For distros or services that still write to flat files, the traditional logs under /var/log remain the source of truth.

View All Logs (Most Recent First)

By default journalctl pages from oldest to newest. The -r flag reverses that so you see the latest entries immediately.

journalctl -r

Follow Logs in Real Time

-f tails the journal and streams new entries as they arrive, similar to tail -f on a file.

journalctl -f

Filter by Service (Unit)

Use -u to scope the output to a single systemd unit. This is the most common way to debug a specific service.

journalctl -u nginx
journalctl -u nginx -f # follow in real time

Filter by Time Range

Narrow output to a specific window using --since and --until. Timestamps can be absolute or relative.

journalctl --since "2024-01-01 00:00:00" --until "2024-01-02 00:00:00"

# Relative shortcuts
journalctl --since "1 hour ago"
journalctl --since today

Filter by Priority

Logs have a severity level inherited from syslog. Use -p to filter by level — only entries at that level or more severe will be shown.

# Levels (most to least severe): emerg, alert, crit, err, warning, notice, info, debug
journalctl -p err # errors and above
journalctl -p warning..err # warnings through errors only

Show Logs for Current Boot

Limits output to entries from the current boot session — useful for diagnosing startup issues.

journalctl -b

Show Logs from a Previous Boot

If the system has crashed or rebooted unexpectedly, you can inspect logs from earlier sessions.

# List available boots with their timestamps
journalctl --list-boots

# View by index (0 = current, -1 = previous, etc.)
journalctl -b -1
journalctl -b -2

Search Log Content

Pipe journalctl output into grep to find specific strings. Combining this with a time filter keeps it fast.

journalctl | grep "Failed password"

# Limit to recent logs to avoid scanning everything
journalctl --since "1 hour ago" | grep -i error

View Kernel Messages

-k filters to kernel ring buffer messages only — equivalent to dmesg but with journalctl’s filtering options available.

journalctl -k

Query Raw Log Files

Some services (and older distros) still write directly to /var/log rather than the systemd journal. The paths differ slightly between distro families.

# Auth/SSH logs — failed logins, sudo usage, etc.
tail -n 100 /var/log/auth.log # Debian/Ubuntu
tail -n 100 /var/log/secure # RHEL/CentOS

# General system messages
tail -n 100 /var/log/syslog # Debian/Ubuntu
tail -n 100 /var/log/messages # RHEL/CentOS

# Application-specific — follow in real time
tail -f /var/log/nginx/access.log
tail -f /var/log/nginx/error.log
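
Added example (not part of the original page): a shell function that turns the "Failed password" search from Search Log Content into a per-source count, reading either journalctl output or the flat auth.log / secure files on stdin. The function names, the threshold and the sample lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; function names, threshold and sample lines are assumptions.

# failed_ssh_by_source [THRESHOLD]
# Reads sshd log lines on stdin and prints "COUNT SOURCE" for every source
# address with at least THRESHOLD "Failed password" entries, busiest first.
failed_ssh_by_source() {
    threshold="${1:-5}"
    awk -v min="$threshold" '
        # sshd ends these lines with: from <addr> port <n> ssh2
        # Take the address by position from the END of the line: the user
        # name earlier in the line is supplied by the remote client and may
        # contain spaces or the words "from" and "port".
        /sshd[^ ]*\[[0-9]+\]: Failed password for / &&
        $(NF-4) == "from" && $(NF-2) == "port" {
            count[$(NF-3)]++
        }
        END {
            for (src in count)
                if (count[src] >= min)
                    print count[src], src
        }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample lines using documentation address ranges, not real logs.
sample_auth_log() {
    cat <<'EOF'
Jan 10 12:00:01 web1 sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 10 12:00:03 web1 sshd[1202]: Failed password for root from 203.0.113.5 port 51236 ssh2
Jan 10 12:00:05 web1 sshd[1203]: Failed password for invalid user from 198.51.100.9 port 22 from 203.0.113.5 port 51240 ssh2
Jan 10 12:00:09 web1 sshd[1204]: Failed password for root from 192.0.2.44 port 40112 ssh2
Jan 10 12:01:00 web1 sshd[1210]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2
EOF
}

# Live use (unit is "ssh" on Debian/Ubuntu, "sshd" on RHEL-family systems):
#   journalctl -u ssh --since "1 hour ago" | failed_ssh_by_source 5
#   failed_ssh_by_source 5 < /var/log/auth.log
sample_auth_log | failed_ssh_by_source 3    # prints: 3 203.0.113.5
```

The third sample line carries a user name that itself contains "from ... port ..."; counting from the end of the line attributes it to the real source address rather than to the one embedded in the name.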

Export Logs to a File

Redirect journalctl output to a file for sharing or offline analysis.

journalctl -u nginx --since today > /tmp/nginx-today.log