Your /home for Linux-related Fun and Learning!

journalctl Basics: How to Easily Check Your Linux Logs

With the Linux Crash Course series, you’ll learn valuable Linux skills – one video at a time. In this episode, you’ll learn the basics of the journalctl command – which is the standard for viewing log files going forward.

YouTube player

What is journalctl?

First, I want to talk a bit more about what journalctl is, as well as how it fits in within the Linux ecosystem.

The journalctl command is most used by system administrators, as well as anyone else that uses Linux for anything beyond the basics.

Within each Linux system, is a ton of background processes that do various things. These services range from those that enable you to playback audio, to those that enable server-related services such as OpenSSH and Apache.

Every Linux installation has services that run and perform various tasks, and while they do their thing they output important information into log files. Administrators can inspect these log files to ensure that something is running properly, and logs can be indispensible when dealing with a breach and trying to figure out what’s been changed on the system. Sometimes, we’ll need to interact with services to restart them, such as restarting an apache web server when we change configuration.

The journalctl command can be used to view the log files that services produce, and it also gives us some additional flexibility, such as being able to follow logs to see the latest information as its written. We can view system logs, logs for services, and we can even hone in on logs that are produced by a particular user.

Before we go any further, I wanted to bring up the fact that not every distribution has the journalctl command available. Most do nowadays, but journalctl is a command that’s only useful if you’re using a distribution that features systemd. For distributions that do support it, the journalctl command will be available by default.

command -v journalctl

For those of you that have no idea what I’m talking about when I mentioned systemd, it’s a special process that’s known as an init system. To keep the explanation simple, an init system is a special process that controls all other processes. Most distributions nowadays have switched to systemd, and by association also include the journalctl command. If your distribution doesn’t use systemd, then this entire article won’t apply to you. Still, I recommend you learn the basics, because even if the journalctl command isn’t available, it’s only a matter of time before you end up using a distro that includes it. When it comes to the more popular distributions such as Arch Linux, Ubuntu, Debian, Linux Mint, Fedora, Rocky, AlmaLinux OS, openSUSE and many others all use systemd as their init system, which means the journalctl command applies.

For those of you that are just starting out, to summarize this, journalctl is a part of systemd, and most distributions use systemd to control processes. On any system that uses systemd, which is most distributions, the journalctl command is automatically available to you without you needing to install anything, and it’s the primary method for viewing log files going forward.

Also, I’d like to define the term “Unit” as it pertains to Systemd. Systemd works with units, and each unit is a type of resource. One type of unit is known as a service, which is another name for a process that runs in the background. For example, if you install NGINX, a systemd service, for it automatically gets installed too. A service in systemd defines how something should run.

However, to keep things simple, I’m going to use the term service to refer to any process we’re inspecting with journalctl. I could go into much more detail about Systemd, but I won’t – because I already created a video that does exactly that. So if you want to learn more about Systemd, check out that video.

The basics of journalctl

With all of that out of the way, let’s get started with journalctl.

The most basic usage is to run journalctl by itself with no options:

journalctl

This isn’t the most useful example, but it’s a great place to start. If we enter journalctl by itself, we’ll see log output for just about anything. Without providing options, we’re not instructing journalctl to narrow the output down to anything, so it gives us everything. We can use the up and down arrows to scroll through the output, and the page up and page down buttons also work here. When we’re finished, we can press Q to return back to the command prompt.

Next, let’s look at our first option. If we add the -f option, we enable follow mode:

journalctl -f

With follow mode active, we don’t have to scroll through the output, it’ll scroll automatically as new log entries are created. Again, this isn’t all that useful either, because unless we narrow down what we want to look at, we’re just going to see a bunch of information that’s not relevant to whatever it is we’re looking for. Let’s press CTRL+C to break out of follow mode.

So, let’s make this a bit more interesting, and by doing so if you’re confused about anything from my earlier description, it’ll probably clear up shortly. Anyway, what we want to do now is focus on a specific service. It doesn’t matter which one, but what I’ll do is install Apache so that way we’ll have something specific to look at.

And randomly, I’ll install apache:

sudo apt install apache2

I’m using a Debian system, but I’ll leave some commands on the screen for installing Apache on other distros. After we install Apache, the remainder of the commands in this video will be universal.

Now that we have Apache installed, let’s make sure that it’s running:

systemctl status apache2

In the output here, we can see that apache is running. This command in particular doesn’t have anything to do with journalctl, but we need to make sure a service is actually running before log entries will even occur in the first place.

If for some reason it’s not, we can start it with the following command:

sudo systemctl start apache2

Anyway, let’s bring this back to journalctl. Earlier, we were using journalctl without specifying anything we want to look at. Now that we’ve installed Apache, we have something we can focus on.

So, we can view log output specific to apache with the following command:

journalctl -u apache2

Now, we see a lot less output. That’s because we added the -u option, which means we want to watch log output for a specific unit, in this case the Apache service.

Just like earlier, we can use the up and down arrows to view scroll through the output, and then press q to quit when we’re done looking at it.

In addition, we can also use follow mode as well:

journalctl -u apache2 -f

Just like before, we’ll follow new logging output as it happens. Not much is happening right now though, so another example I’ll give you is watching output from OpenSSH.

journalctl -u ssh -f

In another window, what I’ll do is attempt to access the same server via SSH.

In this case, I typed the password incorrectly a few times on purpose. Each time I attempted, you can see output was shown while watching the output of SSH. And this is a common example actually, suppose you have someone that asks you why they can’t access the server via SSH. You can then watch the SSH log and have them try again, and as you’re watching the log you’ll see output that might explain what the person is doing wrong. In this case, the wrong password was being entered.

Let’s see some other useful options we can use with journalctl. And the first of these that I’ll show you is several methods of viewing log entries from a particular point in time. Here’s an example of viewing log output starting from a specific date:

journalctl --since "2025-03-01 12:00:00"

In this case, we’re viewing log output since March 1st. This might be useful if you’re investigating an issue that happened within a particular window of time, so that way you can avoid looking at log entries that are older than the event you’re investigating.

You can also use other keywords, such as these:

journalctl -u ssh --since "yesterday"

And another example:

journalctl -u ssh --since "1 hour ago"

Continuing, let’s see an example of viewing log output generated by a particular user. Perhaps you see a user account on your system that you’re not familiar with, and you want to find out what it’s doing.

First, we’ll need to find the User ID (UID) of the user we’re curious about. I’ll use mine as an example.

id -u jay

My UID is UID 1000, as you can see. So, if I wanted to limit the output of journalctl to just the entries this user generated, I can do so with the following command”

journalctl _UID=1000

Before I end this article, I wanted to show you a trick that can come in handy if logging it taking up too much space. Over time, depending on how your distribution is configured, Systemd journals can take up quite a bit of space. Luckily for us, we can choose an arbitrary size and crunch journal entries down to just that size:

journalctl --vacuum-size=500M

If you find the journal is taking up a lot of space, that can help you out. Just be careful before removing logs, as you might lose important information or possibly be in violation of retention requirements. For that reason, I only recommend you clear logs if you absolutely have to.

New Book Coming Soon!

Linux is one of the best decisions you can make for your computer — but knowing where to start is the hard part. This guide walks you through everything: choosing a distribution, installing it, and using it confidently every day. It’ll be released very soon!

Join the Announcement List
Get Some Awesome Stuff!
Members-only Perks

Becoming a member gives you access to exclusive perks:

  • Ad-free Content
  • Early access to select videos
  • Discord access

And more!

Join on YouTube
Become a Patron
Join on Fourthwall