journalctl Configuration for Log Analysis
Introduction
journalctl is the powerful command-line utility for querying and analyzing logs collected by systemd's journald logging service. Unlike traditional text-based logging systems, journald stores logs in a binary format with rich metadata, enabling sophisticated filtering, searching, and analysis capabilities that far exceed what's possible with simple text logs.
Modern Linux distributions using systemd have replaced traditional syslog with journald as the primary logging mechanism. journald captures everything from kernel messages and system services to user applications, storing all logs in a structured, indexed format that journalctl makes accessible. This unified logging approach simplifies log management and provides powerful analysis tools directly from the command line.
This comprehensive guide teaches you how to master journalctl for effective log analysis, from basic queries to advanced filtering, troubleshooting techniques, performance optimization, and integration with monitoring systems. Whether you're diagnosing service failures, investigating security incidents, or analyzing system performance, journalctl provides the tools needed for deep operational insights.
Prerequisites
Before mastering journalctl, ensure you have:
- A Linux distribution using systemd (Ubuntu 16.04+, Debian 8+, CentOS 7+, Rocky Linux 8+)
- Root or sudo access to read protected logs
- Basic understanding of systemd and services
- Familiarity with Linux command line
- Understanding of log levels and facilities
Verify journald is running:
# Check systemd-journald status
sudo systemctl status systemd-journald
# Verify journalctl is available
which journalctl
journalctl --version
# Check journal disk usage
journalctl --disk-usage
Understanding journald Architecture
journald vs Traditional Syslog
journald advantages:
- Binary, indexed storage for fast searching
- Rich metadata (timestamps, PIDs, UIDs, etc.)
- Automatic log rotation and cleanup
- Boot-based log organization
- Structured logging support
- Integrated with systemd services
Log storage locations:
- Runtime logs:
/run/log/journal/(volatile, cleared on reboot) - Persistent logs:
/var/log/journal/(survives reboots)
Check current configuration:
# View journald configuration
cat /etc/systemd/journald.conf
# Check if persistence is enabled
ls -ld /var/log/journal
Basic journalctl Usage
Viewing Logs
Basic log viewing:
# View all logs (oldest first)
journalctl
# View with pager (default)
journalctl
# View without pager
journalctl --no-pager
# Follow logs (like tail -f)
journalctl -f
# Reverse order (newest first)
journalctl -r
# Last N lines
journalctl -n 50
# Last 100 lines in reverse
journalctl -r -n 100
Output formatting:
# Short format (default)
journalctl -o short
# Verbose format (all metadata)
journalctl -o verbose
# JSON format
journalctl -o json
# Pretty JSON
journalctl -o json-pretty
# Export format (binary)
journalctl -o export
# Cat format (no metadata)
journalctl -o cat
Time-Based Filtering
Filter by time:
# Logs since specific date/time
journalctl --since "2024-01-11 10:00:00"
# Logs until specific date/time
journalctl --until "2024-01-11 15:00:00"
# Date range
journalctl --since "2024-01-11 10:00:00" --until "2024-01-11 15:00:00"
# Relative times
journalctl --since "1 hour ago"
journalctl --since "2 hours ago"
journalctl --since "30 minutes ago"
journalctl --since today
journalctl --since yesterday
journalctl --since "2 days ago"
# Combine with until
journalctl --since yesterday --until today
Time format examples:
# Different time formats supported
journalctl --since "2024-01-11"
journalctl --since "2024-01-11 10:00"
journalctl --since "2024-01-11 10:00:00"
journalctl --since "10:00"
journalctl --since "yesterday 10:00"
journalctl --since "3 days ago" --until "2 days ago"
Unit-Based Filtering
Filter by service/unit:
# Logs for specific service
journalctl -u nginx
# Multiple services
journalctl -u nginx -u mysql
# Follow service logs
journalctl -u nginx -f
# Service logs since boot
journalctl -u nginx -b
# Service logs for specific boot
journalctl -u nginx -b -1 # Previous boot
journalctl -u nginx -b 0 # Current boot
System units:
# Kernel messages
journalctl -k
# User session
journalctl --user
# Specific user
journalctl _UID=1000
# System slice (all system services)
journalctl _SYSTEMD_SLICE=system.slice
Advanced Filtering
Priority Filtering
Filter by log level:
# Emergency (0)
journalctl -p emerg
# Alert (1)
journalctl -p alert
# Critical (2)
journalctl -p crit
# Error (3)
journalctl -p err
# Warning (4)
journalctl -p warning
# Notice (5)
journalctl -p notice
# Info (6)
journalctl -p info
# Debug (7)
journalctl -p debug
# Range: warning and above (0-4)
journalctl -p warning
# Range: error and above (0-3)
journalctl -p err
Combine priority with service:
# Nginx errors only
journalctl -u nginx -p err
# MySQL warnings and above
journalctl -u mysql -p warning
# System critical messages
journalctl -p crit -b
Field-Based Filtering
Filter by specific fields:
# By process ID
journalctl _PID=1234
# By executable
journalctl _COMM=nginx
# By executable path
journalctl _EXE=/usr/sbin/nginx
# By command line
journalctl _CMDLINE=/usr/sbin/nginx
# By systemd unit
journalctl _SYSTEMD_UNIT=nginx.service
# By hostname
journalctl _HOSTNAME=server1
# By syslog identifier
journalctl SYSLOG_IDENTIFIER=nginx
# By user ID
journalctl _UID=1000
# By group ID
journalctl _GID=33
Combine multiple fields:
# Nginx logs for specific PID
journalctl _COMM=nginx _PID=1234
# Apache errors from today
journalctl -u apache2 -p err --since today
# SSH logs for specific user
journalctl -u sshd SYSLOG_IDENTIFIER=sshd | grep "user@"
Pattern Matching
Search for specific text:
# Grep-like search
journalctl -g "error"
# Case-insensitive
journalctl -g "(?i)error"
# Regular expression
journalctl -g "error|warning|critical"
# Combine with unit
journalctl -u nginx -g "404"
# Search since specific time
journalctl --since today -g "Failed password"
Boot-Based Analysis
Managing Boot Logs
View boot logs:
# List all boots
journalctl --list-boots
# Current boot logs
journalctl -b
journalctl -b 0
# Previous boot
journalctl -b -1
# Specific boot (use ID from --list-boots)
journalctl -b 2a3b4c5d
# Boot logs with timestamp
journalctl -b --since "2024-01-11"
Analyze boot issues:
# Show boot messages
journalctl -b -p err
# Failed services during boot
journalctl -b -u systemd | grep -i failed
# Boot time analysis
journalctl -b | head -50
# Kernel messages during boot
journalctl -b -k
Boot Statistics
#!/bin/bash
# boot-analysis.sh - Analyze boot logs
BOOT_ID=$(journalctl --list-boots | head -n 2 | tail -n 1 | awk '{print $2}')
echo "Boot Analysis for Boot ID: $BOOT_ID"
echo "===================================="
# Boot time
BOOT_TIME=$(journalctl -b "$BOOT_ID" --no-pager | head -n 1 | awk '{print $1, $2, $3}')
echo "Boot Time: $BOOT_TIME"
# Error count
ERROR_COUNT=$(journalctl -b "$BOOT_ID" -p err --no-pager | wc -l)
echo "Errors: $ERROR_COUNT"
# Warning count
WARNING_COUNT=$(journalctl -b "$BOOT_ID" -p warning --no-pager | wc -l)
echo "Warnings: $WARNING_COUNT"
# Failed services
echo ""
echo "Failed Services:"
journalctl -b "$BOOT_ID" -p err --no-pager | grep -i "failed" | awk '{print $5}' | sort -u
# Boot messages timeline
echo ""
echo "Boot Timeline (First 20 events):"
journalctl -b "$BOOT_ID" --no-pager | head -20
Practical Log Analysis Examples
Security Analysis
Failed login attempts:
# All failed SSH logins
journalctl -u sshd | grep "Failed password"
# Failed logins since yesterday
journalctl -u sshd --since yesterday | grep "Failed password"
# Count by IP address
journalctl -u sshd --since today | grep "Failed password" | \
grep -oE '\b([0-9]{1,3}\.){3}[0-9]{1,3}\b' | sort | uniq -c | sort -rn
# Failed sudo attempts
journalctl | grep "sudo.*incorrect password"
# Authentication failures
journalctl -u systemd-logind | grep "authentication failure"
Security events monitoring:
#!/bin/bash
# security-analysis.sh - Analyze security logs
echo "Security Log Analysis"
echo "===================="
echo "Period: Last 24 hours"
echo ""
# Failed SSH logins
echo "Failed SSH Login Attempts:"
FAILED_SSH=$(journalctl -u sshd --since "24 hours ago" | grep -c "Failed password")
echo " Total: $FAILED_SSH"
if [ "$FAILED_SSH" -gt 0 ]; then
echo " Top source IPs:"
journalctl -u sshd --since "24 hours ago" | grep "Failed password" | \
grep -oE '\b([0-9]{1,3}\.){3}[0-9]{1,3}\b' | sort | uniq -c | sort -rn | head -5 | \
awk '{print " " $2 ": " $1 " attempts"}'
fi
echo ""
# Sudo usage
echo "Sudo Command Usage:"
SUDO_COUNT=$(journalctl --since "24 hours ago" | grep -c "sudo.*COMMAND")
echo " Total sudo commands: $SUDO_COUNT"
echo ""
# Firewall blocks
echo "Firewall Blocks:"
FW_BLOCKS=$(journalctl -k --since "24 hours ago" | grep -c "BLOCK\|DROP\|REJECT")
echo " Total: $FW_BLOCKS"
Application Error Analysis
Find application errors:
# All errors for nginx
journalctl -u nginx -p err
# Errors with context
journalctl -u nginx -p err -n 100
# Errors in last hour
journalctl -u nginx -p err --since "1 hour ago"
# Count errors by message
journalctl -u nginx -p err --since today --no-pager | \
awk -F']: ' '{print $2}' | sort | uniq -c | sort -rn
# Extract error messages only
journalctl -u nginx -p err -o cat
Database errors:
# MySQL errors
journalctl -u mysql -p err
# Connection errors
journalctl -u mysql | grep -i "connection"
# Deadlock detection
journalctl -u mysql | grep -i "deadlock"
# Slow queries
journalctl -u mysql | grep -i "slow"
Performance Analysis
Resource-related logs:
# Out of memory events
journalctl -k | grep -i "out of memory"
# OOM killer events
journalctl -k | grep "oom-killer"
# Disk I/O issues
journalctl -k | grep -i "I/O error"
# High load warnings
journalctl | grep -i "high load"
Service performance:
#!/bin/bash
# service-performance-logs.sh
SERVICE="$1"
if [ -z "$SERVICE" ]; then
echo "Usage: $0 <service-name>"
exit 1
fi
echo "Performance Analysis for $SERVICE"
echo "================================="
# Restart count
RESTART_COUNT=$(journalctl -u "$SERVICE" --since today | grep -c "Started")
echo "Restarts today: $RESTART_COUNT"
# Error count
ERROR_COUNT=$(journalctl -u "$SERVICE" --since today -p err --no-pager | wc -l)
echo "Errors today: $ERROR_COUNT"
# Warning count
WARN_COUNT=$(journalctl -u "$SERVICE" --since today -p warning --no-pager | wc -l)
echo "Warnings today: $WARN_COUNT"
# Average startup time (if logged)
echo ""
echo "Recent starts:"
journalctl -u "$SERVICE" --since "1 week ago" | grep "Started" | tail -5
# Recent errors
if [ "$ERROR_COUNT" -gt 0 ]; then
echo ""
echo "Recent errors:"
journalctl -u "$SERVICE" --since today -p err --no-pager | tail -10
fi
journald Configuration
Configure Persistent Storage
Enable persistent logging:
# Create journal directory
sudo mkdir -p /var/log/journal
# Set permissions
sudo systemd-tmpfiles --create --prefix /var/log/journal
# Edit journald configuration
sudo nano /etc/systemd/journald.conf
[Journal]
Storage=persistent
Compress=yes
Seal=yes
SplitMode=uid
Restart journald:
sudo systemctl restart systemd-journald
# Verify persistent storage
ls -l /var/log/journal/
Configure Log Retention
Storage limits:
sudo nano /etc/systemd/journald.conf
[Journal]
# Maximum disk space for all journal files
SystemMaxUse=1G
# Keep at least this much free
SystemKeepFree=2G
# Maximum size of single journal file
SystemMaxFileSize=100M
# Maximum number of journal files
SystemMaxFiles=100
# How long to keep old entries
MaxRetentionSec=1month
# Maximum age of volatile logs
RuntimeMaxUse=100M
Apply changes:
sudo systemctl restart systemd-journald
# Verify settings
journalctl --disk-usage
journalctl --vacuum-size=500M
journalctl --vacuum-time=2weeks
Forwarding to Syslog
Configure forwarding:
sudo nano /etc/systemd/journald.conf
[Journal]
ForwardToSyslog=yes
ForwardToKMsg=no
ForwardToConsole=no
ForwardToWall=yes
sudo systemctl restart systemd-journald
Log Maintenance
Manual Log Management
Check disk usage:
# View disk usage
journalctl --disk-usage
# Detailed usage per journal file
sudo du -sh /var/log/journal/*/
# Verify journal files
journalctl --verify
Clean up logs:
# Remove logs older than 2 weeks
sudo journalctl --vacuum-time=2w
# Keep only 500MB of logs
sudo journalctl --vacuum-size=500M
# Keep only 100 journal files
sudo journalctl --vacuum-files=100
# Rotate journal files
sudo journalctl --rotate
# Force synchronization to disk
sudo journalctl --sync
Automated Cleanup Script
#!/bin/bash
# journal-cleanup.sh - Automated journal maintenance
LOG_FILE="/var/log/journal-cleanup.log"
{
echo "========================================="
echo "Journal Cleanup - $(date)"
echo "========================================="
echo "Disk usage before cleanup:"
journalctl --disk-usage
echo ""
echo "Performing cleanup..."
# Vacuum old logs (keep 2 weeks)
journalctl --vacuum-time=2weeks
echo ""
echo "Disk usage after cleanup:"
journalctl --disk-usage
echo ""
echo "Verifying journal integrity..."
if journalctl --verify; then
echo "Journal verification: PASSED"
else
echo "Journal verification: FAILED - Manual check required"
fi
echo ""
echo "Cleanup completed - $(date)"
echo "========================================="
} >> "$LOG_FILE"
# Send alert if usage is still high
USAGE=$(journalctl --disk-usage | grep -oE '[0-9]+\.[0-9]+G' | cut -d. -f1)
if [ "${USAGE%G}" -gt 2 ]; then
echo "WARNING: Journal disk usage is ${USAGE}" | \
mail -s "Journal Disk Usage Alert" [email protected]
fi
Schedule with cron:
# Add to crontab
sudo crontab -e
# Run weekly on Sunday at 2 AM
0 2 * * 0 /usr/local/bin/journal-cleanup.sh
Exporting and Analysis
Export Logs
Export to files:
# Export all logs to text
journalctl > all-logs.txt
# Export specific service
journalctl -u nginx > nginx-logs.txt
# Export specific time range
journalctl --since "2024-01-11" --until "2024-01-12" > daily-logs.txt
# Export in JSON format
journalctl -o json > logs.json
# Export binary format
journalctl -o export > logs.journal
Filter and export:
# Export only errors
journalctl -p err > errors.log
# Export security logs
journalctl -u sshd > sshd.log
# Export with specific fields
journalctl -o json | jq -r '[.MESSAGE, .SYSLOG_IDENTIFIER, .PRIORITY] | @tsv' > parsed-logs.tsv
Integration with Log Analysis Tools
Send to Elasticsearch:
#!/bin/bash
# journalctl-to-elasticsearch.sh
ES_HOST="localhost:9200"
INDEX="systemlogs-$(date +%Y.%m.%d)"
journalctl -o json --since "1 hour ago" | while read line; do
curl -X POST "http://${ES_HOST}/${INDEX}/_doc" \
-H 'Content-Type: application/json' \
-d "$line"
done
Integration with Logstash:
# Logstash configuration
input {
exec {
command => "journalctl -o json -f"
codec => json
}
}
filter {
date {
match => ["__REALTIME_TIMESTAMP", "UNIX_US"]
}
}
output {
elasticsearch {
hosts => ["localhost:9200"]
index => "systemlogs-%{+YYYY.MM.dd}"
}
}
Troubleshooting
Common Issues
Issue 1: Logs not persisting across reboots
# Check if persistent storage is enabled
cat /etc/systemd/journald.conf | grep Storage
# Create journal directory if missing
sudo mkdir -p /var/log/journal
sudo systemd-tmpfiles --create --prefix /var/log/journal
# Restart journald
sudo systemctl restart systemd-journald
# Verify
ls -l /var/log/journal/
Issue 2: Journal disk space issues
# Check current usage
journalctl --disk-usage
# Clean up immediately
sudo journalctl --vacuum-size=500M
sudo journalctl --vacuum-time=1week
# Configure limits
sudo nano /etc/systemd/journald.conf
# Set SystemMaxUse and SystemKeepFree
sudo systemctl restart systemd-journald
Issue 3: Corrupted journal files
# Verify journal integrity
sudo journalctl --verify
# If corruption found, rotate and start fresh
sudo journalctl --rotate
sudo journalctl --vacuum-time=1s
# Restart journald
sudo systemctl restart systemd-journald
Issue 4: Slow journal queries
# Rotate to start new journal file
sudo journalctl --rotate
# Vacuum old logs
sudo journalctl --vacuum-time=2weeks
# Check index status
sudo journalctl --header
# Consider rate limiting logging if too verbose
sudo nano /etc/systemd/journald.conf
# Set RateLimitIntervalSec and RateLimitBurst
Conclusion
journalctl provides powerful, flexible log analysis capabilities that leverage systemd's structured logging system. By mastering journalctl, you gain rapid access to comprehensive system and application logs with sophisticated filtering, searching, and analysis capabilities directly from the command line.
Key takeaways:
- Structured logging - Binary format with rich metadata enables advanced queries
- Powerful filtering - Filter by time, service, priority, fields, and patterns
- Boot management - Organize and analyze logs across system reboots
- Integration - Export to external log analysis platforms
- Maintenance - Configure retention, rotation, and automatic cleanup
Best practices:
- Enable persistent storage for log retention across reboots
- Configure appropriate disk usage limits
- Regularly clean up old logs with vacuum commands
- Use specific filters to narrow search scope
- Export critical logs for long-term storage
- Verify journal integrity periodically
- Integrate with centralized logging for multi-server environments
- Document common query patterns for your infrastructure
While journalctl excels for local log analysis and troubleshooting, consider complementing it with centralized logging solutions like Elasticsearch/Logstash/Kibana or Splunk for comprehensive log management across distributed infrastructure, long-term retention, advanced analytics, and team collaboration.