journalctl Cheatsheet
Top commands.
Overview
journalctl is the systemd journal viewer. Modern Linux services all log to the journal; fluency with journalctl is the difference between “the service is broken” and specific log lines pinpointed to a window.
- Unified log access. Every systemd-managed service logs to the journal. One place to look across services on the host.
- Time-bound queries. --since and --until bracket the incident window. The signal becomes searchable instead of overwhelming.
- Service filtering. -u nginx limits to a specific service. Cuts the noise from every other systemd unit.
- Priority filtering plus follow. -p err shows only errors; -f follows logs in real time for live investigation.
The approach
Three habits separate fluent journalctl from beginner journalctl: filter by service, bracket the time window, and combine flags rather than running them serially.
- journalctl -u nginx --since "1h ago". Last hour of nginx logs. The standard incident-window starting point.
- journalctl -u app -f. Follow service logs in real time. Useful when reproducing a flaky issue.
- journalctl -u app -p err. Error-level events only. Cuts the routine info logs.
- journalctl --boot and journalctl --vacuum-time=7d. Logs since boot for startup investigations; vacuum trims old data when disk pressure hits.
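The habit of combining flags, as an added example that is not part of the original cheatsheet: a small shell function that puts the service, time-window and priority filters into one journalctl query. The name incident_logs and the DRY_RUN switch are assumptions made for this sketch; the journalctl flags are the ones listed above plus --no-pager and -o short-iso.

```sh
# Added example: incident_logs is a hypothetical helper, not part of systemd.
# Usage: incident_logs UNIT SINCE [UNTIL] [PRIORITY]
# DRY_RUN=1 prints the journalctl arguments, one per line, instead of running.
incident_logs() (
    unit=${1:-}; since=${2:-}; end=${3:-}; prio=${4:-}
    if [ -z "$unit" ] || [ -z "$since" ]; then
        echo "usage: incident_logs UNIT SINCE [UNTIL] [PRIORITY]" >&2
        exit 2
    fi
    # Accept only the syslog level names that journalctl -p understands.
    case "$prio" in
        ""|emerg|alert|crit|err|warning|notice|info|debug) ;;
        *) echo "unknown priority: $prio" >&2; exit 2 ;;
    esac
    # Build one argument list so every filter applies to the same query.
    set -- journalctl --no-pager -o short-iso -u "$unit" --since "$since"
    if [ -n "$end" ]; then set -- "$@" --until "$end"; fi
    if [ -n "$prio" ]; then set -- "$@" -p "$prio"; fi
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$@"
    else
        "$@"
    fi
)

# Example call (unit name and window are constructed values):
#   incident_logs nginx "2024-05-01 10:00" "2024-05-01 10:30" err
```

Running it with DRY_RUN=1 first shows the exact query before it touches the journal, which is handy when the command is going into an incident ticket.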
Why this compounds
journalctl fluency compounds across every systemd Linux host the team operates. Each investigation teaches a little more about the systemd unit graph and the journal.
- Faster log investigation. Fluent journalctl produces fast root cause on systemd-host incidents. MTTR drops measurably.
- Better systemd understanding. journalctl teaches the systemd unit model. The unit graph stops being a black box.
- Universal applicability. Modern Linux runs systemd. The fluency applies everywhere.
- Year-one investment, year-two habit. The first year establishes fluency under pressure. Subsequent years extend it.