Journalctl is used to monitor system events/errors logs. This is very useful when there are issues with an application or service.
journalctl -f -u postfix.serviceIn this example, the log file for postfix mail server is going to be displayed, but only last few lines and it will be updated in real time, meaning it will stay open and show new log entries as they are generated.
-f flag causes the output to “follow” the log. -u shows specific systemd unit.
journalctl -f -u postfix.service -p errThis will print only errors in the postfix log file as they are added.
-p err flag shows only error-level messages.
-b is for boot logs.
-n 30 to limit the number of lines displayed
Filtering by time range:
journalctl --since "2025-07-29 10:00:00" --until "2025-07-29 10:15:00"
journalctl --since "yesterday"
journalctl --since "1 hour ago"Journals (logs)
Many things are logged in Linux: system process, startup messages, systemd service status, user logs, container and applications. Here are some journalctl command examples:
- View All Logs:
journalctl(Shows everything, usually piped intolessfor easier viewing). - Logs from Current Boot:
journalctl -b(logs from the last boot to present). - Logs from Previous Boot:
journalctl -b -1(logs from the previous boot, useful after a crash). - Kernel Messages Only:
journalctl -k(logs specifically from the kernel ring buffer). - Logs for a Specific User:
journalctl _UID=1000(Find the User ID with:id -u piroman). - Check Journal Disk Usage:
journalctl --disk-usage(Shows how much space the journal is using).