Journald CheatSheet
Because text files are so 2010. Journald brings metadata, structure, and a touch of futuristic glamour to your system logs.
– A very gentle breeze of humor blows through this document
First steps with journalctl
| Command | What it does (with personality) |
|---|---|
| journalctl | Everything. Really, everything. Since system start. Have fun scrolling. |
| journalctl -e | Jumps to the end – for those who only care about the latest drama. |
| journalctl -r | Reverse order: newest first, like Instagram. |
| journalctl -f | Follows the log in real time – better than any livestream. |
| journalctl --no-pager | No pager (no less). Dumps directly to the terminal. |
💡 Pager tips (when less annoys you):
/ search forward, ? search backward, n / Shift+N next/previous match, q quit.
Filter like a pro
By boot
journalctl --list-boots # Show all boot IDs with index
journalctl -b 0 # Current boot
journalctl -b -1 # Previous boot (basically the day before yesterday)
By time
journalctl --since "2026-05-10 23:00" --until "2026-05-11 01:00"
journalctl --since "20 min ago"
journalctl --since "yesterday" --until "today"
By systemd unit (service)
journalctl -u NetworkManager # Only NetworkManager
journalctl -u sshd -u bluetooth # Multiple units at once
By priority (log level)
journalctl -p err # Error and worse (0-3)
journalctl -p 3 # Same meaning
journalctl -p notice..warning # Range: notice through warning
| Level | Name | Description (dramatic version) |
|---|---|---|
| 0 | emerg | System is on fire |
| 1 | alert | Act now! Immediately! |
| 2 | crit | Critical, but don't panic |
| 3 | err | Error – hurts, but we continue |
| 4 | warning | Caution, something's brewing |
| 5 | notice | Normal but important message |
| 6 | info | Informational, like a recipe |
| 7 | debug | Chatty Cathy mode |
By keyword (faster than grep!)
journalctl -g "Failed password"
journalctl --grep '192\.168\.[0-9]{1,3}\.[0-9]{1,3}' # Perl‑style regex
By executable
journalctl /usr/bin/sshd
journalctl _EXE=/usr/bin/sshd # The same filter, written explicitly
By arbitrary metadata fields
journalctl _UID=1000 # Only user 1000
journalctl _TRANSPORT=kernel # Only kernel logs (also: -k)
journalctl _SYSTEMD_UNIT=sshd.service
Metadata – the hidden stars
All fields starting with _ (underscore) are trusted fields – set by journald itself, so the logging program cannot set or alter them.
Perfect for forensics or catching malware in a lie.
journalctl -o verbose # Show ALL metadata of an entry
journalctl -o json # JSON format for scripts
journalctl -o json-pretty # Pretty‑printed JSON
Example output (shortened):
_TRANSPORT=syslog
PRIORITY=6
_PID=1973
_EXE=/usr/sbin/smartd
MESSAGE=Device: /dev/sda [...]
Useful fields:
- _SYSTEMD_INVOCATION_ID – All logs of a single service run
- __CURSOR – Unique ID to resume exactly at that point later
- _SELINUX_CONTEXT – When you want to feel secure
Use --output-fields to fetch only what you need:
journalctl -o json --output-fields="MESSAGE,_EXE" _EXE=/usr/bin/sshd
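The script below is an added example, not part of the original cheat sheet. It shows how trusted fields catch a process "in a lie": it reads `journalctl -o json` lines and reports entries whose self-declared SYSLOG_IDENTIFIER matches neither the trusted _COMM nor the basename of _EXE. The sample lines, PIDs and paths are constructed, and the function names are my own.

```python
import json
import os
import sys

# Constructed sample of `journalctl -o json` output (one JSON object per line).
SAMPLE = r'''
{"_TRANSPORT":"syslog","PRIORITY":"6","SYSLOG_IDENTIFIER":"smartd","_PID":"1973","_COMM":"smartd","_EXE":"/usr/sbin/smartd","MESSAGE":"Device: /dev/sda, opened"}
{"_TRANSPORT":"syslog","PRIORITY":"6","SYSLOG_IDENTIFIER":"sshd","_PID":"4242","_COMM":"python3","_EXE":"/usr/bin/python3.12","MESSAGE":"session opened"}
{"_TRANSPORT":"journal","PRIORITY":"5","SYSLOG_IDENTIFIER":"backup","_PID":"5150","_COMM":"helper","_EXE":"/tmp/helper","MESSAGE":[98,97,100,32,255]}
{"_TRANSPORT":"kernel","PRIORITY":"4","SYSLOG_IDENTIFIER":"kernel","MESSAGE":"usb 1-1: reset"}
'''

def text(value):
    """Return a field as str; journalctl emits non-UTF-8 values as byte arrays."""
    if isinstance(value, list) and value and all(isinstance(b, int) for b in value):
        return bytes(value).decode("utf-8", "replace")
    # null (oversized field) or repeated fields (list of strings) are ignored here
    return value if isinstance(value, str) else ""

def mismatches(lines):
    """List entries whose client-supplied name disagrees with the trusted fields."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        entry = json.loads(line)
        claimed = text(entry.get("SYSLOG_IDENTIFIER"))  # set by the logging program
        exe = text(entry.get("_EXE"))                   # set by journald
        if not claimed or not exe:                      # e.g. kernel entries have no _EXE
            continue
        trusted = {os.path.basename(exe), text(entry.get("_COMM"))}
        # _COMM is cut to 15 characters by the kernel, so compare a truncated copy too
        if claimed in trusted or claimed[:15] in trusted:
            continue
        findings.append({"pid": text(entry.get("_PID")), "claimed": claimed,
                         "exe": exe, "message": text(entry.get("MESSAGE"))})
    return findings

if __name__ == "__main__":
    # Pipe real data in (journalctl -o json | python3 this_script.py) or run the sample.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE.splitlines()
    for finding in mismatches(source):
        print(finding)
```

A mismatch is a triage lead, not proof: scripts started through an interpreter, or tools that set their own tag, differ legitimately.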
Configuring Journald (tinkering allowed)
Where config lives
- /etc/systemd/journald.conf – Main file (commented defaults)
- /etc/systemd/journald.conf.d/my.conf – Your own snippets
Important options (to dream about and tweak)
| Option | Meaning | Default |
|---|---|---|
| SystemMaxUse= | Max disk space for the journal | 10% of partition, max 4 GB |
| SystemKeepFree= | How much space must stay free | 15% |
| MaxRetentionSec= | Max age of logs (e.g. 30 days) | disabled |
| Compress= | Compress logs? | yes |
After changes:
systemctl reload systemd-journald # Reload without restart
systemctl status systemd-journald # Check for errors
Cleaning up ("vacuuming")
journalctl --disk-usage # How much space are logs using?
journalctl --vacuum-size=500M # Delete oldest logs until 500 MB left
journalctl --vacuum-time=7d # Delete everything older than 7 days
Journald cleans up automatically when limits are reached. No more cron jobs to write.
Final words of wisdom
- journalctl -k – Kernel logs only (formerly dmesg in a suit)
- journalctl -x – Explanations for entries (--catalog)
- journalctl -n 50 – Only the last 50 lines
- Combine everything:
journalctl -u sshd -b 0 -p 3 -n 20
→ SSH service, current boot, error or worse, max 20 lines.
And when you want to impress an old‑school sysadmin:
"Journald isn't a text file – it's an indexed, binary‑logging, self‑rotating, metadata‑rich database with trusted fields."
Then take a sip of coffee and enjoy the awe.
Source: This cheat sheet is based on the c't guide „Linux-Protokolldienst Journald verstehen und sinnvoll nutzen“ – https://www.heise.de/ratgeber/Linux-Protokolldienst-Journald-verstehen-und-sinnvoll-nutzen-11290995.html?seite=all