Logs & journalctl — Reading System Logs
Read and filter system logs using journalctl for systemd journals and traditional log files in /var/log.
March 27, 20255 min read
linuxsysadminlogsjournalctldebugging
journalctl — systemd Logs
journalctl # All logs (huge output)
journalctl -f # Follow live (like tail -f)
journalctl -n 50 # Last 50 lines
journalctl -p err # Errors only
journalctl -u nginx # Specific service logs
journalctl -u nginx --since today # Today's nginx logs
journalctl --since "2025-03-01" # Since a specific date
journalctl --since "1 hour ago" # Last hour
journalctl -b # Current boot only
journalctl -b -1 # Previous boot
journalctl --disk-usage # Space used by logsLog Priority Levels
| Level | Keyword | Description |
|---|---|---|
| 0 | emerg | System unusable |
| 1 | alert | Immediate action needed |
| 2 | crit | Critical condition |
| 3 | err | Error |
| 4 | warning | Warning |
| 5 | notice | Normal but significant |
| 6 | info | Informational |
| 7 | debug | Debug messages |
journalctl -p warning # Warning level and above
journalctl -p 0..3 # Emergency through errors onlyTraditional Log Files
# Common log locations
/var/log/syslog # System log (Debian/Ubuntu)
/var/log/messages # System log (RHEL/Fedora)
/var/log/auth.log # Authentication attempts
/var/log/kern.log # Kernel messages
/var/log/nginx/access.log # Nginx access log
/var/log/nginx/error.log # Nginx error log
# Monitor in real-time
tail -f /var/log/syslog
tail -f /var/log/auth.logdmesg — Kernel Messages
dmesg # All kernel ring buffer messages
dmesg | tail -20 # Most recent entries
dmesg -T # Human-readable timestamps
dmesg | grep -i usb # USB-related messages
dmesg | grep -i error # Kernel errors onlyWhen debugging a service crash, combine: journalctl -u service-name -p err --since '10 minutes ago' for a focused error view.
Quick Check
Which journalctl flag follows logs in real time?
Exercise
View all error-level messages from the current boot session.