Frequently Asked Question
What is journald and how do I use journalctl?
systemd-journald is the logging daemon. It captures the stdout, stderr, and syslog
output of every unit, plus the kernel ring buffer and structured events from the rest of
systemd, and stores them in an indexed binary file under /var/log/journal/ (or in a
ring buffer in RAM under /run/log/journal/ if persistent journaling is disabled).
Because the binary format stores structured fields rather than free text, every log entry carries rich metadata: the unit it came
from, the executable, the user, the priority, a microsecond timestamp, the boot ID, and
so on.

journalctl is the client. The most useful invocations are journalctl -u nginx (only
one unit's logs), journalctl -f (follow, like tail -f), journalctl -e (jump to the
end), journalctl -p err (errors and worse only), journalctl -k (kernel messages,
dmesg equivalent), and journalctl --since "1 hour ago". Adding -b restricts the
output to the current boot, -b -1 to the previous one. The binary format is sometimes
criticised because cat cannot read it, but in return you get fast, structured queries
that the old plain-text syslog could not offer.
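
The metadata fields described above can be seen directly in journalctl -o json output. The following is an added example, not part of the original FAQ: it parses that output and applies simplified versions of the -u, -p and -b filters to a constructed sample. The function names and the sample entries are assumptions made for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed sample shaped like `journalctl -o json` output (one object per
# line). Boot IDs, timestamps and messages are made up for this example.
BOOT_PREV, BOOT_CUR = "a" * 32, "b" * 32
SAMPLE = "\n".join(json.dumps(e) for e in [
    {"_SYSTEMD_UNIT": "nginx.service", "_EXE": "/usr/sbin/nginx", "_UID": "33",
     "PRIORITY": "3", "_BOOT_ID": BOOT_CUR, "MESSAGE": "upstream timed out",
     "__REALTIME_TIMESTAMP": "1700000000123456"},
    {"_SYSTEMD_UNIT": "nginx.service", "_EXE": "/usr/sbin/nginx", "_UID": "33",
     "PRIORITY": "6", "_BOOT_ID": BOOT_CUR, "MESSAGE": "worker started",
     "__REALTIME_TIMESTAMP": "1700000001000000"},
    # journald emits a non-UTF-8 MESSAGE as an array of byte values.
    {"_SYSTEMD_UNIT": "sshd.service", "_EXE": "/usr/sbin/sshd", "_UID": "0",
     "PRIORITY": "2", "_BOOT_ID": BOOT_PREV, "MESSAGE": [98, 97, 100, 32, 255],
     "__REALTIME_TIMESTAMP": "1699990000000000"},
])


def as_text(value):
    """Normalise a field: null (oversized), byte array, repeated field, or str."""
    if value is None:
        return ""
    if isinstance(value, list):
        if all(isinstance(b, int) for b in value):
            return bytes(value).decode("utf-8", errors="replace")
        return " | ".join(as_text(v) for v in value)
    return value


def query(lines, unit=None, max_priority=None, boot_id=None):
    """Simplified stand-in for -u, -p and -b, matching on stored metadata."""
    hits = []
    for line in lines.splitlines():
        e = json.loads(line)
        pri = e.get("PRIORITY")
        if unit and e.get("_SYSTEMD_UNIT") != unit:
            continue
        if max_priority is not None and (pri is None or int(pri) > max_priority):
            continue
        if boot_id and e.get("_BOOT_ID") != boot_id:
            continue
        us = int(e["__REALTIME_TIMESTAMP"])  # microseconds since the epoch
        ts = datetime.fromtimestamp(us // 10**6, timezone.utc).replace(microsecond=us % 10**6)
        hits.append((ts.isoformat(), e.get("_SYSTEMD_UNIT"), e.get("_UID"),
                     as_text(e.get("MESSAGE"))))
    return hits
```

On a live system the same function can be fed the text captured from journalctl -o json; the real -u option matches more fields than _SYSTEMD_UNIT alone, so counts can differ slightly.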