journalctl is the query tool for systemd-journald, the logging daemon that collects and stores logs from the kernel, systemd itself, and every service systemd supervises. Unlike classical Unix logging (plain text in /var/log/), the journal is a structured binary log indexed by time, unit, priority, process, and many other fields, which makes it fast to query and filter.
journalctl # everything, paged
journalctl -f # follow new entries (like tail -f)
journalctl -u sshd # just sshd
journalctl -u sshd -f # follow sshd
journalctl -b # this boot
journalctl -b -1 # previous boot
journalctl --since today
journalctl --since "1 hour ago" --until "5 min ago"
journalctl -p err # priority err or higher
journalctl -k # kernel messages (like dmesg)
journalctl _PID=1234 # by PID
journalctl /usr/bin/sshd # by executable
Storage location is /var/run/log/journal/ (volatile, lost on reboot) or /var/log/journal/ (persistent). Persistence is enabled by creating /var/log/journal/ or setting Storage=persistent in /etc/systemd/journald.conf.
Systems that need compatibility with plaintext-log consumers (log aggregators, older tools) typically run rsyslog or syslog-ng alongside journald, which reads from the journal and writes classical /var/log/* files.
Related terms: systemd, syslog, log
Discussed in:
- Chapter 13: System Services and systemd — journalctl: The Logs
Also defined in: Textbook of Linux