How to Use journalctl to View and Manipulate Systemd Logs?

In Linux, a bunch of services run in the background such as systemd logs, these logs can be viewed by the “journalctl” command. It facilitates the user to look for particular information such as view logs according to the time-specific, most recent logs, run-time logs, service-specific information, etc.

This article will signify the various uses of the journalctl to view and manipulate the systemd logs:

journalctl to View systemd Logs

First, let’s explore the working of the “journalctl” command following its syntax:


$ journalctl [Options] [Service]

Use the “journalctl” keyword, “options” along with the journalctl, and give the service name.

Example 1: View All Journalctl Logs

To retrieve all systemd logs using journalctl, type the “journalctl” in the terminal with “a” flag:

$ journalctl -a

All systemd logs will be printed.

Example 2: View Journalctl Logs For Particular Unit/Service/Daemons

To display “journalctl” logs for the particular unit or service, utilize the “u” flag with the service name, as we are using “mysql.service”:

$ journalctl -u mysql.service

The logs for the service “mysql” service have been listed.

Example 3: View Recent Journalctl Logs

To display the most recent logs (newly created) of the system, use the “n” option with “journalctl”:

$ journalctl -n

The most recent log will be listed.

Example 4: View Run-time Journalctl Logs

To display the real/run-time logs of the system, use the “f” flag which means follow:

$ journalctl -f

After running the above command the log will be printed as the system receives it.

Example 5: View Disk Usage Journalctl Logs

To display the logs related to the disk usage, use the following command in the terminal:

$ journalctl --disk-usage

The logs related to the disk usage will be listed.

Example 6: View Journalctl Logs For Particular Time

You can also display the logs according to the time-specific such as yesterday, using the following command:

$ journalctl --since yesterday

All the logs created yesterday will be listed.

The user can use the time accruing to the choice in minutes, hours, and days, 

Example 7: View Journalctl Logs For System Boots

To display the boot time logs of the system, use the “b” flag in the command:

$ journalctl -b

The boot time logs have been printed.

You can also list down when your system booted in the previous times. To do so, the following command will be used:

$ journalctl --list-boots

The above image shows the last boot of the systems

Example 8: View Kernel-Related Journalctl Logs

To view the Kernel-related logs of the system, utilize the “k” flag in the command:

$ journalctl -k

The logs related to the Kernel have been listed.

Example 9: Change Journalctl Logs Output in Formats 

The user can display any of the above outputs in various formats such as JSON. To do so, modify the command with the “o” flag and specify the format name:

$ journalctl -k -o json

The logs will be printed in the “JSON” format.

You can view it in the “json-pretty” (human-readable) format for easy understanding:

$ journalctl -k -o json-pretty

The logs have been listed in the human-readable format now.

How to Manipulate the systemd Logs Using journalctl?

Manipulation refers to altering the logs as per the requirement of the system/administrator. Some of the examples of manipulation are listed below: 

Example 1: Limit and Delete the Journalcrl logs

To delete the journalctl logs, limit the size of the journalctl such as 10M. You can use the “vacuum-size” flag for limiting the size. Limiting the size of journalctl logs to 10M will stop more using the space but will not delete the existing files:

$ sudo journalctl --vacuum-size=10M

The log size has been reduced to “10M”.

Now, delete the old journalctl logs using the “vacuum-time” flag and specify the time in days, months, or years. As we are deleting the old of 1 month:

$ sudo journalctl --vacuum-time=1month

The old logs will be deleted.


The journalctl is the built-in utility to retrieve systemd logs with respect to time, service, boot-time, Kernel-related tasks, etc. Users can delete the logs by limiting the journal log size and deleting the old logs.

This write-up has illustrated the use of the journalctl to view and manipulate systemd logs.