CoursesLinux essentialsProcesses & services

Logs with journald

Find the log you need, fast.

Beginner12 min · lesson 22 of 25

When something breaks, the answer is almost always in the logs — and on systemd systems, journald is the central log collector. Instead of hunting through many text files, you query one structured journal with journalctl, filtering by service, time, or priority. Because the journal is structured (every entry carries fields like the unit, PID, and priority), you can ask precise questions — "show me nginx errors since 2pm" — that would be painful with plain grep across files.

terminal
$ journalctl -u nginx # all logs for the nginx service
$ journalctl -u nginx --since "2 hours ago" # time-filtered
$ journalctl -u nginx -p err # only error priority and worse
$ journalctl -f # follow live (like tail -f, whole system)
$ journalctl -b # just this boot
$ journalctl _UID=1000 # everything from a specific user

The classic troubleshooting moves

A few invocations solve most problems. -u <service> scopes to one unit; --since / --until bound the time window; -p err shows only errors and worse; -f follows live so you can watch what happens as you reproduce an issue; and -b limits to the current boot (or -b -1 for the previous one, to see what happened before a crash-reboot). Combine them and you go from "the service is broken" to the exact failing line in seconds.

Plain-text logs still exist

Not everything goes to the journal. Many services also (or instead) write to files under /var/log — /var/log/auth.log or /var/log/secure for authentication and sudo, /var/log/syslog for general messages, and application-specific files like /var/log/nginx/. Auth logs especially are where you find login attempts, sudo use, and SSH activity, so they matter for security investigations. Knowing both the journal and the key /var/log files means you can always find the record you need.

Logs are evidence — protect and ship them
The auth logs and journal are exactly what you rely on to investigate an incident, which is also why an attacker’s early move is to erase or edit them. Two implications: local logs on a compromised host cannot be fully trusted, so ship important logs off the machine to a central place (the detection course covers this), and make sure your log retention is long enough to investigate an incident you might only discover weeks later. A log you never kept is a question you cannot answer.