Skip to main content

journalctl (systemd logs) Cheat Sheet 2026 — Quick CLI Command Reference

2 min read

journalctl (systemd logs) Cheat Sheet 2026 — Quick Command Reference

journalctl (systemd logs) Cheat Sheet is the complete quick-reference of journalctl (systemd logs) commands grouped by function. Copy any command with one click and find what you need with Ctrl+F in under 3 seconds.

journald Log Queries

Action Command Useful flags
Show the latest `n` lines and follow new messages (like `tail –follow` for trad 
journalctl --lines <n> --follow
 --lines --follow
Show all messages with priority level 3 (errors) from the boot before last shutd 
journalctl --boot -1 --priority 3
 --boot --priority
Show all messages by a specific unit 
journalctl --unit <unit>
 --unit
Show logs for a given unit since the last time it started 
journalctl _SYSTEMD_INVOCATION_ID=$(systemctl show --value --property=InvocationID <unit>)
 --value --property
Filter messages within a time range (either timestamp or placeholders like "yest 
journalctl --since <now|today|yesterday|tomorrow|...> --until "<YYYY-MM-DD HH:MM:SS>"
 --since --until
Show all messages by a specific process 
journalctl _PID=<pid>
Show all messages by a specific executable 
journalctl <path/to/executable>
Delete journal logs which are older than 2 days 
journalctl --vacuum-time 2d
 --vacuum-time

⚠️ Dangerous / Destructive Commands

These commands are irreversible. Verify your environment (dev/staging vs prod) before running them.

Action Command Warning
⚠️ Destroy ⚠️ 
terraform destroy -auto-approve
 Irreversible — verify the target before running
⚠️ Delete 
kubectl delete namespace production
 Irreversible — verify the target before running
⚠️ Prune ⚠️ 
docker system prune -af --volumes
 Irreversible — verify the target before running
⚠️ Delete 
pvesh delete /nodes/{node}/qemu/{vmid}
 Irreversible — verify the target before running
⚠️ Delete 
az group delete --name MyResourceGroup --yes
 Irreversible — verify the target before running

FAQ — Frequently Asked Questions

What is the difference between journald Log Queries and the other groups?

Each group in this journalctl (systemd logs) cheat sheet covers a distinct area. journald Log Queries focuses on its specific scope, while the other groups and the remaining groups cover networking, storage, security and diagnostics respectively.

How do I check the installed journalctl (systemd logs) version?

Run the version command (usually journalctl version or journalctl --version). The output shows the client and, when applicable, the server version.

Why does journalctl (systemd logs) return ‘permission denied’?

A ‘permission denied’ error in journalctl (systemd logs) usually means the current user lacks sufficient privileges or credentials are not configured. Check: (1) assigned IAM/RBAC roles, (2) an active authentication context via the corresponding login command.

How do I filter journalctl (systemd logs) output by status or name?

Use flags such as --filter, --selector or --query depending on the tool. You can also pipe into grep or jq to process JSON: 

journalctl list | grep RUNNING

What is the fastest way to debug a journalctl (systemd logs) error?

Add the verbose flag (--verbose, -v or --debug) to the failing command. This reveals the underlying HTTP/API calls and the full error response body.

Official sources & references

Commands cross-checked against vendor documentation and high-authority repositories: