journalctl and systemd Logging Cheat Sheet

Updated 2026-05-21

Next Topic: jq Command-Line JSON Processor Cheat Sheet

systemd-journald is the kernel-integrated logging daemon that collects structured binary log entries from every process, the kernel, syslog socket, native API callers, and the audit subsystem into a single, indexed, compressed journal. journalctl is the primary query tool: it supports powerful filtering by time, unit, user, PID, priority, transport, and arbitrary journal fields, and outputs results in human-readable or machine-parseable formats. This cheat sheet covers architecture, configuration, all major journalctl options, field schema, remote forwarding, namespaces, the sd_journal API, modern integrations (OpenTelemetry, Vector, Loki, Fluent Bit), and operational best practices.

What This Cheat Sheet Covers

This topic spans 21 focused tables and 188 indexed concepts. Below is a complete table-by-table outline of this topic, spanning foundational concepts through advanced details.

Table 1: Architecture and Data FlowTable 2: journald.conf Storage ConfigurationTable 3: journald.conf Retention and RotationTable 4: journald.conf Forwarding and Rate LimitingTable 5: Basic journalctl UsageTable 6: Time-Range FilteringTable 7: Filtering by SourceTable 8: Priority FilteringTable 9: Kernel and Boot Log ViewingTable 10: Output FormatsTable 11: Journal Fields ReferenceTable 12: Live Tailing, Search, and PipelinesTable 13: Storage Management and VacuumTable 14: Journal Integrity and Forward Secure Sealing (FSS)Table 15: Remote Logging and ForwardingTable 16: Journal NamespacesTable 17: Structured Logging and the sd_journal APITable 18: Access ControlTable 19: Troubleshooting PatternsTable 20: Common Pitfalls and Operational NotesTable 21: Modern Log Integrations

Table 1: Architecture and Data Flow

Core components of the systemd journal ecosystem — the daemon, its storage locations, and the sources that feed it.

Architecture	Example	Description
systemd-journald	`systemctl status systemd-journald`	• Kernel service collecting logs from kernel, user processes, syslog socket, native protocol, audit subsystem • Stores data in binary `.journal` files; supports indexed, compressed, optionally sealed storage
Persistent journal storage	`/var/log/journal/<machine-id>/`	• Created automatically when directory exists; survives reboots • Contains `system.journal`, `system@*.journal`, and per-user `user-UID.journal` files
Volatile journal storage	`/run/log/journal/<machine-id>/`	• Stored in tmpfs; lost on reboot • Default when `/var/log/journal/` does not exist
Binary journal format	`file -b /var/log/journal/*/system.journal`	• Structured binary format with hash tables, object arrays, field index • Not human-readable directly — always use `journalctl` to query

Table 1: Architecture and Data Flow

Core components of the systemd journal ecosystem — the daemon, its storage locations, and the sources that feed it.

Architecture	Example	Description
systemd-journald	`systemctl status systemd-journald`	• Kernel service collecting logs from kernel, user processes, syslog socket, native protocol, audit subsystem • Stores data in binary `.journal` files; supports indexed, compressed, optionally sealed storage
Persistent journal storage	`/var/log/journal/<machine-id>/`	• Created automatically when directory exists; survives reboots • Contains `system.journal`, `system@*.journal`, and per-user `user-UID.journal` files
Volatile journal storage	`/run/log/journal/<machine-id>/`	• Stored in tmpfs; lost on reboot • Default when `/var/log/journal/` does not exist
Binary journal format	`file -b /var/log/journal/*/system.journal`	• Structured binary format with hash tables, object arrays, field index • Not human-readable directly — always use `journalctl` to query