systemd-journald is the kernel-integrated logging daemon that collects structured binary log entries from every process, the kernel, syslog socket, native API callers, and the audit subsystem into a single, indexed, compressed journal. journalctl is the primary query tool: it supports powerful filtering by time, unit, user, PID, priority, transport, and arbitrary journal fields, and outputs results in human-readable or machine-parseable formats. This cheat sheet covers architecture, configuration, all major journalctl options, field schema, remote forwarding, namespaces, the sd_journal API, modern integrations (OpenTelemetry, Vector, Loki, Fluent Bit), and operational best practices.
What This Cheat Sheet Covers
This topic spans 21 focused tables and 188 indexed concepts. Below is a complete table-by-table outline of this topic, spanning foundational concepts through advanced details.
Table 1: Architecture and Data Flow
Core components of the systemd journal ecosystem — the daemon, its storage locations, and the sources that feed it.
| Architecture | Example | Description |
|---|---|---|
systemctl status systemd-journald | • Kernel service collecting logs from kernel, user processes, syslog socket, native protocol, audit subsystem • Stores data in binary .journal files; supports indexed, compressed, optionally sealed storage | |
/var/log/journal/<machine-id>/ | • Created automatically when directory exists; survives reboots • Contains system.journal, system@*.journal, and per-user user-UID.journal files | |
/run/log/journal/<machine-id>/ | • Stored in tmpfs; lost on reboot • Default when /var/log/journal/ does not exist | |
file -b /var/log/journal/*/system.journal | • Structured binary format with hash tables, object arrays, field index • Not human-readable directly — always use journalctl to query |