The journalctl command is the primary interface for querying and browsing logs collected by systemd-journald on RHEL 8. Unlike traditional syslog files, the systemd journal stores structured, binary log data that can be filtered by unit, priority, time range, PID, and more. Mastering journalctl allows administrators to diagnose service failures, track kernel events, and export log data for external analysis. This tutorial covers the most useful journalctl options available on RHEL 8.
Prerequisites
- A running RHEL 8 system with a non-root sudo user or root access
- Basic familiarity with the terminal and
systemdservice management systemd-journaldrunning (enabled by default on RHEL 8)
Step 1 — Viewing Recent and Full Journal Logs
Without any options, journalctl outputs the entire journal, oldest entries first, piped through a pager. The most practical starting point is viewing recent boot logs with verbose error context.
# Show all logs for the current boot
journalctl -b
# Show the last 50 lines of the journal
journalctl -n 50
# Show logs with full metadata and error context
journalctl -xeThe -x flag augments entries with explanatory catalog text where available. -e jumps to the end of the journal immediately.
Step 2 — Filtering Logs by Unit and Following in Real Time
To narrow output to a specific service, use the -u flag. Combine it with -f to tail the journal live, which is invaluable during service restarts or active debugging.
# Show logs for the sshd service
journalctl -u sshd
# Follow logs for the httpd service in real time
journalctl -f -u httpd
# Show logs for multiple units
journalctl -u sshd -u firewalldStep 3 — Filtering by Time Range and Priority
The --since and --until options accept human-readable timestamps or relative expressions. Priority filtering with -p limits output to messages at or above a given severity level.
# Show logs from the past hour
journalctl --since "1 hour ago"
# Show logs between two timestamps
journalctl --since "2026-05-17 08:00:00" --until "2026-05-17 09:00:00"
# Show only error-level and above messages (emerg, alert, crit, err)
journalctl -p err
# Combine time range with priority
journalctl --since yesterday -p warningStep 4 — Viewing Kernel and Boot-Specific Logs
The -k flag filters the journal to kernel messages only, equivalent to dmesg. The -b flag with an offset lets you inspect logs from previous boots when persistent logging is enabled.
# Show only kernel (dmesg-equivalent) messages
journalctl -k
# List available boots
journalctl --list-boots
# Show logs from the previous boot (offset -1)
journalctl -b -1
# Show kernel messages from the previous boot
journalctl -k -b -1Step 5 — Enabling Persistent Logging
By default, RHEL 8 may store journal logs only in memory (/run/log/journal), losing them on reboot. To enable persistence, configure /etc/systemd/journald.conf and create the storage directory.
# Edit the journal configuration
vi /etc/systemd/journald.conf
# Set these values under [Journal]:
# Storage=persistent
# SystemMaxUse=500M
# Create the persistent storage directory
mkdir -p /var/log/journal
# Restart journald to apply changes
systemctl restart systemd-journald
# Verify the storage location
ls /var/log/journal/Step 6 — Exporting Logs and Filtering by PID
For integration with external log analysis tools, journalctl can export entries in JSON, short, or cat formats. You can also filter by process ID using _PID.
# Export last 100 entries in JSON format
journalctl -n 100 --output=json > /tmp/journal_export.json
# Export in JSON-pretty format for readability
journalctl -n 20 --output=json-pretty
# Filter by a specific PID
journalctl _PID=1234
# Filter sshd logs and export to a text file
journalctl -u sshd --since today --output=cat > /tmp/sshd_today.logConclusion
journalctl is a powerful, flexible tool for log analysis on RHEL 8. By combining filters for unit, time, priority, PID, and boot, you can rapidly isolate the exact log entries relevant to any system event or service failure. Enabling persistent storage ensures that logs survive reboots, giving you a historical record for audits and post-incident review.
Next steps: How to Perform a System Security Audit with auditd on RHEL 8, How to Configure Network Interface Settings with nmcli on RHEL 8, and How to Manage System Packages with dnf on RHEL 8.
