# Use journalctl to read, filter and follow the systemd journal and find answers in logs quickly

15.11.2025 | reading time: 3 min

Logs live here: journalctl is the command-line gateway to the systemd journal and to the persistent, indexed logs it stores on disk. Use it to search for errors, follow activity live and export structured events for analysis.

## SSH login failure investigation

A concrete case: an admin suspects repeated SSH failures. He runs a focused search over the last two hours and then follows new events to confirm the pattern and the source IP. Example command and sample output:

```
sudo journalctl -u sshd.service --since "2 hours ago" -o short-iso
2025-05-15T11:23:01+0000 host sshd[12345]: Failed password for invalid user test from 10.0.0.5 port 53422 ssh2
2025-05-15T11:23:03+0000 host sshd[12345]: Connection closed by 10.0.0.5 port 53422
```

To watch live as new attempts arrive:

```
sudo journalctl -f -u sshd.service
```

## Narrowing, formatting and pruning

Tell journalctl exactly what you want: filter by unit with `-u`, by priority with `-p err` (err and more severe), by boot with `-b`, or by any journal field with a match such as `_PID=1234`; change the output format with `-o json` or `-o short-iso` and keep a live tail with `-f`. When the disk fills, trim the journal with `--vacuum-size=500M` or `--vacuum-time=2weeks` to free space while preserving recent events (vacuuming removes only archived journal files, so run `journalctl --rotate` first if the active files should be eligible too).

## When other tools are a better fit

journalctl is great for structured, recent and indexed logs, but you may integrate or complement it with syslog daemons and rotation tools: forward entries to external systems, export JSON for analytics, or use syslog adapters when legacy software expects plain text files.

## Practical pointers

Remember: persistent journals live under `/var/log/journal`, kernel messages are available with `-k`, and `journalctl --since "2025-05-15" --until "2025-05-15 12:00"` creates a tight time window for incident reconstruction. `--disk-usage` reports how much space the journal occupies, and `-o export` writes entries in the journal export format for archiving or forwarding.
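The article's SSH case and its advice to export JSON for analytics come together in the following added example (not code from the original article). It reads the one-JSON-object-per-line output of `journalctl -u sshd.service -o json`, counts `Failed password` events per source IP with first and last seen times, and flags addresses above a threshold; the journal field names (`__REALTIME_TIMESTAMP`, `MESSAGE`, `_PID`, `SYSLOG_IDENTIFIER`) are the real ones journald emits, while the sample entries, the hostname, the PIDs and the addresses are constructed for the demonstration.

```python
"""Summarise failed SSH logins from `journalctl -o json` output.

Added example, not code from the original article: reads one JSON object per
line, as `journalctl -u sshd.service -o json` emits, counts "Failed password"
events per source IP and flags addresses that exceed a threshold.
"""
import json
import re
import sys
from collections import defaultdict
from datetime import datetime, timezone

# sshd's failed-authentication message; the "invalid user" prefix appears when
# the account does not exist on the host.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)

# Constructed sample in the shape journalctl produces with -o json: one object per
# line, __REALTIME_TIMESTAMP in microseconds since the epoch (2025-05-15 11:23 UTC
# here), hostname/PIDs made up, addresses from private and documentation ranges.
SAMPLE_JOURNAL_JSON = """
{"__REALTIME_TIMESTAMP":"1747308181000000","_HOSTNAME":"host","SYSLOG_IDENTIFIER":"sshd","_PID":"12345","PRIORITY":"5","MESSAGE":"Failed password for invalid user test from 10.0.0.5 port 53422 ssh2"}
{"__REALTIME_TIMESTAMP":"1747308183000000","_HOSTNAME":"host","SYSLOG_IDENTIFIER":"sshd","_PID":"12345","PRIORITY":"6","MESSAGE":"Connection closed by 10.0.0.5 port 53422"}
{"__REALTIME_TIMESTAMP":"1747308190000000","_HOSTNAME":"host","SYSLOG_IDENTIFIER":"sshd","_PID":"12350","PRIORITY":"5","MESSAGE":"Failed password for admin from 10.0.0.5 port 53430 ssh2"}
{"__REALTIME_TIMESTAMP":"1747308197000000","_HOSTNAME":"host","SYSLOG_IDENTIFIER":"sshd","_PID":"12355","PRIORITY":"5","MESSAGE":"Failed password for root from 10.0.0.5 port 53441 ssh2"}
{"__REALTIME_TIMESTAMP":"1747308200000000","_HOSTNAME":"host","SYSLOG_IDENTIFIER":"sshd","_PID":"12360","PRIORITY":"5","MESSAGE":"Failed password for alice from 192.0.2.10 port 40022 ssh2"}
{"__REALTIME_TIMESTAMP":"1747308205000000","_HOSTNAME":"host","SYSLOG_IDENTIFIER":"sshd","_PID":"12360","PRIORITY":"6","MESSAGE":"Accepted publickey for alice from 192.0.2.10 port 40022 ssh2"}
"""


def parse_journal_json(text):
    """Yield one dict per non-empty line of `journalctl -o json` output."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def realtime_to_datetime(usec):
    """Convert journald's __REALTIME_TIMESTAMP (microseconds, as a string) to a UTC datetime."""
    return datetime.fromtimestamp(int(usec) / 1_000_000, tz=timezone.utc)


def summarize_failures(entries):
    """Group failed-password events by source IP.

    Returns {ip: {"count": int, "users": sorted list, "first": datetime, "last": datetime}}.
    Successful logins and "Connection closed" lines are ignored.
    """
    summary = defaultdict(lambda: {"count": 0, "users": set(), "first": None, "last": None})
    for entry in entries:
        match = FAILED_RE.search(entry.get("MESSAGE", ""))
        if not match:
            continue
        when = realtime_to_datetime(entry["__REALTIME_TIMESTAMP"])
        rec = summary[match["ip"]]
        rec["count"] += 1
        rec["users"].add(match["user"])
        rec["first"] = when if rec["first"] is None else min(rec["first"], when)
        rec["last"] = when if rec["last"] is None else max(rec["last"], when)
    # Freeze the user sets into sorted lists so the result is printable and comparable.
    for rec in summary.values():
        rec["users"] = sorted(rec["users"])
    return dict(summary)


def flag_bursts(summary, threshold=3):
    """Return the IPs with at least `threshold` failures, most failures first."""
    hits = [(ip, rec["count"]) for ip, rec in summary.items() if rec["count"] >= threshold]
    return [ip for ip, _ in sorted(hits, key=lambda item: (-item[1], item[0]))]


def main():
    # Pipe real data in with:
    #   journalctl -u sshd.service --since "2 hours ago" -o json | python3 ssh_failures.py
    # With no piped input the constructed sample above is analysed instead.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_JOURNAL_JSON
    summary = summarize_failures(parse_journal_json(text))
    for ip, rec in sorted(summary.items(), key=lambda item: -item[1]["count"]):
        print(f"{ip:15} {rec['count']:3} failures  users={','.join(rec['users'])}  "
              f"{rec['first'].isoformat()} .. {rec['last'].isoformat()}")
    print("threshold exceeded:", flag_bursts(summary) or "none")


if __name__ == "__main__":
    main()
```

The script keys on the `MESSAGE` text because that is what sshd writes; the JSON wrapper adds the exact microsecond timestamp and the unit, PID and host fields, which is why a `-o json` export is easier to reason about than the short text format when reconstructing a time window across many entries.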
## Where to go next

Mastering journalctl speeds up troubleshooting and monitoring work and prepares the admin for deeper systemd and logging topics; explore exporting, ingestion into SIEMs and log retention policies to round out operational knowledge.