Most of my muscle memory still types tail -f /var/log/syslog first, then realises three seconds later that the box is on Ubuntu 22 and syslog is sparse — most of the actual log content lives in journald. I had spent years dodging journalctl because it felt heavier than tail; learning seven of its flags changed my mind.
This is the cheat sheet I now reference whenever I’m debugging anything on a systemd box.
1. --since — by far the most useful
journalctl --since "10 min ago"
journalctl --since "yesterday"
journalctl --since "2026-05-04 14:00" --until "2026-05-04 15:30"
Natural-language relative times work: “10 min ago”, “1 hour ago”, “yesterday”, “today”, “monday”. Combined with --until, you can pull a precise window without grep-against-timestamps gymnastics. This alone replaces 80% of my old “grep DATETIME /var/log/syslog” muscle memory.
2. -u — filter by systemd unit
journalctl -u nginx
journalctl -u nginx --since "1 hour ago"
journalctl -u nginx -u php8.2-fpm # multiple units at once
Filtering by the unit that produced the log is the killer feature of journald over plain text logs. No more grep nginx /var/log/syslog, no more chasing a service across multiple log files. -u nginx shows you exactly that unit’s output, including its standard out and stderr, regardless of where syslog would have routed them.
3. -p — priority filter
journalctl -p err # err and worse
journalctl -p warning # warning and worse
journalctl -p notice..err # range
Priority levels, from most to least severe: emerg, alert, crit, err, warning, notice, info, debug. -p err shows everything at err level or more severe. The range syntax bounds both ends; a single level is already enough when you want “warnings but not info noise”:
# What's gone wrong on this box recently?
journalctl --since today -p warning
That’s a one-liner I run every morning on long-uptime servers.
4. --grep — regex over the journal
journalctl --grep "out of memory"
journalctl -u nginx --grep "5\d\d" # 5xx response codes
Built-in regex match against the message field. The win over piping through grep is that journalctl’s filter runs before formatting, so it’s significantly faster on large journals — and combines cleanly with --since, -u, and -p.
Use --case-sensitive=true to make matches strict; default is smart-case (case-insensitive unless your pattern has uppercase letters).
5. -k — kernel ring buffer
journalctl -k # equivalent to dmesg
journalctl -k --since today
journalctl -k -p err # kernel errors specifically
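journald captures kernel messages too. journalctl -k is a journal-aware dmesg: same content, but with proper timestamps (instead of dmesg's “seconds since boot” default), filterable by date, and persistent across reboots. Find a kernel oops from three days ago: journalctl -k --since "3 days ago" -p err. Note that -k implies -b, so on its own it only searches the current boot; if the machine has rebooted since the oops, add -b -1 (covered next) to reach the earlier boot.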
6. -b — by boot
journalctl -b # current boot only
journalctl -b -1 # previous boot
journalctl -b -2 -k # kernel msgs from two boots ago
journalctl --list-boots # list all retained boots with IDs
-b with no argument is “since the last boot” — useful for “what happened since I rebooted.” -b -1 is the boot before that, -b -2 the one before that. Combined with -p err: “what crashed last time the system was running?”
Note: journald only keeps as many boots as fit in your retention budget (SystemMaxUse in /etc/systemd/journald.conf). On a chatty server with default retention, you might only have the current and previous boot. Bump retention if you need more history.
7. --no-pager — for scripts
journalctl -u nginx --since "5 min ago" --no-pager | head -50
journalctl -p err -b --no-pager > /tmp/today-errors.txt
By default, journalctl sends its output through less when stdout is a terminal, which gets in the way in scripts and one-liners. --no-pager disables that. -n N additionally caps the output to the N most recent lines, the journalctl equivalent of tail -N.
The tail -f replacement
# Live-follow a single unit
journalctl -u nginx -f
# Live-follow with grep filter
journalctl -u nginx -f --grep "5\d\d"
# Live-follow only warnings/errors across the whole system
journalctl -p warning -f
The -f flag is exactly tail -f semantics: stream new entries as they arrive. Combined with -u, --grep, or -p, it’s strictly more powerful than tail -f on a flat log.
The combo I run most
journalctl --since today -p warning --no-pager | tail -100
“Show me anything notable on this box today, capped at the last 100 lines.” It’s the morning health-check on every server I’m responsible for. If it’s empty or boring, I move on. If it’s surprising, I dig in. The combination of --since today + -p warning filters out the noise floor that flat logs drown you in.
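An added example, not from the original post: the same morning check reduced to a count per log source, so a service that suddenly logs far more warnings than usual stands out. It assumes -o short-iso output and groups by the syslog identifier in the third column; summarize_sources and sample_journal are hypothetical names, and the sample lines are constructed.

```shell
#!/bin/sh
# Added example: count warning-or-worse journal entries per source.
# Input format assumed: `journalctl -o short-iso`, i.e.
#   TIMESTAMP HOST IDENTIFIER[PID]: MESSAGE

# summarize_sources (hypothetical helper): reads journal lines on stdin,
# prints "COUNT SOURCE" sorted by count, highest first.
summarize_sources() {
    awk '
        # Skip "-- Boot ... --" markers, indented continuation lines of
        # multi-line messages, and anything too short to carry a source.
        /^-- / || /^[ \t]/ || NF < 3 { next }
        {
            src = $3
            sub(/:$/, "", src)            # nginx[812]: -> nginx[812]
            sub(/\[[0-9]+\]$/, "", src)   # nginx[812]  -> nginx
            count[src]++
        }
        END { for (s in count) printf "%d %s\n", count[s], s }
    ' | LC_ALL=C sort -k1,1nr -k2,2
}

# sample_journal (hypothetical helper): constructed lines, not real logs.
sample_journal() {
    cat <<'EOF'
2026-05-04T06:01:12+0000 web01 nginx[812]: upstream timed out (110: Connection timed out)
2026-05-04T06:01:13+0000 web01 nginx[812]: upstream timed out (110: Connection timed out)
2026-05-04T06:02:40+0000 web01 kernel: Out of memory: Killed process 2231 (php-fpm8.2)
-- Boot 0123456789abcdef0123456789abcdef --
2026-05-04T06:05:02+0000 web01 php-fpm8.2[2260]: WARNING: [pool www] child 2231 exited on signal 9
    (constructed continuation line of the message above)
2026-05-04T06:07:55+0000 web01 nginx[812]: upstream timed out (110: Connection timed out)
2026-05-04T06:08:10+0000 web01 systemd[1]: nginx.service: Failed with result 'exit-code'.
EOF
}

# Pass --live to read the real journal; otherwise run on the sample.
if [ "${1:-}" = "--live" ]; then
    journalctl --since today -p warning -o short-iso --no-pager -q | summarize_sources
else
    sample_journal | summarize_sources
fi
```

Once a source stands out, drill into it with the flags above, for example journalctl -u nginx --since today -p warning.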
Once you have these seven flags in muscle memory, going back to tail -f /var/log/syslog feels like reading text files in cat. Worth the week of retraining.
