journalctl Workflow (Filters + Time)

journalctl lets you read logs stored in the systemd journal. This is usually the best option for a no-sudo course because you can filter logs without needing to open restricted files directly.

Simulate journal filtering with practice files

In addition to running journalctl on your system, this course includes simulated journal text so you can practice filtering logic with diff and sed.

# Go to the practice folder
cd ~/playground/chapter9

# See what changed between "before" and "after"
diff -u journal_before.txt journal_after.txt

# Mimic a "show only errors" filter
sed -n '/ERROR/p' journal_after.txt

# Filter by a unit/service keyword (e.g., sshd)
sed -n '/sshd/p' journal_after.txt

# Filter by HTTP service keyword (e.g., httpd)
sed -n '/httpd/p' journal_after.txt

Quick Reference

1) Start Broad, Then Narrow

# Current boot (often long)
journalctl -b --no-pager

# Only the last 50 messages
journalctl -n 50 --no-pager

# Since a recent time window
journalctl --since "2 hours ago" --no-pager

2) Filter by Service (unit)

Pick a unit that exists on your system. Common examples: sshd, NetworkManager, or a web service like nginx/httpd.

# Logs for SSH daemon (common on many servers)
journalctl -u sshd --since "today" --no-pager

# Focus on error-level messages for a service
journalctl -u sshd -p err..alert --since "1 hour ago" --no-pager

3) Search by text with -g (optional)

If you remember what the message contains, use -g to search the journal efficiently.

# Search journal for a keyword
journalctl -g "fail" --since "today" --no-pager

# Combine keyword + priority
journalctl -g "error" -p err..alert --since "6 hours ago" --no-pager

Interpreting Output

• Look for the first error in the time window (it’s often the root cause).
• Warnings that appear once may be less important than repeated errors.
• If you see “no space left on device” that matches the disk-full workflow from the previous page.