
Filter journalctl Logs by Service

Learn to use -u flag, find service names, combine filters, and troubleshoot effectively by finding journal logs for specific services.

— Abhishek Prakash


When your Linux system is generating thousands of log entries every minute, finding information about a specific service can feel like searching for a needle in a haystack. That's where journalctl's powerful filtering capabilities come to the rescue!

To filter journalctl logs by a specific service, use the service name in the following manner:

journalctl -u servicename

The -u flag (short for "unit") is your primary tool for filtering logs by service. It tells journalctl to show only entries related to a specific systemd unit.

journalctl -u mysql

The above command shows mysql log entries:

Jun 23 07:51:39 ghost-learnubuntu systemd[1]: Starting MySQL Community Server...
Jun 23 07:51:47 ghost-learnubuntu systemd[1]: Started MySQL Community Server.
Jun 23 07:56:53 ghost-learnubuntu systemd[1]: Stopping MySQL Community Server...
Jun 23 07:56:56 ghost-learnubuntu systemd[1]: mysql.service: Succeeded.
Jun 23 07:56:56 ghost-learnubuntu systemd[1]: Stopped MySQL Community Server.
Jun 23 07:56:56 ghost-learnubuntu systemd[1]: Starting MySQL Community Server...

Here are some other real-world examples of extracting logs of certain services:

# View Apache logs
journalctl -u apache2

# View SSH daemon logs  
journalctl -u ssh

# View Docker logs
journalctl -u docker

Finding the right service name

Before you can filter, you need to know the exact service name. One way is to list all systemd services:

systemctl list-units --type=service

This shows all currently loaded services with their exact names.

  UNIT                     LOAD   ACTIVE SUB     DESCRIPTION
  accounts-daemon.service  loaded active running Accounts Service                                                  
  acpid.service            loaded active running ACPI event daemon                                                 
  alsa-restore.service     loaded active exited  Save/Restore Sound Card State                                     
  apparmor.service         loaded active exited  Load AppArmor profiles                                            
  apport.service           loaded active exited  LSB: automatic crash report generation

As you can see above, there are five services visible. You may omit the .service part of the unit name. Instead of apport.service, you could just use apport. However, some services may have both .service and .socket units.

The problem here is that you'll have hundreds of services running. Scrolling through all of them is a waste of time. Make use of the good old grep command.

For example, find services containing "ssh" in their name.

systemctl list-units --type=service | grep ssh

This is useful because some distributions name the SSH service sshd rather than ssh. Filtering the list gives you the correct name, so that you query the right unit's logs.

🚧
Service names are case sensitive. nginx is NOT the same as Nginx.

More tips on filtering journal logs by services

You learned to show journalctl logs for a specific service. But there could still be far too many logs, or perhaps too few. Let's see more ways of expanding or narrowing down your log filtering by service.

Multiple services at once

Monitor multiple services simultaneously - perfect for troubleshooting interconnected applications!

journalctl -u nginx -u mysql -u redis

Service patterns with wildcards

View logs from all services starting with "docker". Note the quotes around the pattern!

journalctl -u 'docker*'

Service logs with context

By default, you get all the logs of the specific service. Reduce the noise by showing the last 50 log entries only.

journalctl -u servicename -n 50

Reverse chronological order

Show newest entries first - great for finding recent issues quickly.

journalctl -u servicename -r
💡
Some services have multiple related units. Docker, for example, has docker.service, docker.socket, and depends on containerd. While troubleshooting an issue with docker, you may want to also look at the dependent unit logs.

Combine with time filtering

Get journal logs for a specific date range instead of displaying all the logs for the service:

journalctl -u servicename --since "2024-01-01" --until "2024-01-02"

Add more time frames as needed:

  • --since "2023-01-01"
  • --since "yesterday"
  • --since "10 minutes ago"
  • --since "1 hour ago"

Priority-based service filtering

Show only messages at error priority or more severe from a service.

journalctl -u servicename -p err

Other priority levels you can use include:

  • debug (7)
  • info (6)
  • notice (5)
  • warning (4)
  • err (3)
  • crit (2)
  • alert (1)
  • emerg (0)

Logs from most recent service boot

Show only logs from the current boot session.

journalctl -u servicename -b

Follow service logs in real-time

Watch journalctl logs as they happen - perfect for live troubleshooting!

journalctl -u servicename -f
💡
You can combine multiple filters to narrow down your search.
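
As an added example (not part of the original article), the script below combines the steps covered so far: it resolves the exact unit names for a service from a unit listing, including related .socket units, then builds one journalctl command with several -u flags, a time window and a priority. The function names and the embedded listing are constructed for illustration; on a live host you would pipe the output of `systemctl list-units --type=service,socket --all --plain --no-legend` into `resolve_units` instead.

```sh
#!/bin/sh
# Added example (not from the original article).
# Constructed sample of:
#   systemctl list-units --type=service,socket --all --plain --no-legend
SAMPLE_UNITS='ssh.service        loaded active   running OpenBSD Secure Shell server
ssh.socket         loaded inactive dead    OpenBSD Secure Shell server socket
docker.service     loaded active   running Docker Application Container Engine
docker.socket      loaded active   running Docker Socket for the API
containerd.service loaded active   running containerd container runtime
mysql.service      loaded active   running MySQL Community Server'

# resolve_units PREFIX...: read a unit listing on stdin and print every
# .service/.socket unit whose name starts with one of the prefixes.
# The match is case-sensitive, like unit names themselves.
resolve_units() {
    listing=$(cat)
    for prefix in "$@"; do
        printf '%s\n' "$listing" |
            awk -v p="$prefix" \
                'index($1, p) == 1 && $1 ~ /\.(service|socket)$/ { print $1 }'
    done
}

# build_cmd SINCE PRIORITY: read unit names on stdin and print one journalctl
# command with a -u per unit. Refuses to build a command with no -u at all,
# because that would query the whole journal instead of the service.
build_cmd() {
    cmd="journalctl --no-pager"
    count=0
    while IFS= read -r unit; do
        if [ -n "$unit" ]; then
            cmd="$cmd -u '$unit'"
            count=$((count + 1))
        fi
    done
    if [ "$count" -eq 0 ]; then
        echo "no matching units: check the name's spelling and case" >&2
        return 1
    fi
    printf "%s --since '%s' -p %s\n" "$cmd" "$1" "$2"
}

# Demo on the constructed listing: Docker plus the containerd unit it depends on.
printf '%s\n' "$SAMPLE_UNITS" | resolve_units docker containerd |
    build_cmd "1 hour ago" err
```

A wrongly cased name such as Docker resolves to no units, so `build_cmd` fails instead of printing a command that would silently query every service.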

📋 Summary

| Option | Syntax | Description | Example |
|---|---|---|---|
| Basic Service Filter | -u servicename | Show logs for specific service | journalctl -u mysql |
| Multiple Services | -u service1 -u service2 | Monitor multiple services simultaneously | journalctl -u nginx -u mysql -u redis |
| Service Pattern | -u 'pattern*' | View logs from services matching pattern | journalctl -u 'docker*' |
| Last N Lines | -u servicename -n N | Show last N log entries for service | journalctl -u servicename -n 50 |
| Reverse Order | -u servicename -r | Show newest entries first | journalctl -u servicename -r |
| Time Range | -u servicename --since "start" --until "end" | Get logs for specific date range | journalctl -u servicename --since "2024-01-01" --until "2024-01-02" |
| Time Since | -u servicename --since "time" | Show logs since specific time | journalctl -u servicename --since "yesterday" |
| Priority Filter | -u servicename -p priority | Show only specific priority level messages | journalctl -u servicename -p err |
| Current Boot | -u servicename -b | Show logs from current boot session only | journalctl -u servicename -b |
| Follow Real-time | -u servicename -f | Watch logs in real-time as they happen | journalctl -u servicename -f |

Wrapping Up

Filtering journalctl logs by service is an essential skill for Linux system administration. It transforms overwhelming log output into focused, actionable information. Start with the basic -u flag, then gradually incorporate time filters, priority levels, and output formatting as your needs become more sophisticated.

Remember: the key to effective service log analysis is knowing your service names, understanding the relationships between services, and using the right combination of filters to find exactly what you're looking for.

Happy service debugging!
