Analyze logs with journalctl

Use journald and journalctl on a HolyCloud VPS: filter by service, priority, and time range, and manage log persistence.

On systemd-based systems (Ubuntu/Debian on a HolyCloud VPS), application and kernel logs are centralized by journald and queried with journalctl. This guide covers the essential queries for diagnosing Apache, SSH, MariaDB, or a custom service after an incident.

Prerequisites

  • HolyCloud VPS with systemd (Ubuntu 22.04+, Debian 12)
  • sudo access (some system journals are restricted)
  • Target service identified (e.g. ssh, apache2, mariadb)
  • Server timezone set for correct timestamps

Tip: Combine journalctl with the classic log files under /var/log/apache2/ and /var/log/nginx/ when the application still writes its logs to disk.

Step 1: First commands

journalctl --version
journalctl -n 30 --no-pager

Latest entries in real time (Ctrl+C to quit):

sudo journalctl -f

Current boot only:

sudo journalctl -b

Previous boot (useful after a crash; needs a persistent journal):

sudo journalctl -b -1

Step 2: Filter by systemd unit

SSH:

sudo journalctl -u ssh -n 50 --no-pager
sudo journalctl -u ssh --since "1 hour ago"

Apache:

sudo journalctl -u apache2 -p err -n 100 --no-pager

MariaDB:

sudo journalctl -u mariadb --since today

PHP-FPM (adapt version):

sudo journalctl -u php8.2-fpm -n 40 --no-pager

Step 3: Priority and error messages

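Levels, from most to least severe: emerg, alert, crit, err, warning, notice, info, debug. A single level passed to -p selects that level and everything more severe.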

Errors and above since yesterday:

sudo journalctl -p err --since yesterday --no-pager

Critical on current boot:

sudo journalctl -b -p crit..emerg --no-pager

Step 4: Time ranges

sudo journalctl --since "2026-06-20 14:00:00" --until "2026-06-20 15:00:00"
sudo journalctl --since "2 hours ago"
sudo journalctl --since today --until "16:00"

A relative time combined with -f is useful during a deployment:

sudo journalctl -u apache2 --since "10 min ago" -f

Step 5: Kernel and boot

Kernel messages:

sudo journalctl -k -b
sudo journalctl -k -p err -n 30

Boot chain (boot time):

systemd-analyze
systemd-analyze blame | head -20
systemd-analyze critical-chain

JSON export for a support ticket (check it for sensitive data before sending):

sudo journalctl -u mariadb --since "24 hours ago" -o json-pretty > /tmp/mariadb-logs.json

Text search (grep on short output):

sudo journalctl -u ssh --since today | grep -i "Failed password"
sudo journalctl | grep -i "out of memory" | tail -20
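
The "Failed password" search above, taken one step further as an added example (not part of the original guide): it counts failures per source IP. It reads the address from the right-hand end of the message because the user name is supplied by the client and can contain spaces; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: count sshd "Failed password" events per source IP.
# Real use (hypothetical threshold of 5):
#   sudo journalctl -u ssh --since today --no-pager | failed_ssh_by_ip 5

# Constructed sample lines in journalctl's default "short" output format.
sample_journal() {
    cat <<'EOF'
Jun 20 14:01:12 vps sshd[1201]: Failed password for root from 203.0.113.7 port 52144 ssh2
Jun 20 14:01:15 vps sshd[1201]: Failed password for root from 203.0.113.7 port 52144 ssh2
Jun 20 14:01:19 vps sshd[1207]: Failed password for invalid user admin from 198.51.100.23 port 40022 ssh2
Jun 20 14:02:03 vps sshd[1215]: Accepted publickey for deploy from 192.0.2.10 port 51000 ssh2: ED25519 SHA256:constructed
Jun 20 14:02:40 vps sshd[1222]: Failed password for invalid user x from 192.0.2.99 port 1 from 203.0.113.7 port 52190 ssh2
Jun 20 14:03:02 vps sshd[1230]: Connection closed by 198.51.100.23 port 40022 [preauth]
EOF
}

# Read journal lines on stdin and print "COUNT IP", highest count first.
# Optional argument: minimum number of failures to report (default 1).
failed_ssh_by_ip() {
    awk -v min="${1:-1}" '
    /Failed password for / {
        # Scan right to left: the last "from ADDR port N" is the one sshd
        # appended, whatever text the client sent as the user name.
        for (i = NF - 2; i >= 1; i--)
            if ($i == "from" && $(i + 2) == "port") { n[$(i + 1)]++; break }
    }
    END { for (ip in n) if (n[ip] >= min) print n[ip], ip }' |
        sort -k1,1nr -k2,2
}

# Run on the constructed sample.
sample_journal | failed_ssh_by_ip
```
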

Raw output without pager:

sudo journalctl -u nginx -n 200 --no-pager

Step 7: Persistence and disk space

Space used:

journalctl --disk-usage

Limit size (persistent):

sudo mkdir -p /etc/systemd/journald.conf.d
sudo nano /etc/systemd/journald.conf.d/size.conf

Contents of size.conf:

[Journal]
SystemMaxUse=500M
MaxRetentionSec=30day

Apply the new limits, then trim the existing journal:

sudo systemctl restart systemd-journald
sudo journalctl --vacuum-size=200M

Verification

sudo journalctl -u ssh -n 1 -o short-iso
sudo journalctl -p err -b --no-pager | wc -l
systemctl status ssh --no-pager

You should see consistent timestamps and be able to trace a known incident time.

HolyCloud support

  • Empty journal for a service: wrong unit name (systemctl list-units --type=service | grep -i apache)
  • Wrong timestamps: timedatectl status
  • Disk full from logs: journalctl --disk-usage, --vacuum-size
  • Contacting HolyCloud support: attach the output of journalctl -u SERVICE_NAME --since "…" -n 200 --no-pager, with sensitive data removed