Top 10 journalctl Commands Every RHCSA Candidate Should Practice
Published On: 8 July 2025
Objective
When you are preparing for the RHCSA exam, log management might not be the flashiest topic but it is one of the most important. Whether you are troubleshooting a failed service or tracking down system reboots, journalctl is your gateway to understanding what the system has been trying to tell you. The objective of this blog is to equip RHCSA candidates with essential knowledge and hands-on skills for using the journalctl command effectively. Since journalctl is a key utility for viewing and analyzing system logs on RHEL systems, mastering it can significantly improve troubleshooting capabilities—especially during time-sensitive exam scenarios. By exploring the top 10 practical commands, this guide aims to build confidence in real-world system log analysis.
Many RHCSA candidates underestimate how powerful and essential journalctl really is. Red Hat uses systemd for service and log management and journalctl is the primary command to access system logs stored in the binary journal format. In this blog, we will explore the top 10 journalctl commands that every RHCSA candidate should master not just to pass the exam, but to become a smarter, more efficient Linux admin.
Why Logs Matter in RHCSA
Before we dive into commands, let's understand why logs are important.
Logs are the first place to look when something goes wrong. Did sshd fail? Why did firewalld not start? Why did the system reboot? All of these answers can be found with journalctl. And unlike traditional tools like cat /var/log/messages, journalctl offers powerful filtering options, live logs, timestamps, and even colored output.
1. View the Entire System Journal
journalctl # Displays all logs from the system journal in chronological order
This command displays the entire system journal in chronological order. It includes logs from all services, kernel messages, user sessions and more. While this may be too much info to scroll through manually, it is a great starting point when you want to get a feel for recent system activity.
Pro Tip: Use the arrow keys to scroll and q to quit.
2. Show Logs Since Boot
journalctl -b # Shows logs from the current boot only
This is one of the most exam-relevant journalctl commands. It shows all logs from the current boot. If you are troubleshooting a service that failed after a restart, this command filters out all the noise from previous boots.
To view logs from the previous boot use:
journalctl -b -1 # Displays logs from the previous boot session
3. Filter Logs by Date and Time
journalctl --since "2025-05-30 10:00" --until "2025-05-30 11:00" # Filters logs between specified time range
This command filters logs to a specific time window. It is useful when you know something broke around a certain hour and want to isolate those events.
You can also use relative time:
journalctl --since "2 hours ago" # Shows logs from the past 2 hours
This flexibility is a lifesaver when you're under pressure during the exam.
4. View Logs for a Specific Service
journalctl -u sshd # Shows logs for the sshd service only
Want to know why a service failed? Or whether it restarted unexpectedly? Use the -u option followed by the service name to view logs related only to that unit.
You can also view logs from previous boots for that service:
journalctl -u sshd -b -1 # Logs from sshd during the previous boot
RHCSA Tip: Services like sshd, firewalld, and network often appear in practical exam tasks. Know how to debug them fast!
5. View Logs in Real Time (Follow Mode)
journalctl -f # Shows live logs as they are written, like 'tail -f'
This is like tail -f for the system journal. It shows new log entries in real time as they happen. It is ideal for monitoring a service as you restart or troubleshoot it.
You can even follow logs for a specific unit:
journalctl -u httpd -f # Live logs only for httpd service
6. Show Kernel Messages Only
journalctl -k # Displays kernel messages such as boot, hardware, and driver events
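This command shows only kernel messages (the ones that come from the kernel ring buffer), such as hardware events, driver info and boot messages. It implies -b, so you see the current boot unless you ask for another one, for example with -b -1. These logs are particularly useful when dealing with startup issues or diagnosing hardware-related problems.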
7. View Logs by User or Group
journalctl _UID=1000 # Filters logs generated by user with UID 1000
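This filters logs generated by a specific user. Replace 1000 with the UID of the user in question (often 1000 is the first non-root user). Useful when tracking activities like failed login attempts or cron jobs. Keep in mind that _UID is the UID of the process that wrote the entry, so messages that a root-owned daemon such as sshd logs about a user are recorded under that daemon's UID, not the user's.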
You can find a user's UID using:
id -u username # Retrieves the UID of a specific user
8. Display Logs with Priority Levels
journalctl -p err # Shows logs with 'error' priority and above
This shows logs with a severity of "error" or higher (e.g., err, crit, alert, emerg). Perfect for zeroing in on real problems instead of info messages and benign logs.
Use -p with other levels too:
- emerg (0)
- alert (1)
- crit (2)
- err (3)
- warning (4)
- notice (5)
- info (6)
- debug (7)
9. Limit Logs by Storage Size
journalctl --disk-usage # Displays how much disk space logs are using
Want to check how much space your system journal is using? This command displays the total disk usage of the journal logs. Useful for managing storage or troubleshooting why logs are not rotating.
If needed, clean up old logs with:
journalctl --vacuum-size=100M # Removes oldest logs until journal is under 100MB
This deletes old logs until only 100MB remain.
10. Search Logs for Specific Keywords
journalctl | grep "Failed password" # Searches logs for matching text
This searches the journal for specific strings, which is perfect for investigating failed login attempts, service errors, or specific application issues. While journalctl does not have native --grep, piping into grep works just as well.
Combine it with -u or -b for more targeted searches.
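An added example (not part of the original post): a small shell filter that turns the grep above into a per-source count of failed SSH password attempts. The sample lines are constructed, in the --output=short-iso --no-hostname format, and the function names are illustrative.

```shell
#!/bin/sh
# Added example: count failed SSH password attempts per source address.
# SAMPLE is constructed for illustration (documentation-range addresses).
SAMPLE='2025-05-30T10:01:02+0000 sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
2025-05-30T10:01:05+0000 sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
2025-05-30T10:02:11+0000 sshd[1207]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2
2025-05-30T10:02:40+0000 sshd[1210]: Accepted password for alice from 192.0.2.10 port 50100 ssh2
2025-05-30T10:03:00+0000 sshd[1215]: Failed password for invalid user x from 192.0.2.10 port 22 ssh2 from 203.0.113.5 port 51300 ssh2'

# Reads journal lines on stdin, prints "<count> <address>", highest count first.
failed_by_source() {
    awk '
        /Failed password for / {
            # Scan from the end of the line: sshd appends "from ADDR port N"
            # after the user name, so the last match is the real peer even
            # when the attempted user name itself contains "from ... port".
            for (i = NF - 2; i > 0; i--)
                if ($i == "from" && $(i + 2) == "port") { n[$(i + 1)]++; break }
        }
        END { for (a in n) print n[a], a }
    ' | sort -k1,1nr -k2,2
}

# Prints the addresses with at least $1 failed attempts, one per line.
sources_over() {
    failed_by_source | awk -v min="$1" '$1 >= min { print $2 }'
}

printf '%s\n' "$SAMPLE" | failed_by_source
```

On a live system, feed it real data with journalctl -u sshd -b --no-pager --output=short-iso --no-hostname | failed_by_source.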
Bonus
For more pleasant output:
journalctl --no-pager --output=short-iso --no-hostname # Cleaner, more readable log output
Or simply use:
journalctl -xe # Shows context-rich logs and recent errors — perfect for troubleshooting
This shows logs with explanatory context and recent errors, a favorite for debugging failed services quickly.
Practice journalctl in Realistic RHCSA Scenarios
- A Service Fails to Start: During the exam, you may be asked to troubleshoot why a service like httpd, sshd, or firewalld isn’t running. Use journalctl -u service-name to view logs specifically related to that service. It will give you precise error messages and warnings, helping you quickly pinpoint and fix the issue.
- SSH Doesn’t Work After Reboot: If SSH access fails after restarting the system, it's crucial to understand whether the problem is with networking, firewall settings, or the sshd service itself. Combine journalctl -b (for current boot) with journalctl -u sshd to narrow down recent logs and troubleshoot connection issues efficiently.
- System Crash or Unexpected Reboot: You might encounter a scenario where the system rebooted unexpectedly or crashed overnight. To investigate this, use journalctl --since "yesterday" or journalctl -b -1 to access logs from the previous boot session. This can help you trace shutdown signals, kernel panics, or failed units that caused instability.
- High Disk Usage from Log Files: Log files can consume significant disk space over time, especially in high-activity systems. Use journalctl --disk-usage to check how much space your logs are occupying. If storage is low, clean up with journalctl --vacuum-size=100M to remove old logs and free up space without deleting recent critical entries.
- Performing Under Exam Pressure: RHCSA exams are time-sensitive, and efficient use of journalctl can save precious minutes. Practicing these commands in real or virtual RHEL 9 environments will help you develop muscle memory for filtering logs, identifying issues, and taking corrective actions, all without wasting time searching manually.
Conclusion
At the end of the day, mastering journalctl isn't just about passing the RHCSA exam; it's about truly understanding your system. Logs tell the real story of what’s happening under the hood, and being able to quickly find, filter, and interpret them is what separates a good admin from a great one. Don’t just memorize the commands; actually use them in different scenarios, break things on purpose, and see how the system responds. The more time you spend exploring logs, the more confident and capable you'll become when something goes wrong, and that’s exactly what the exam (and real-world sysadmin life) is all about. And if you want a structured, hands-on way to do that, platforms like RHCSA.GURU can be a great resource to sharpen your skills the right way.