Build journalctl commands for the systemd journal by service, priority, time range, and pattern — then turn the query into an Alert24 continuous-monitoring config.
journalctl
Click any example to load it into the builder above.
A one-off journalctl command only tells you what happened when you run it. Drop this log_searches block into your Alert24 server agentconfig and the agent re-runs the same journald query every interval, reporting the match count so you get paged the moment it spikes (e.g. >10 SSH failures in a minute).
{
"log_searches": [
{
"name": "journal_events",
"source": "journald",
"unit": null,
"pattern": null,
"min_priority": null
}
]
}This search matches every journal line (pure volume tracking). Add a unit, pattern, or priority to make it specific.
Log-search monitoring is an Alert24 Pro/Enterprise feature. Every plan includes server agents (3 free; 5 per unit on paid plans), and the journald source runs on Linux hosts only.
Alert24’s lightweight agent watches your log files where they live and alerts on error spikes, pattern matches, log floods, and sudden silence — no log shipping, no SIEM bill, no per-GB ingest pricing.
Try Alert24 log monitoringOur team can help implement enterprise-grade solutions. Get personalized recommendations in a free 30-minute consultation.
journalctl is the query tool for the systemd journal, the binary, indexed log store that systemd-journald maintains on modern Linux distributions. Instead of grepping scattered text files in /var/log, you ask the journal structured questions: logs for one service, at a given priority, within a time range, matching a pattern, or from a specific boot. This builder assembles a correct command from those choices so you never have to memorize the flags.
Priorities follow the classic syslog severity scale. Passing a single level to -p matches that level and everything more severe, so -p warning includes warning, err, crit, alert, and emerg.
| Number | Name | Meaning |
|---|---|---|
| 0 | emerg | System is unusable |
| 1 | alert | Action must be taken immediately |
| 2 | crit | Critical conditions |
| 3 | err | Error conditions |
| 4 | warning | Warning conditions |
| 5 | notice | Normal but significant |
| 6 | info | Informational |
| 7 | debug | Debug-level messages |
systemd accepts friendly time expressions in addition to absolute timestamps. Useful values include today, yesterday, now, relative phrases like "1 hour ago" or "2 days ago", and absolute stamps such as "2026-06-01 09:00:00". Quote any value that contains a space.
Running journalctlby hand answers "what happened?" but only at the moment you look. To know the instant a pattern spikes — failed SSH logins, OOM kills, service crashes — you need something watching the journal on every host. The Alert24 server agent does exactly that: it re-runs your journald query each interval and reports the match count back as a metric, which you can threshold with alert rules (for example, page on call when failures exceed 10 in a minute). This builder generates the matching log_searches config block alongside the command, so the jump from investigation to monitoring is copy-and-paste.
Plan notes: Alert24 server agents are free for up to 3 hosts, and 5 per subscription unit on paid plans. Log-search monitoring (the journald/file/Windows-Event source feature) is included on Pro and Enterprise plans. The journald source runs on Linux hosts only.
Common questions about the journalctl Command Builder
Use the -u (or --unit) flag with the unit name, for example "journalctl -u sshd". You can repeat -u to match several units, and combine it with -p for priority or --since for a time window. This builder adds -u automatically when you fill in the Unit / service field.
Pass a human-friendly time expression to --since, such as "journalctl --since yesterday" or "journalctl --since '1 hour ago'". systemd understands "today", "yesterday", relative phrases like "2 days ago", and absolute timestamps in "YYYY-MM-DD HH:MM:SS" form. Add --until to cap the upper bound.
-p filters by syslog priority (emerg through debug); specifying a single level shows that level and everything more severe. -g filters the message text with a Perl-compatible regular expression. They are independent, so "journalctl -p err -g timeout" shows error-or-worse entries whose message matches "timeout".
Add the -f (follow) flag, e.g. "journalctl -u nginx -f". It behaves like tail -f, printing new entries as they are written. Combine it with -n 50 to show the last 50 lines first, then keep streaming.
Use -k (or --dmesg) to restrict output to kernel messages, equivalent to the dmesg ring buffer. Combine with --since today or -p err to narrow further, for example "journalctl -k -p err --since today".
-b limits output to a single boot. "journalctl -b" shows the current boot, "journalctl -b -1" the previous boot, "-b -2" the one before that, and so on. Run "journalctl --list-boots" to see all recorded boot IDs.
Use -o json for one JSON object per line (ideal for piping into jq or a log shipper) or -o json-pretty for human-readable formatting. Other useful modes are -o cat (message only) and -o verbose (every field).
Yes. A journalctl command is a point-in-time query — it only reports what you see when you run it. This tool also emits an Alert24 server-agent log_searches config block for the same unit, pattern, and priority. The agent re-runs the journald query every interval and reports the match count, so you can alert when, say, SSH failures spike. Log-search monitoring is an Alert24 Pro/Enterprise feature; server agents are free for up to 3 hosts (5 per unit on paid plans).
Continue with these related tools
Summarize any text with AI that runs entirely in your browser — paste an article, contract, or report and get bullet points or a TL;DR. Unlike cloud summarizers, your text is never uploaded.
Chat with an AI model that runs entirely in your browser — free, no signup, no API key. Pick a model like Llama 3.2 or Qwen 2.5, load your own GGUF file, and conversations never leave your device.
Analyze Terraform plans for security risks, blast radius, and dependencies. Reduce production incidents by understanding infrastructure changes before applying them.
Official systemd documentation for every journalctl flag and field.
freedesktop.orgReference for journal fields such as _UID, _PID, and _COMM used in filters.
freedesktop.orgTurn journald queries into continuous, alertable metrics.
Alert24This tool is provided for informational and educational purposes only. All processing happens entirely in your browser — no data is sent to or stored on our servers. While we strive for accuracy, we make no warranties about the completeness or reliability of results.