systemd-journald stores its logs in /var/log/journal/<machine-id>/ when persistent storage is enabled, or in /run/log/journal/<machine-id>/ when storage is volatile (a tmpfs cleared on every reboot — the default when /var/log/journal doesn't exist). The files are binary *.journal files that you read with journalctl, never with cat or tail directly.
Quick Reference: journald Log Paths and Settings
| Item | Location / Value |
|---|---|
| Persistent journal directory | /var/log/journal/<machine-id>/ |
| Volatile (RAM) journal directory | /run/log/journal/<machine-id>/ |
| Active system journal file | .../system.journal |
| Per-user journals | .../user-<UID>.journal |
| Main config file | /etc/systemd/journald.conf |
| Drop-in overrides | /etc/systemd/journald.conf.d/*.conf |
| Machine ID source | /etc/machine-id |
| Storage mode setting | Storage= (auto / persistent / volatile / none) |
| Max disk for persistent journal | SystemMaxUse= |
| Max RAM for volatile journal | RuntimeMaxUse= |
| Forward to rsyslog | ForwardToSyslog=yes |
The <machine-id> subdirectory matches the contents of /etc/machine-id, so paths look like /var/log/journal/9f8c.../system.journal.
How to View and Tail journald Logs
journalctl # all logs, oldest first
journalctl -e # jump to the end (most recent)
journalctl -f # follow live, like tail -f
journalctl -r # reverse: newest first
journalctl -n 100 # last 100 lines
# Scope by boot
journalctl -b # current boot
journalctl -b -1 # previous boot
journalctl --list-boots # list available boots
# Scope by unit, priority, time
journalctl -u sshd # one service
journalctl -u nginx --since today
journalctl -p err # priority error and above (0-7 / emerg-debug)
journalctl --since "2026-06-01 09:00" --until "2026-06-01 10:00"
journalctl -k # kernel messages (dmesg equivalent)
# Output formats
journalctl -o json-pretty
journalctl -o cat # message text only, no metadata
To read journal files from another machine (e.g. recovered from a dead server):
journalctl --file /mnt/recover/var/log/journal/<machine-id>/system.journal
journalctl --directory /mnt/recover/var/log/journal/<machine-id>/
Persistent vs. Volatile Storage
The behavior is controlled by Storage= in /etc/systemd/journald.conf:
auto(default on most distros) — persistent only if/var/log/journal/exists; otherwise volatile in/run/log/journal/.persistent— always write to/var/log/journal/, creating it if needed.volatile— always write to/run/log/journal/(RAM); lost on reboot.none— keep nothing on disk (logs can still be forwarded to syslog or read live).
To switch a machine from volatile to persistent:
sudo mkdir -p /var/log/journal
sudo systemd-tmpfiles --create --prefix /var/log/journal
sudo systemctl restart systemd-journald
Or set it explicitly and restart:
# in /etc/systemd/journald.conf
[Journal]
Storage=persistent
sudo systemctl restart systemd-journald
Verify which mode is active:
journalctl --header | grep -i path # shows the active journal file path
If the active file lives under /run/log/journal, you're volatile; under /var/log/journal, you're persistent.
Log Rotation and Disk Limits
journald does not use logrotate. It rotates and prunes its own files based on the limits in journald.conf:
| Setting | Default-ish behavior |
|---|---|
SystemMaxUse= | Cap on total persistent journal size (defaults to 10% of the filesystem, max 4 GB) |
SystemKeepFree= | Always leave this much free space (defaults to 15% of the filesystem) |
SystemMaxFileSize= | Max size of a single journal file before rotation |
MaxRetentionSec= | Delete entries older than this |
MaxFileSec= | Force a new journal file after this much time |
RuntimeMaxUse= | Same as SystemMaxUse but for the volatile /run journal |
Check and trim usage on demand:
journalctl --disk-usage # current total size
sudo journalctl --vacuum-size=500M # keep at most 500 MB
sudo journalctl --vacuum-time=2weeks # delete entries older than 2 weeks
sudo journalctl --vacuum-files=5 # keep at most 5 archived files
After editing limits, apply them with sudo systemctl restart systemd-journald.
Common Errors You'll Find in journald Logs
Failed to start <unit>.service.— a unit failed; follow withjournalctl -u <unit> -bfor the root cause.Journal file /var/log/journal/.../system.journal corrupted, ignoring file.— a journal was truncated (often an unclean shutdown); journald rotates past it automatically but you lose those entries.Suspending input on /dev/kmsg...orSuppressed N messages from ...— rate limiting kicked in (RateLimitIntervalSec/RateLimitBurst); a noisy unit is flooding the journal.Time has been changed— the system clock jumped, which can scramble chronological ordering injournalctloutput.No space left on devicewith journald failing to write — the filesystem holding/var/log/journalis full; vacuum the journal or lowerSystemMaxUse.Permission deniedfromjournalctlfor a normal user — add the user to thesystemd-journalgroup to read system logs without sudo.
Troubleshooting: Logs Missing or Empty
- Logs disappear after every reboot — You're in volatile mode. Create
/var/log/journaland restart journald, or setStorage=persistent. journalctlshows "No journal files were found" — Either journald has written nothing yet (fresh boot, volatile mode) or your user lacks access. Try withsudo, and checksystemctl status systemd-journald.journalctl -b -1says "Specifying boot ID has no effect, no persistent journal was found" — Without persistent storage there is only the current boot. Enable persistence to retain previous boots.- A service produces no journal entries — Confirm the unit actually writes to stdout/stderr (journald captures those). Services that daemonize and write only to their own file won't appear unless configured to log to the journal.
- Permission denied reading another user's journal — Per-user journals (
user-<UID>.journal) are restricted; root or membership insystemd-journalis required to read across users. - Disk usage keeps growing —
SystemMaxUsemay be unset or too high. Set an explicit cap and runjournalctl --vacuum-size.