journalctl

systemd journal query tool — filtered, structured access to Linux logs.

Logging & SIEM Built-in OS CLI Learning Linux


Description

journalctl is the query CLI for the systemd journal, the binary, indexed log store used by modern Linux distributions. It supplements (and on many distros replaces) classic /var/log/* files for kernel, service, and authentication events.

Why it matters:

  • Structured fields make filtering precise (_SYSTEMD_UNIT, _UID, PRIORITY).
  • Time windows (--since, --until) for incident scoping.
  • Tail mode (-f) for live monitoring.
  • Boot navigation (--list-boots, -b -1) for crash analysis.

Use cases

  • Pulling SSH login activity during an incident
  • Following a service in real time
  • Recovering logs from the previous boot after a crash

Example

sudo journalctl _SYSTEMD_UNIT=ssh.service --since "1 hour ago" -o json   # SSH unit, last hour, one JSON object per line
sudo journalctl -k -b -1     # kernel ring buffer from previous boot
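The first command above emits one JSON object per journal entry, which is what makes the output easy to triage with a script. The following added example (not part of the original page or of systemd) parses a constructed sample of that output, keeps only sshd authentication lines for one unit and an optional start time (mirroring `_SYSTEMD_UNIT=` and `--since`), and counts failed logins per source address; the IPs, timestamps and the threshold are invented for illustration.

```python
import json
import re
from collections import Counter

# Constructed sample of `journalctl _SYSTEMD_UNIT=ssh.service -o json` output:
# one JSON object per line, IPs from documentation ranges, not real hosts.
SAMPLE_JOURNAL = """\
{"__REALTIME_TIMESTAMP":"1700000000000000","_SYSTEMD_UNIT":"ssh.service","PRIORITY":"6","MESSAGE":"Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2"}
{"__REALTIME_TIMESTAMP":"1700000001000000","_SYSTEMD_UNIT":"ssh.service","PRIORITY":"6","MESSAGE":"Failed password for root from 203.0.113.5 port 40123 ssh2"}
{"__REALTIME_TIMESTAMP":"1700000002000000","_SYSTEMD_UNIT":"ssh.service","PRIORITY":"6","MESSAGE":"Accepted publickey for alice from 198.51.100.7 port 51515 ssh2: ED25519 SHA256:placeholder"}
{"__REALTIME_TIMESTAMP":"1700000003000000","_SYSTEMD_UNIT":"cron.service","PRIORITY":"6","MESSAGE":"pam_unix(cron:session): session opened for user root"}
{"__REALTIME_TIMESTAMP":"1700000004000000","_SYSTEMD_UNIT":"ssh.service","PRIORITY":"6","MESSAGE":"Failed password for invalid user test from 203.0.113.5 port 40124 ssh2"}
"""

# sshd auth line shape: "<Accepted|Failed> <method> for [invalid user ]<user> from <ip> port <n> ..."
AUTH_RE = re.compile(
    r"^(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)

def parse_journal_json(text):
    """Yield one dict per journal entry; blank or malformed lines are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue

def ssh_auth_events(text, unit="ssh.service", since_us=None):
    """Return (timestamp_us, result, user, ip) for sshd auth lines of `unit` at or after `since_us`."""
    events = []
    for entry in parse_journal_json(text):
        if entry.get("_SYSTEMD_UNIT") != unit:
            continue
        ts = int(entry.get("__REALTIME_TIMESTAMP", 0))   # journal exports it as a string, in microseconds
        if since_us is not None and ts < since_us:
            continue
        m = AUTH_RE.match(entry.get("MESSAGE", ""))
        if m:
            events.append((ts, m["result"], m["user"], m["ip"]))
    return events

def failed_logins_by_source(text, threshold=3):
    """Count failed SSH authentications per source IP and return those reaching `threshold`."""
    counts = Counter(ip for _, result, _, ip in ssh_auth_events(text) if result == "Failed")
    return {ip: n for ip, n in counts.items() if n >= threshold}
```

Pipe real output in with `journalctl _SYSTEMD_UNIT=ssh.service --since "1 hour ago" -o json | python3 -c '...'` or read it from a saved file; the cron entry in the sample shows why the unit filter matters when the export was taken without one.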