Locate And Interpret System Log Files And Journals
General Information
Systemd introduces the journalctl command, which interacts with the journald service. It is a way of viewing all logs in one place. By default the journal is not persistent across reboots, in order to preserve traditional logging.
Locate and interpret system log files and journals
Traditional Log Files
Log file directory: /var/log/
Common Log Files
Log File | Description |
---|---|
/var/log/audit/audit.log | SELinux writes here; audit messages |
/var/log/boot.log | System startup logs |
/var/log/cron | Cron jobs log file |
/var/log/cups | Print service CUPS |
/var/log/dmesg | Kernel log messages |
/var/log/httpd/ | Apache web server |
/var/log/maillog | Mail related messages |
/var/log/messages | Most system messages written here. Generic log file. |
/var/log/secure | Authentication related messages |
/var/log/sssd | Authentication messages related to sssd service |
Common tools often used to view log files:
- less
- tail
- head
- cat
- zcat (for gzipped log files)
- grep
Boot Process
Show bootup process summary
systemd-analyze
Show how long each unit took to start during boot
systemd-analyze blame
The Journal
New Systemd Logging
- journald ⇒ systemd's service that collects and stores log data.
- journalctl ⇒ query the systemd journal. This provides a single pane of glass to all logs that are typically spread out amongst several different files in /var/log/
Show last 10 lines of log files
journalctl -n
- -n ⇒ shows the most recent events, limiting the number of lines to the argument to -n (argument is optional and defaults to 10)
Show last 10 lines with further explanation
journalctl -xn
- -x ⇒ augment log lines with additional explanation lines
Show most recent messages and continue to follow log file
journalctl -f
- equivalent to “tail -f <logfile>”
Show all logs with a priority of “info” or more severe
journalctl -p info
Show all logs since yesterday
journalctl --since=yesterday
Turn Journal Persistent
On CentOS 7, by default, journald writes to /run/log/journal.
To make the journal persistent:
- Create a journal directory in /var/log
mkdir /var/log/journal
- Make systemd-journal the group owner and set the setgid permission
- Option 1:
systemd-tmpfiles --create --prefix /var/log/journal
- Option 2:
chown :systemd-journal /var/log/journal
chmod 2750 /var/log/journal
- Restart the journal service
systemctl restart systemd-journald