====== Locate And Interpret System Log Files And Journals ======
**General Information**
Systemd introduces the journalctl command, which interacts with the journald service. It provides a single way to view all log data at once; by default the journal is not persistent across reboots, so traditional logging to files under /var/log is preserved alongside it.
----
===== Locate and interpret system log files and journals =====
==== Traditional Log Files ====
Log file directory: /var/log/
\\
Common Log Files
^ Log File ^ Description ^
| /var/log/audit/audit.log | SELinux writes here; audit messages |
| /var/log/boot.log | System startup logs |
| /var/log/cron | Cron jobs log file |
| /var/log/cups | Print service CUPS |
| /var/log/dmesg | Kernel log messages |
| /var/log/httpd/ | Apache web server |
| /var/log/maillog | Mail related messages |
| /var/log/messages | Most system messages written here. Generic log file. |
| /var/log/secure | Authentication related messages |
| /var/log/sssd | Authentication messages related to sssd service |
\\
Common tools often used to view log files:
* less
* tail
* head
* cat
* zcat (for gzipped log files)
* grep
----
==== Boot Process ====
Show bootup process summary
systemd-analyze
\\
Details of time each process took during boot
systemd-analyze blame
----
==== The Journal ====
New Systemd Logging
* journald => systemd's service that collects and stores log data.
* journalctl => query the systemd journal. This provides a single pane of glass to all logs that are typically spread out amongst several different files in /var/log/
\\
Show last 10 lines of log files
journalctl -n
* -n => shows the most recent events, limiting the number of lines to the value given to -n (the value is optional and defaults to 10)
\\
Show last 10 lines with further explanation
journalctl -xn
* -x => augment log lines with additional explanation lines
\\
Show most recent messages and continue to follow log file
journalctl -f
* equivalent to "tail -f" on a log file
\\
Show all log entries with a priority of "info" or more urgent
journalctl -p info
\\
Show all logs since yesterday
journalctl --since=yesterday
----
==== Turn Journal Persistent ====
On CentOS 7, by default, journald writes to /run/log/journal.
\\
To make the journal persistent:
* Create a journal directory in /var/log: mkdir /var/log/journal
* Make systemd-journal the group owner and set the setgid bit so files created inside inherit the group
* Option 1: systemd-tmpfiles --create --prefix /var/log/journal
* Option 2: chown :systemd-journal /var/log/journal followed by chmod 2750 /var/log/journal
* **Hint**: Check the ownership and permissions of /run/log/journal and make /var/log/journal match them.
* Restart the journal service: systemctl restart systemd-journald
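As an added example (not part of these notes), a small POSIX shell check that reports whether journald will actually keep logs across reboots and whether the journal directory matches the ownership and mode set above. It assumes GNU stat and the default paths /etc/systemd/journald.conf and /var/log/journal; the Storage= behaviour is that of journald.conf(5), where "auto" only persists if the directory already exists.

```shell
#!/bin/sh
# Added example, not from the original notes. Assumed defaults:
# CONF=/etc/systemd/journald.conf and DIR=/var/log/journal.

# Print the effective Storage= value from a journald.conf-style file.
# Commented lines are ignored, the last uncommented value wins, default "auto".
journal_storage_mode() {
    conf="${1:-/etc/systemd/journald.conf}"
    mode=auto
    if [ -r "$conf" ]; then
        v=$(sed -n 's/^[[:space:]]*Storage[[:space:]]*=[[:space:]]*//p' "$conf" \
            | sed 's/[[:space:]]*$//' | tail -n 1)
        [ -n "$v" ] && mode=$v
    fi
    printf '%s\n' "$mode"
}

# Classify the journal:
#   Storage=persistent -> persistent (journald creates the directory itself)
#   Storage=auto       -> persistent only if the directory already exists
#   Storage=volatile   -> volatile (kept under /run/log/journal, lost on reboot)
#   Storage=none       -> nothing stored by journald at all
journal_is_persistent() {
    conf="${1:-/etc/systemd/journald.conf}"
    dir="${2:-/var/log/journal}"
    case "$(journal_storage_mode "$conf")" in
        persistent) echo persistent ;;
        auto) if [ -d "$dir" ]; then echo persistent; else echo volatile; fi ;;
        volatile) echo volatile ;;
        none) echo none ;;
        *) echo unknown ;;
    esac
}

# Verify the directory is set up as the notes describe: group systemd-journal
# and mode 2750 (setgid so new files inherit the group, no access for others).
# Returns 0 when both match, 1 otherwise. GNU stat assumed.
journal_dir_ok() {
    dir="${1:-/var/log/journal}"
    grp="${2:-systemd-journal}"
    [ -d "$dir" ] || return 1
    [ "$(stat -c '%G' "$dir")" = "$grp" ] || return 1
    [ "$(stat -c '%a' "$dir")" = "2750" ] || return 1
}
```

Run `journal_is_persistent` and `journal_dir_ok` with no arguments on a live CentOS 7 host to audit the defaults; pass explicit paths to check a test directory.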
----