====== Locate And Interpret System Log Files And Journals ======

**General Information**

Systemd introduces the ''journalctl'' command, which interacts with the ''journald'' service. It gives one view of all log data at once. By default the journal is not persistent across reboots; this default keeps the traditional log files under ''/var/log/'' as the persistent record.

----

===== Locate and interpret system log files and journals =====

==== Traditional Log Files ====

Log file directory: ''/var/log/''
\\
Common Log Files

^ Log File ^ Description ^
| /var/log/audit/audit.log | SELinux writes here; audit messages |
| /var/log/boot.log | System startup logs |
| /var/log/cron | Cron jobs log file |
| /var/log/cups | Print service CUPS |
| /var/log/dmesg | Kernel log messages |
| /var/log/httpd/ | Apache web server |
| /var/log/maillog | Mail related messages |
| /var/log/messages | Most system messages are written here. Generic log file. |
| /var/log/secure | Authentication related messages |
| /var/log/sssd | Authentication messages related to the sssd service |
\\
Common tools often used to view log files:
  * less
  * tail
  * head
  * cat
  * zcat (for gzipped log files)
  * grep

----

==== Boot Process ====

Show a summary of the boot process:
<code>
systemd-analyze
</code>
\\
Details of the time each unit took during boot:
<code>
systemd-analyze blame
</code>

----

==== The Journal ====

New Systemd Logging
  * journald => systemd's service that collects and stores log data.
  * journalctl => query the systemd journal.
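Both the traditional files above (''/var/log/secure'' in particular) and journalctl's default output use the same syslog line layout, so the same grep/awk/sort/uniq workflow reads either. The following is an added example, not part of the wiki page: it builds a constructed sshd excerpt (hosts, PIDs and addresses are made up; the addresses are from the documentation ranges), reads plain or gzip-rotated copies with cat or zcat, counts failed password attempts per source address, and lists sources that later had an accepted login. Only standard POSIX tools plus gzip/zcat are assumed.

```shell
#!/bin/sh
# Added example (not from the wiki page): the grep/awk/sort/uniq workflow over
# an sshd excerpt in the syslog line format used by /var/log/secure and by
# journalctl's default output. The input below is a constructed sample.

SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Mar  3 10:12:01 host1 sshd[2231]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2
Mar  3 10:12:05 host1 sshd[2231]: Failed password for root from 192.0.2.10 port 51240 ssh2
Mar  3 10:13:11 host1 sshd[2240]: Accepted publickey for alice from 192.0.2.20 port 51300 ssh2
Mar  3 10:14:02 host1 sshd[2250]: Failed password for root from 198.51.100.7 port 40022 ssh2
Mar  3 10:14:30 host1 systemd[1]: Started Session 12 of user alice.
Mar  3 10:15:00 host1 sshd[2260]: Accepted password for bob from 198.51.100.7 port 40030 ssh2
EOF
# A rotated copy, as logrotate would leave it (read with zcat rather than cat).
gzip -c "$SAMPLE_LOG" > "$SAMPLE_LOG.gz"

# read_log FILE: print the file, decompressing .gz files so one function
# serves both the live log and its rotated predecessors.
read_log() {
    case "$1" in
        *.gz) zcat "$1" ;;
        *)    cat "$1" ;;
    esac
}

# failed_logins_by_source FILE: count sshd "Failed password" lines per source
# address, most frequent first, printed as "<address> <count>".
failed_logins_by_source() {
    read_log "$1" \
      | grep 'sshd\[[0-9]*\]: Failed password' \
      | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i+1) }' \
      | sort | uniq -c | sort -rn \
      | awk '{ print $2, $1 }'
}

# accepted_after_failures FILE: source addresses with at least one failed
# password attempt followed later by an accepted login. Lines are processed in
# file order, so only failures that precede the acceptance count.
accepted_after_failures() {
    read_log "$1" | awk '
        /sshd\[[0-9]*\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") failed[$(i+1)] = 1
        }
        /sshd\[[0-9]*\]: Accepted / {
            for (i = 1; i <= NF; i++) if ($i == "from" && failed[$(i+1)]) print $(i+1)
        }
    ' | sort -u
}

# Stand-alone run: show both reports for the live sample and the rotated copy.
for f in "$SAMPLE_LOG" "$SAMPLE_LOG.gz"; do
    echo "== $f =="
    failed_logins_by_source "$f"
    echo "-- failed then accepted --"
    accepted_after_failures "$f"
done
```

On a real system the same functions run over ''/var/log/secure'' and ''/var/log/secure-*.gz'', or over ''journalctl -t sshd'' output piped through them instead of ''read_log''.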
This provides a single pane of glass for all logs that are typically spread out amongst several different files in ''/var/log/''.
\\
Show the last 10 lines of the journal:
<code>
journalctl -n
</code>
  * ''-n'' => shows the most recent events, limiting the number of lines to the argument of ''-n'' (the argument is optional and defaults to 10)
\\
Show the last 10 lines with further explanation:
<code>
journalctl -xn
</code>
  * ''-x'' => augment log lines with additional explanation lines
\\
Show the most recent messages and continue to follow the journal:
<code>
journalctl -f
</code>
  * equivalent to ''tail -f''
\\
Show all logs with a priority of "info":
<code>
journalctl -p info
</code>
\\
Show all logs since yesterday:
<code>
journalctl --since=yesterday
</code>

----

==== Turn Journal Persistent ====

On CentOS 7, by default, journald writes to ''/run/log/journal''.
\\
To make the journal persistent:
  * Create a journal directory in ''/var/log'': ''mkdir /var/log/journal''
  * Make ''systemd-journal'' the group owner and set the setgid (SGID) permission:
    * Option 1: ''systemd-tmpfiles --create --prefix /var/log/journal''
    * Option 2: ''chown :systemd-journal /var/log/journal'' followed by ''chmod 2750 /var/log/journal''
  * **Hint**: Check the ''/run/log/journal'' directory ownership and permissions. Make ''/var/log/journal'' the same.
  * Restart the journal service: ''systemctl restart systemd-journald''

----
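The hint above (make ''/var/log/journal'' match ''/run/log/journal'') is easy to verify before and after the restart. The following is an added example and not part of the wiki page: a small check script that confirms a journal directory exists, is group-owned by ''systemd-journal'' and has mode 2750, and compares two directories' group and mode. It assumes GNU ''stat'' with ''-c'' (Linux); the ''--live'' run against the real paths is a convenience for the reader.

```shell
#!/bin/sh
# Added example (not from the wiki page): verify the ownership and mode the
# page prescribes for a persistent journal directory, and compare it with the
# directory journald already uses. Assumes GNU stat (Linux).

# dir_group_and_mode DIR: print "<group> <octal mode>", e.g. "systemd-journal 2750".
# GNU stat's %a includes the setgid bit, so a 2750 directory prints as 2750.
dir_group_and_mode() {
    stat -c '%G %a' "$1"
}

# check_journal_dir DIR GROUP
# Returns 0 when DIR is a directory group-owned by GROUP with mode exactly 2750
# (setgid so new journal files inherit the group; no access for others).
# Prints one line per problem so the caller sees what to fix.
check_journal_dir() {
    dir=$1
    want_group=$2
    rc=0
    if [ ! -d "$dir" ]; then
        echo "missing: $dir is not a directory"
        return 1
    fi
    group=$(stat -c '%G' "$dir")
    mode=$(stat -c '%a' "$dir")
    if [ "$group" != "$want_group" ]; then
        echo "group: $dir is owned by group '$group', expected '$want_group'"
        rc=1
    fi
    if [ "$mode" != "2750" ]; then
        echo "mode: $dir has mode $mode, expected 2750"
        rc=1
    fi
    return $rc
}

# same_group_and_mode REFERENCE DIR
# The page's hint as a test: DIR matches REFERENCE (/run/log/journal on a live
# system) in both group ownership and mode.
same_group_and_mode() {
    [ "$(dir_group_and_mode "$1")" = "$(dir_group_and_mode "$2")" ]
}

# Stand-alone run against the real paths: sh thisfile.sh --live
if [ "${1:-}" = "--live" ]; then
    if check_journal_dir /var/log/journal systemd-journal; then
        echo "/var/log/journal: group and mode OK"
    fi
    if same_group_and_mode /run/log/journal /var/log/journal; then
        echo "/var/log/journal matches /run/log/journal"
    else
        echo "/var/log/journal differs from /run/log/journal:"
        dir_group_and_mode /run/log/journal
        dir_group_and_mode /var/log/journal
    fi
fi
```

A non-zero exit from ''check_journal_dir'' after ''systemctl restart systemd-journald'' means journald will keep writing to ''/run/log/journal'' and the journal is still lost at reboot.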