Locate And Interpret System Log Files And Journals

General Information

systemd introduces the journalctl command, which queries the journald service. It gives a single view of all logging at once, but on CentOS 7 the journal is kept under /run by default, so it does not survive a reboot; the traditional rsyslog files in /var/log remain the persistent record. This matters for incident response: a volatile journal is gone as soon as an attacker (or a panic) reboots the host, so either rely on /var/log or make the journal persistent as described below.

Log file directory: /var/log/

Common Log Files

Log File                  Description
/var/log/audit/audit.log  Audit messages written by auditd; SELinux AVC denials land here
/var/log/boot.log         System startup messages
/var/log/cron             Cron job activity
/var/log/cups/            Print service (CUPS) logs
/var/log/dmesg            Kernel ring-buffer messages captured at boot
/var/log/httpd/           Apache web server access and error logs
/var/log/maillog          Mail-related messages
/var/log/messages         Most system messages; the generic catch-all log
/var/log/secure           Authentication and authorization messages (sshd, sudo, PAM)
/var/log/sssd/            Authentication messages from the sssd service

Common tools often used to view log files:

  • less
  • tail
  • head
  • cat
  • zcat (for rotated, gzip-compressed log files such as secure-20240303.gz)
  • grep
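As an added example (not part of the original notes), the functions below triage SSH authentication events in a /var/log/secure-style file with the tools listed above: grep selects the sshd lines, awk pulls out user and source address, and rotated .gz copies are handled with zcat. The log lines in write_sample_log are constructed for illustration; point the functions at the real /var/log/secure to use them.

```shell
#!/bin/sh
# Added example, not from the original notes. Sample log content is constructed.

# Write a few constructed /var/log/secure-style lines to the file given as $1.
write_sample_log() {
    cat > "$1" <<'EOF'
Mar  3 10:12:01 web1 sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 10:12:04 web1 sshd[1203]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar  3 10:12:09 web1 sshd[1205]: Failed password for invalid user test from 198.51.100.9 port 40011 ssh2
Mar  3 10:15:30 web1 sshd[1210]: Accepted publickey for deploy from 192.0.2.10 port 55000 ssh2: ED25519 SHA256:AAAA
Mar  3 10:16:00 web1 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/systemctl restart httpd
EOF
}

# Print a log file, decompressing rotated .gz copies transparently.
read_log() {
    case "$1" in
        *.gz) zcat "$1" ;;
        *)    cat "$1" ;;
    esac
}

# Count "Failed password" events per source IP, most frequent first.
# Output: "<count> <ip>" per line. The "from" token is located by name so the
# extraction works whether or not the line contains "invalid user".
failed_by_ip() {
    read_log "$1" \
      | grep 'sshd\[[0-9]*\]: Failed password' \
      | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i+1) }' \
      | sort | uniq -c | sort -rn \
      | awk '{ print $1, $2 }'
}

# List successful logins. Output: "<user> <ip> <method>" per line.
accepted_logins() {
    read_log "$1" \
      | grep 'sshd\[[0-9]*\]: Accepted ' \
      | awk '{
            user = ""; ip = ""; method = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "Accepted") method = $(i+1)
                if ($i == "for")  user = ($(i+1) == "invalid") ? $(i+3) : $(i+1)
                if ($i == "from") ip = $(i+1)
            }
            print user, ip, method
        }'
}

# Demo run on the constructed sample (a real run would use /var/log/secure*).
sample=$(mktemp)
write_sample_log "$sample"
echo "Failed password attempts by source:"
failed_by_ip "$sample"
echo "Accepted logins:"
accepted_logins "$sample"
rm -f "$sample"
```

Run it over every rotation at once with a loop such as `for f in /var/log/secure*; do failed_by_ip "$f"; done`; the .gz branch in read_log is what makes the older rotations readable without extracting them.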

Show bootup process summary (time spent in firmware, loader, kernel and userspace)

systemd-analyze

Details of how long each unit took during boot, slowest first

systemd-analyze blame

New Systemd Logging

  • journald ⇒ systemd's service that collects and stores log data.
  • journalctl ⇒ query the systemd journal. This provides a single pane of glass over logs that are otherwise spread across several files in /var/log/ (unprivileged users see only their own entries; members of the systemd-journal group, and root, see everything).

Show the last 10 journal entries

journalctl -n
  • -n ⇒ shows the most recent events, limiting the number of lines to the argument to -n (argument is optional and defaults to 10)

Show the last 10 entries with further explanation

journalctl -xn
  • -x ⇒ augment log lines with additional explanation lines

Show the most recent entries and keep following the journal

journalctl -f
  • equivalent to “tail -f <logfile>”, but across all units at once

Show all logs with a priority of “info” or more severe

journalctl -p info
  • -p ⇒ takes a syslog level name or number (emerg=0, alert=1, crit=2, err=3, warning=4, notice=5, info=6, debug=7). A single level matches that level and everything more severe, so -p info excludes only debug messages and -p err shows err, crit, alert and emerg.

Show all logs since yesterday

journalctl --since=yesterday

On CentOS 7, by default, journald writes to /run/log/journal, which is a tmpfs and is emptied at reboot. The default setting Storage=auto in /etc/systemd/journald.conf means journald stores the journal persistently only if the directory /var/log/journal already exists.

To make the journal persistent:

  • Create a journal directory in /var/log
    mkdir /var/log/journal
  • Make systemd-journal the group owner and set the setgid bit so new journal files inherit that group
    • Option 1 (apply the packaged tmpfiles.d rule for that path):
      systemd-tmpfiles --create --prefix /var/log/journal
    • Option 2 (by hand):
      chown :systemd-journal /var/log/journal
      chmod 2750 /var/log/journal
    • Hint: Check the /run/log/journal directory ownership and permissions and make /var/log/journal the same. On CentOS 7 that is root:systemd-journal with mode 2755 (drwxr-sr-x); 2750 also works and additionally keeps non-members out of the directory.
  • Restart the journal service so it starts writing to the new location
    systemctl restart systemd-journald
  • Alternative: set Storage=persistent in /etc/systemd/journald.conf and restart the service; journald then creates /var/log/journal itself with the right ownership.
  • Verify: journalctl --disk-usage should now report files under /var/log/journal, and the boot listing journalctl --list-boots will grow across reboots instead of showing only the current one.
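The script below is an added example, not part of the original notes. It answers the question a responder wants answered first ("will this host's journal survive a reboot?") by applying journald's own Storage= rule, checks that the journal directory carries the expected group and setgid mode, and wraps the procedure above in a function. It reads only the main journald.conf (drop-ins under journald.conf.d are not considered), and the conf and directory paths are parameters so it can be exercised against scratch files.

```shell
#!/bin/sh
# Added example, not from the original notes. Paths default to journald's own;
# pass different ones for testing. Only the main config file is read.
#
# journald's rule for Storage= in journald.conf:
#   persistent -> /var/log/journal, created if missing
#   volatile   -> /run/log/journal only (lost at reboot)
#   auto       -> persistent only if /var/log/journal already exists (default)
#   none       -> nothing is stored

# Effective Storage= value; "auto" when the key is absent or commented out.
journal_storage_mode() {
    conf="${1:-/etc/systemd/journald.conf}"
    mode=$( [ -r "$conf" ] && sed -n 's/^[[:space:]]*Storage=[[:space:]]*//p' "$conf" | tail -n 1 )
    printf '%s\n' "${mode:-auto}"
}

# Print persistent / volatile / none for the given conf and journal directory.
journal_persistence() {
    conf="${1:-/etc/systemd/journald.conf}"
    dir="${2:-/var/log/journal}"
    case "$(journal_storage_mode "$conf")" in
        persistent) echo persistent ;;
        auto)       if [ -d "$dir" ]; then echo persistent; else echo volatile; fi ;;
        volatile)   echo volatile ;;
        none)       echo none ;;
        *)          echo unknown ;;
    esac
}

# 0 if DIR has the setgid bit and one of the two modes from the notes.
# stat -c is GNU coreutils syntax.
journal_dir_mode_ok() {
    [ -d "$1" ] || return 1
    case "$(stat -c %a "$1")" in
        2750|2755) return 0 ;;
        *)         return 1 ;;
    esac
}

# 0 if DIR is group-owned by systemd-journal.
journal_dir_group_ok() {
    [ -d "$1" ] && [ "$(stat -c %G "$1")" = systemd-journal ]
}

# The procedure from the notes, as root: prefer the packaged tmpfiles rule,
# fall back to setting ownership and mode by hand, then restart journald.
make_journal_persistent() {
    dir="${1:-/var/log/journal}"
    mkdir -p "$dir"
    if command -v systemd-tmpfiles >/dev/null 2>&1; then
        systemd-tmpfiles --create --prefix "$dir"
    else
        chown :systemd-journal "$dir"
        chmod 2755 "$dir"
    fi
    systemctl restart systemd-journald
}

# Report on this host using journald's default paths.
echo "journal storage: $(journal_persistence)"
if journal_dir_mode_ok /var/log/journal && journal_dir_group_ok /var/log/journal; then
    echo "/var/log/journal ownership and mode look right"
else
    echo "/var/log/journal missing or not root:systemd-journal with setgid; run make_journal_persistent as root"
fi
```

Note that journal_persistence reports "volatile" for the very common case of a stock CentOS 7 box where Storage=auto is untouched and /var/log/journal was never created; that is the case the procedure above fixes.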

