====== Locate And Interpret System Log Files And Journals ======

**General Information**

Systemd introduces the journalctl command, which interacts with the journald service. It provides a way to view all logs at once. By default the journal is not persistent across reboots (in order to preserve traditional logging).

----

===== Locate and interpret system log files and journals =====

==== Traditional Log Files ====

Log file directory: /var/log/
\\
Common Log Files
^ Log File ^ Description ^
| /var/log/audit/audit.log | SELinux writes here; audit messages |
| /var/log/boot.log | System startup logs |
| /var/log/cron | Cron jobs log file |
| /var/log/cups | Print service CUPS |
| /var/log/dmesg | Kernel log messages |
| /var/log/httpd/ | Apache web server |
| /var/log/maillog | Mail related messages |
| /var/log/messages | Most system messages written here. Generic log file. |
| /var/log/secure | Authentication related messages |
| /var/log/sssd | Authentication messages related to sssd service |

\\
Common tools often used to view log files:
  * less
  * tail
  * head
  * cat
  * zcat (for gzipped log files)
  * grep

----

==== Boot Process ====

Show bootup process summary
<code bash>
systemd-analyze
</code>

\\
Details of time each process took during boot
<code bash>
systemd-analyze blame
</code>

----

==== The Journal ====

New Systemd Logging
  * journald => systemd's service that collects and stores log data.
  * journalctl => query the systemd journal.
This provides a single pane of glass for all logs that are typically spread out among several different files in /var/log/

\\
Show the last 10 journal entries
<code bash>
journalctl -n
</code>
  * -n => shows the most recent events, limiting the number of lines to the argument given to -n (the argument is optional and defaults to 10)

\\
Show last 10 lines with further explanation
<code bash>
journalctl -xn
</code>
  * -x => augment log lines with additional explanation lines

\\
Show most recent messages and continue to follow the journal
<code bash>
journalctl -f
</code>
  * equivalent to "tail -f <logfile>"

\\
Show all logs with a priority of "info" or higher (more severe)
<code bash>
journalctl -p info
</code>

\\
Show all logs since yesterday
<code bash>
journalctl --since=yesterday
</code>

----

==== Turn Journal Persistent ====

On CentOS 7, by default, journald writes to /run/log/journal.
\\
To make the journal persistent:
  * Create a journal directory in /var/log<code bash>mkdir /var/log/journal</code>
  * Make systemd-journal the group owner and set the setgid (SGID) permission
    * Option 1:<code bash>systemd-tmpfiles --create --prefix /var/log/journal</code>
    * Option 2:<code bash>
chown :systemd-journal /var/log/journal
chmod 2750 /var/log/journal
</code>
    * **Hint**: Check the /run/log/journal directory ownership and permissions. Make /var/log/journal the same.
  * Restart the journal service<code bash>systemctl restart systemd-journald</code>

----

linux_wiki/locate_and_interpret_system_log_files_and_journals.txt Last modified: 2019/05/25 23:50 (external edit)
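The result of the persistence steps above can be audited with a short check of the directory's group owner and setgid bit, plus the comparison the hint suggests. This is an added example, not part of the original wiki page; the function names and the optional group argument are assumptions of the example, and it relies on ''stat -c'' as shipped with GNU coreutils.

```sh
#!/bin/sh
# Added example: audit a journal directory against the settings used in the
# persistence steps (group owner systemd-journal, setgid bit set).
# check_journal_dir and same_perms are hypothetical helper names.

# check_journal_dir DIR [GROUP]
# Prints one of: ok | missing | wrong-group:<found> | no-setgid:<mode>
check_journal_dir() {
    cjd_dir=$1
    cjd_want=${2:-systemd-journal}
    [ -d "$cjd_dir" ] || { echo "missing"; return 1; }
    cjd_group=$(stat -c '%G' "$cjd_dir")   # group owner name
    cjd_mode=$(stat -c '%a' "$cjd_dir")    # octal mode, special bits included
    if [ "$cjd_group" != "$cjd_want" ]; then
        echo "wrong-group:$cjd_group"
        return 1
    fi
    # With four octal digits the first holds the special bits;
    # 2, 3, 6 and 7 all include setgid (value 2).
    case "$cjd_mode" in
        [2367]???) ;;
        *) echo "no-setgid:$cjd_mode"; return 1 ;;
    esac
    echo "ok"
}

# same_perms DIR REF
# Succeeds when DIR has the same group owner and mode as REF, which is the
# comparison the hint describes for /var/log/journal and /run/log/journal.
same_perms() {
    [ -d "$1" ] && [ -d "$2" ] &&
        [ "$(stat -c '%G %a' "$1")" = "$(stat -c '%G %a' "$2")" ]
}

# Report on the directory given as $1 (default: the path from the steps above).
check_journal_dir "${1:-/var/log/journal}" || true
```

A result of ''wrong-group'' or ''no-setgid'' means the chown/chmod step (or the systemd-tmpfiles option) still needs to be applied before restarting systemd-journald.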