Locate And Interpret System Log Files And Journals
General Information
Locate and interpret system log files and journals
Log file directory: /var/log/
Common Log Files
Log File | Description |
---|---|
/var/log/audit/audit.log | SELinux writes here; audit messages |
/var/log/boot.log | System startup logs |
/var/log/cron | Cron jobs log file |
/var/log/cups | CUPS print service |
/var/log/dmesg | Kernel log messages |
/var/log/httpd/ | Apache web server |
/var/log/maillog | Mail related messages |
/var/log/messages | Most system messages written here. Generic log file. |
/var/log/secure | Authentication related messages |
/var/log/sssd | Authentication messages related to sssd service |
Common tools often used to view log files:
- less
- tail
- head
- cat
- zcat (for gzipped log files)
- grep
New Systemd Logging
- journald ⇒ systemd's service that collects and stores log data.
- journalctl ⇒ query the systemd journal. This provides a single pane of glass to all logs that are typically spread out amongst several different files in /var/log/
Show the last 10 lines of the journal
journalctl -n
- -n ⇒ shows the most recent events, limiting the number of lines to the argument to -n (argument is optional and defaults to 10)
Show last 10 lines with further explanation
journalctl -xn
- -x ⇒ augment log lines with additional explanation lines
Show most recent messages and continue to follow log file
journalctl -f
- equivalent to “tail -f <logfile>”
Show all logs with a priority of “info” or more severe
journalctl -p info
Show all logs since yesterday
journalctl --since=yesterday
Show bootup process summary
systemd-analyze
Details of time each process took during boot
systemd-analyze blame
Turn Journal Persistent
On CentOS 7, by default, journald writes to /run/log/journal.
To make the journal persistent:
- Create a journal directory in /var/log
mkdir /var/log/journal
- Make systemd-journal the group owner and set the setgid permission
- Option 1:
systemd-tmpfiles --create --prefix /var/log/journal
- Option 2:
chown :systemd-journal /var/log/journal
chmod 2750 /var/log/journal
- Restart the journal service
systemctl restart systemd-journald
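To confirm that the steps above took effect, the following check can be run afterwards. It is an added example, not part of the original page or of systemd: `check_journal_dir` is a hypothetical helper name, and it assumes GNU `stat` and `find` as shipped on CentOS.

```shell
#!/bin/sh
# Added example: check_journal_dir is a hypothetical helper, not a systemd tool.
# Usage: check_journal_dir [DIR] [GROUP]
# Returns 0 only when DIR looks like the result of the steps above.
check_journal_dir() {
    dir=${1:-/var/log/journal}
    group=${2:-systemd-journal}
    rc=0

    if [ ! -d "$dir" ]; then
        echo "MISSING: $dir does not exist, the journal stays in /run/log/journal"
        return 1
    fi

    # GNU stat (as on CentOS): %a = octal mode, %G = group owner name
    mode=$(stat -c '%a' "$dir")
    owner_group=$(stat -c '%G' "$dir")

    if [ "$owner_group" != "$group" ]; then
        echo "GROUP: $dir is group-owned by $owner_group, expected $group"
        rc=1
    fi

    # The leading 2 in mode 2750 is the setgid bit; [ -g ] tests for it
    if [ ! -g "$dir" ]; then
        echo "SETGID: $dir has mode $mode, setgid bit is not set"
        rc=1
    fi

    # After the restart journald writes DIR/<machine-id>/*.journal
    first=$(find "$dir" -type f -name '*.journal' | head -n 1)
    if [ -z "$first" ]; then
        echo "EMPTY: no journal files under $dir yet, restart systemd-journald"
        rc=1
    fi

    if [ "$rc" -eq 0 ]; then
        echo "OK: $dir mode=$mode group=$owner_group"
    fi
    return "$rc"
}

# Example call on a real system (run as root so the directory is readable):
#   check_journal_dir /var/log/journal systemd-journal
```

Each finding is printed on its own line, so the output shows which step of the procedure still needs attention.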