Locate And Interpret System Log Files And Journals

General Information


Log file directory: /var/log/

Common Log Files

Log File                    Description
/var/log/audit/audit.log    SELinux writes here; audit messages
/var/log/boot.log           System startup logs
/var/log/cron               Cron jobs log file
/var/log/cups               Print service CUPS
/var/log/dmesg              Kernel log messages
/var/log/httpd/             Apache web server
/var/log/maillog            Mail related messages
/var/log/messages           Most system messages written here. Generic log file.
/var/log/secure             Authentication related messages
/var/log/sssd               Authentication messages related to sssd service

Common tools often used to view log files:

  • less
  • tail
  • head
  • cat
  • zcat (for gzipped log files)
  • grep
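
As an added example (not part of the original page), the function below combines the tools listed above to count failed SSH password attempts per source address in /var/log/secure and its gzipped rotated copies. The log lines, host name, addresses and the rotated file name are constructed samples; the function and helper names are hypothetical.

```shell
#!/bin/sh
# failed_logins_by_source LOGFILE...
# Reads .gz files with zcat and everything else with cat, then prints
# "COUNT ADDRESS" lines, highest count first.
failed_logins_by_source() {
    for f in "$@"; do
        [ -r "$f" ] || continue              # skip missing or unreadable files
        case "$f" in
            *.gz) zcat "$f" ;;
            *)    cat "$f" ;;
        esac
    done |
    grep 'sshd\[[0-9]*\]: Failed password for ' |
    # The user name is chosen by the remote client, so take the address from
    # the fixed tail of the line ("from ADDR port N ssh2"), not the first "from".
    awk 'NF >= 5 && $(NF-4) == "from" && $(NF-2) == "port" { n[$(NF-3)]++ }
         END { for (a in n) print n[a], a }' |
    sort -k1,1nr -k2,2
}

# make_sample_logs DIR: write constructed sample data (not real log output).
make_sample_logs() {
    cat > "$1/secure" <<'EOF'
Mar  1 10:00:01 host1 sshd[1201]: Failed password for root from 203.0.113.5 port 40022 ssh2
Mar  1 10:00:04 host1 sshd[1201]: Failed password for invalid user from from 203.0.113.5 port 40022 ssh2
Mar  1 10:02:10 host1 sshd[1301]: Accepted password for alice from 192.0.2.10 port 50111 ssh2
EOF
    gzip -c > "$1/secure-20160228.gz" <<'EOF'
Feb 27 03:11:45 host1 sshd[901]: Failed password for invalid user admin from 198.51.100.7 port 33211 ssh2
Feb 27 03:11:49 host1 sshd[901]: Failed password for root from 203.0.113.5 port 40010 ssh2
EOF
}

# Demo on the constructed data; on a real host pass /var/log/secure* instead.
demo_dir=$(mktemp -d)
make_sample_logs "$demo_dir"
failed_logins_by_source "$demo_dir"/secure*
rm -rf "$demo_dir"
```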

New Systemd Logging

  • journald ⇒ systemd's service that collects and stores log data.
  • journalctl ⇒ query the systemd journal. This provides a single pane of glass to all logs that are typically spread out amongst several different files in /var/log/

Show last 10 lines of log files

journalctl -n
  • -n ⇒ shows the most recent events, limiting the number of lines to the argument to -n (argument is optional and defaults to 10)

Show last 10 lines with further explanation

journalctl -xn
  • -x ⇒ augment log lines with additional explanation lines

Show most recent messages and continue to follow log file

journalctl -f
  • equivalent to “tail -f <logfile>”

Show all logs with a priority of “info”

journalctl -p info

Show all logs since yesterday

journalctl --since=yesterday

Show bootup process summary

systemd-analyze

Details of time each process took during boot

systemd-analyze blame

On CentOS 7, by default, journald writes to /run/log/journal, which is not kept across reboots.

To make the journal persistent:

  • Create a journal directory in /var/log
    • mkdir /var/log/journal
  • Make systemd-journal the group owner and set the setgid bit on the directory
    • Option 1:
      systemd-tmpfiles --create --prefix /var/log/journal
    • Option 2:
      chown :systemd-journal /var/log/journal
      chmod 2750 /var/log/journal
  • Restart the journal service
    • systemctl restart systemd-journald

  • Last modified: 2019/05/25 23:50