Locate And Interpret System Log Files And Journals

General Information

Systemd introduces the journalctl command, which interacts with the journald service. It provides a way to view all logs at once. By default the journal is not persistent across reboots (in order to preserve traditional logging).


Log file directory: /var/log/


Common Log Files

Log File                    Description
/var/log/audit/audit.log    SELinux writes here; audit messages
/var/log/boot.log           System startup logs
/var/log/cron               Cron jobs log file
/var/log/cups               Print service CUPS
/var/log/dmesg              Kernel log messages
/var/log/httpd/             Apache web server
/var/log/maillog            Mail related messages
/var/log/messages           Most system messages written here. Generic log file.
/var/log/secure             Authentication related messages
/var/log/sssd               Authentication messages related to sssd service


Common tools often used to view log files:

  • less
  • tail
  • head
  • cat
  • zcat (for gzipped log files)
  • grep

Show bootup process summary

systemd-analyze


Details of time each process took during boot

systemd-analyze blame

New Systemd Logging

  • journald ⇒ systemd's service that collects and stores log data.
  • journalctl ⇒ query the systemd journal. This provides a single pane of glass to all logs that are typically spread out amongst several different files in /var/log/


Show the last 10 lines of the journal

journalctl -n
  • -n ⇒ shows the most recent events, limiting the number of lines to the argument to -n (argument is optional and defaults to 10)


Show last 10 lines with further explanation

journalctl -xn
  • -x ⇒ augment log lines with additional explanation lines


Show most recent messages and continue to follow log file

journalctl -f
  • equivalent to “tail -f <logfile>”


Show all logs with a priority of “info”

journalctl -p info


Show all logs since yesterday

journalctl --since=yesterday

On CentOS 7, by default, journald writes to /run/log/journal.


To make the journal persistent:

  • Create a journal directory in /var/log
    mkdir /var/log/journal
  • Make systemd-journal the group owner and set the setgid permission
    • Option 1:
      systemd-tmpfiles --create --prefix /var/log/journal
    • Option 2:
      chown :systemd-journal /var/log/journal
      chmod 2750 /var/log/journal
    • Hint: Check the /run/log/journal ownership and permissions. Make /var/log/journal the same.
  • Restart the journal service
    systemctl restart systemd-journald

  • Last modified: 2019/05/25 23:50