Default Journal Log Files Locations in Linux
There are two locations where we are most likely to find the systemd journal files on a Red Hat Linux system. The default journal log file locations are:
/var/log/journal
Persistent journals are stored in the default location of /var/log/journal, if it exists.
/run/log/journal
Volatile journals are stored in the default directory of /run/log/journal, if the /var/log/journal directory does not exist.
Linux system log files are files that contain messages about the system, including the kernel, services, and applications running on it. Without logs, troubleshooting would be much more difficult. Even with logs, you’re swimming in a sea of data. Knowing how to find what you’re looking for is important.
There are different log files for different information. For example, there is a default system log file, a log file just for security messages, and a log file for cron tasks. The Linux command-line tool journalctl manages the journal log files.
journalctl is a utility to query the systemd journal.
Journal Log Files Locations or Directories
A list of log files maintained by rsyslogd can be found in the /etc/rsyslog.conf configuration file. Most log files are located in the /var/log/ directory. Some applications such as httpd and samba have a directory within /var/log/ for their log files.
You may notice multiple files in the /var/log/ directory with numbers after them (for example, cron-20100906). These numbers represent a time stamp that has been added to a rotated log file. Log files are rotated so their file sizes do not become too large. The logrotate package contains a cron task that automatically rotates log files according to the /etc/logrotate.conf configuration file and the configuration files in the /etc/logrotate.d/ directory.
Let’s check the web server logs on the system.
grep httpd `find /var/log -maxdepth 1 -type f -print` | less
Checking the systemd logs with a narrower focus: grep the systemd entries from /var/log/messages and page the output with less.
grep -i systemd /var/log/messages | less
Let’s check the entire /var/log directory for systemd logs.
grep systemd `find /var/log -maxdepth 1 -type f -print` | less
Using the journalctl command to find logs in Linux.
journalctl -u httpd
You can use the slash (/) to search throughout the displayed logs for a specific service log.
journalctl -g systemd | less
Searching with multiple strings.
journalctl -g "httpd|systemd" | less
Searching within an exact time range, with -S for the start (since) and -U for until.
journalctl -S 11:30:00 -U 12:50:00
journalctl has an entry for each time we boot the system. Let’s see how many entries we have, that is, which boots are available.
journalctl --list-boots
Let’s read boot entry 3.
journalctl -b 3
By default, the systemd journal in RHEL 8 logs to memory, in /run/log/journal. We can make the journals persistent across reboots.
Note: For the RHCA8 exam everything is persistent, so it’s important to know how to make the journal logs persistent. When you are working with the journal, make sure you configure it.
How do we see how the journal is configured on the system?
We can see by looking for the Storage setting in the /etc/systemd/journald.conf file.
[root@vma ~]# grep -i storage /etc/systemd/journald.conf
#Storage=auto
By default it is set to auto.
There are four different modes we can use:
- Volatile – journal log data is stored in memory only, in /run/log/journal.
- Persistent – /var/log/journal
- None – storage disabled, all data dropped.
- Auto – default – persistent if /var/log/journal exists, otherwise volatile.
If we wanted to make our journal persistent, all we would need to do with the auto setting is to make the directory /var/log/journal.
mkdir /var/log/journal
Flush the journal logs from /run/log/journal:
journalctl --flush
Make some changes on the system and check the /var/log/journal directory for persistent logs.
ls -la /var/log/journal
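The four storage modes and the auto rule described above can be checked with a small script. This is an added example, not part of the original article; the function name journal_storage_mode and its two parameters are hypothetical, and it assumes only the main journald.conf is read (drop-in files are ignored).

```shell
#!/bin/sh
# Added example: resolve which journal storage mode applies, from the
# Storage= setting plus the /var/log/journal directory check.
# Assumption: only the main journald.conf is read; drop-ins are ignored.

# journal_storage_mode [CONF] [ROOT]   (hypothetical helper)
#   CONF: journald.conf path, ROOT: prefix so a constructed tree can be used
journal_storage_mode() {
    conf=${1:-/etc/systemd/journald.conf}
    root=${2:-}
    # Commented lines such as "#Storage=auto" do not match; the last
    # uncommented Storage= line is taken.
    setting=$(sed -n \
        's/^[[:space:]]*Storage[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*/\1/p' \
        "$conf" 2>/dev/null | tail -n 1)
    [ -n "$setting" ] || setting=auto   # nothing set: default is auto
    case "$setting" in
        volatile)   echo "volatile $root/run/log/journal" ;;
        persistent) echo "persistent $root/var/log/journal" ;;
        none)       echo "none -" ;;
        auto)
            # auto: persistent only if /var/log/journal already exists
            if [ -d "$root/var/log/journal" ]; then
                echo "persistent $root/var/log/journal"
            else
                echo "volatile $root/run/log/journal"
            fi ;;
        *)  echo "unknown $setting"; return 1 ;;
    esac
}

# Demo on a constructed directory tree (not a real system).
demo=$(mktemp -d)
mkdir -p "$demo/etc/systemd" "$demo/run/log/journal"
printf '[Journal]\n#Storage=auto\n' > "$demo/etc/systemd/journald.conf"
journal_storage_mode "$demo/etc/systemd/journald.conf" "$demo"  # volatile
mkdir -p "$demo/var/log/journal"
journal_storage_mode "$demo/etc/systemd/journald.conf" "$demo"  # persistent
rm -rf "$demo"
```

On a real host, calling journal_storage_mode with no arguments reads /etc/systemd/journald.conf and checks the live /var/log/journal directory.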