How to Analyze Logs using Journalctl and Rsyslog on CentOS 8 / RHEL 8

In this tutorial we analyze logs using journalctl and rsyslog on CentOS 8 / RHEL 8. Identifying and analyzing the various logs with the right tools is a core task for any system administrator, so this guide covers journalctl and rsyslog on Linux in detail.

Journalctl

Log files are the primary source for troubleshooting system issues on Linux. Journald is the service that collects and stores log data and manages the system log: kernel messages, syslog messages, boot messages, messages from running services and so on.

On Linux systems running systemd, the journald service implements the journal and can replace rsyslog as the log management service. Journald collects data from all available sources and stores it in a binary format. The journald daemon is queried with the journalctl command; the following commands show and manage the logs.

Step – 1 : To List all the logs from the oldest entry

[root@techbrown~]# journalctl

Step – 2 : To List all the logs from the oldest entry in Coordinated Universal Time (UTC)

[root@techbrown~]# journalctl --utc

Step – 3 : To List all the logs from current boot

[root@techbrown~]# journalctl -b

Step – 4 : To List all the logs from an older boot (relative boot offset)

[root@techbrown~]# journalctl -b -6

Step – 5 : To List the total boots of the system

This can take some time.

[root@techbrown~]# journalctl --list-boots

Step – 6 : To List all the logs from yesterday

[root@techbrown~]# journalctl --since yesterday

Step – 7 : To list all logs within a specific time window

[root@techbrown~]# journalctl --since 15:00 --until "3 hour ago"

Step – 8 : To list all the logs between two specific timestamps (date and time)

[root@techbrown~]# journalctl --since "2018-12-08 03:00" --until "2019-12-08 03:00"
[root@techbrown~]# journalctl --since "2018-12-08 11:59:00"

Step – 9 : To List all the logs by User ID

Syntax: journalctl [option] FIELD

[root@techbrown~]# journalctl -F _UID

Option -F prints all possible values of the given journal field.

Step – 10 : To List all the logs by Group ID

[root@techbrown~]# journalctl -F _GID

Step – 11 : To List all the logs by Process ID

[root@techbrown~]# journalctl -F _PID

Step – 12 : To List all the logs from a specific user ID

[root@techbrown~]# journalctl _UID=5000

Step – 13 : To List all the logs from a specific group ID

[root@techbrown~]# journalctl _GID=115

Step – 14 : To List all the logs from a specific process ID

[root@techbrown~]# journalctl _PID=4256

Step – 15 : To List all the logs of an executable or device node, given by its path

[root@techbrown~]# journalctl /mnt/

Step – 16 : To List all the kernel logs

[root@techbrown~]# journalctl -k

Step – 17 : To List all the kernel logs from an older boot

[root@techbrown~]# journalctl -k -b -5

Step – 18 : To show the current Disk Usage of all journal files

[root@techbrown~]# journalctl --disk-usage

Step – 19 : To follow the journal, printing new entries as they arrive

[root@techbrown~]# journalctl -f

Step – 20 : To show the most recent log entries (10 by default)

[root@techbrown~]# journalctl -n

Step – 21 : To show a specific number of recent log entries

[root@techbrown~]# journalctl -n 5

Step – 22 : To show the log entries of a specific priority

journalctl -p PRIORITY shows entries at that priority or more severe. The syslog priority names, from most to least severe, are emerg, alert, crit, err, warning, notice, info and debug (the numeric levels 0 to 7 are also accepted).

[root@techbrown~]# journalctl -p warning

Step – 23 : To Display the logs in JSON format

Here, option -u restricts the output to the log entries of a specific systemd unit and option -o selects the output format. Valid output formats include json, json-pretty, json-sse, cat, verbose, export, short-iso, short-precise and short-monotonic.

[root@techbrown~]# journalctl -u sshd -o json
[root@techbrown~]# journalctl -u sshd -o cat

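The steps above filter the journal by time, priority and field. The following Python script is an added example, not part of the original tutorial: it applies the same filters to a constructed three-record sample in the format `journalctl -u sshd -o json` prints (one JSON object per line, every value a string), so the behaviour of `-p`, `--since`/`--until`, `-k` and `_UID=`/`_PID=` matches can be checked offline. The field names are the real journal field names; the records, UIDs, addresses and messages are made up for the example.

```python
import json
from datetime import datetime, timezone

# Constructed sample of `journalctl -o json` output: one JSON object per line,
# every field a string. Hosts, users, PIDs and messages are made up.
SAMPLE_JOURNAL_JSON = """\
{"__REALTIME_TIMESTAMP": "1544238000000000", "PRIORITY": "6", "_TRANSPORT": "syslog", "_UID": "0", "_GID": "0", "_PID": "1021", "_SYSTEMD_UNIT": "sshd.service", "SYSLOG_IDENTIFIER": "sshd", "MESSAGE": "Accepted publickey for deploy from 192.0.2.10 port 51022 ssh2"}
{"__REALTIME_TIMESTAMP": "1544238060000000", "PRIORITY": "4", "_TRANSPORT": "syslog", "_UID": "5000", "_GID": "115", "_PID": "4256", "_SYSTEMD_UNIT": "session-7.scope", "SYSLOG_IDENTIFIER": "sudo", "MESSAGE": "deploy : 3 incorrect password attempts ; TTY=pts/0"}
{"__REALTIME_TIMESTAMP": "1544238120000000", "PRIORITY": "2", "_TRANSPORT": "kernel", "SYSLOG_IDENTIFIER": "kernel", "MESSAGE": "EXT4-fs error (device sda1): ext4_find_entry: reading directory lblock 0"}
"""

# syslog priority names as accepted by `journalctl -p`, most severe first
PRIORITY_LEVELS = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
                   "warning": 4, "notice": 5, "info": 6, "debug": 7}


def parse_journal_json(text):
    """Parse `journalctl -o json` output into dicts with an int PRIORITY
    and an aware UTC datetime under the key 'timestamp'."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["PRIORITY"] = int(rec.get("PRIORITY", PRIORITY_LEVELS["info"]))
        usec = int(rec["__REALTIME_TIMESTAMP"])  # microseconds since the epoch
        rec["timestamp"] = datetime.fromtimestamp(usec / 1_000_000, tz=timezone.utc)
        records.append(rec)
    return records


def filter_journal(records, priority=None, since=None, until=None,
                   kernel_only=False, **matches):
    """Apply the same filters as the journalctl flags used in the tutorial:
    priority    -> `-p NAME`: keep entries at that priority or more severe
    since/until -> `--since`/`--until` as aware datetimes (inclusive)
    kernel_only -> `-k`: keep only entries with _TRANSPORT=kernel
    matches     -> `FIELD=value` arguments, e.g. _UID=5000 or _PID=4256
    """
    max_level = PRIORITY_LEVELS[priority] if isinstance(priority, str) else priority
    kept = []
    for rec in records:
        if max_level is not None and rec["PRIORITY"] > max_level:
            continue
        if since is not None and rec["timestamp"] < since:
            continue
        if until is not None and rec["timestamp"] > until:
            continue
        if kernel_only and rec.get("_TRANSPORT") != "kernel":
            continue
        # Journal field values are strings, so compare the caller's value as a string;
        # a record that lacks the field does not match, exactly as in journalctl.
        if any(rec.get(field) != str(value) for field, value in matches.items()):
            continue
        kept.append(rec)
    return kept


def count_by_unit(records):
    """Count entries per systemd unit; entries without a unit (kernel messages) go under '-'."""
    counts = {}
    for rec in records:
        unit = rec.get("_SYSTEMD_UNIT", "-")
        counts[unit] = counts.get(unit, 0) + 1
    return counts


def format_short(rec):
    """Render one record roughly like journalctl's default `short` output."""
    ts = rec["timestamp"].strftime("%b %d %H:%M:%S")
    pid = f"[{rec['_PID']}]" if "_PID" in rec else ""
    return f"{ts} {rec.get('SYSLOG_IDENTIFIER', '?')}{pid}: {rec['MESSAGE']}"


if __name__ == "__main__":
    entries = parse_journal_json(SAMPLE_JOURNAL_JSON)
    print("warning and above:")
    for rec in filter_journal(entries, priority="warning"):
        print(" ", format_short(rec))
    print("entries for _UID=5000:", len(filter_journal(entries, _UID=5000)))
    print("kernel entries:", len(filter_journal(entries, kernel_only=True)))
    print("per unit:", count_by_unit(entries))
```

Running it against a live system is the same call chain with real input, for example `journalctl -o json --since yesterday | python3 script.py` after replacing the sample with `sys.stdin.read()`; the point of the sample is that the filter semantics (priority numbers decrease as severity increases, field matches are exact string comparisons) are visible without a journal at hand.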
The main configuration file for journald is /etc/systemd/journald.conf.

Logs generated by journald are not stored persistently by default: they are kept in the /run/log/journal/ directory and cleared when the system reboots. To make the journald logs persistent, create the /var/log/journal/ directory; journald will then store its logs there, and they will not be cleared on reboot.

Step – 24 : Create the directory that will store the journal persistently

[root@techbrown~]# mkdir /var/log/journal

Step – 25 : Set the owner of this directory to root and its group to systemd-journal

[root@techbrown~]# chown root:systemd-journal /var/log/journal

Step – 26 : Set the directory permissions.

The mode 2755 sets the setgid bit on the directory, so journal files created inside it inherit the systemd-journal group; the owner has full access, and every other user can read and enter the directory.

[root@techbrown~]# chmod 2755 /var/log/journal

Rsyslog

Rsyslog (the "rocket-fast system for log processing") is the most widely used logging mechanism across Linux distributions, and on CentOS 8 and RHEL 8 it is the default logging service.

Journald forwards all logs to rsyslog, which stores them in plain text files under the /var/log/ directory. /etc/rsyslog.conf is the main configuration file for rsyslog; the rule lines that decide where log messages are stored are written in this file.

Each rule line has two parts:

1. Selector field

The selector field is itself divided into two parts, a "facility" and a "priority", separated by a dot.

2. Action field

Specifies what action must be taken for a message that matches the selector.

Important log files

1. General syslog messages

/var/log/messages

2. Security and authentication messages

/var/log/secure

3. Mail server messages

/var/log/maillog

4. Cron messages

/var/log/cron

5. Boot messages

/var/log/boot.log
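As an added example that is not part of the original tutorial, the script below parses rsyslog rule lines into their selector and action fields and reports where a message of a given facility and priority is delivered, which ties the two rule parts to the log files listed above. The sample rules are constructed for the example, modelled on the stock CentOS/RHEL lines that produce those files. The selector semantics implemented follow rsyslog's legacy selector syntax: a priority matches that level and everything more severe, `none` excludes a facility, `=` matches one level exactly, `!` negates, a later sub-selector overrides an earlier one for the same facility (which is how `*.info;mail.none` keeps mail out of /var/log/messages), and a leading `-` on a file action only disables syncing after each write.

```python
import re

# Constructed rule set for this example, modelled on the stock CentOS/RHEL lines.
SAMPLE_RSYSLOG_RULES = """\
# selector                                  action
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
authpriv.*                                  /var/log/secure
mail.*                                      -/var/log/maillog
cron.*                                      /var/log/cron
*.emerg                                     :omusrmsg:*
local7.*                                    /var/log/boot.log
"""

# syslog severities, most severe first, plus the traditional sysklogd aliases
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7,
              "panic": 0, "error": 3, "warn": 4}

FACILITIES = {"kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"} | {f"local{i}" for i in range(8)}


def parse_rules(text):
    """Split each non-comment rule line into (selector, action)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selector, action = re.split(r"\s+", line, maxsplit=1)
        rules.append((selector, action))
    return rules


def selector_matches(selector, facility, severity):
    """Evaluate one selector field ("fac1,fac2.prio;fac3.none") against a message.
    Sub-selectors are applied left to right; a later one naming the same facility
    overrides the result of an earlier one."""
    sev = SEVERITIES[severity]
    result = False
    for sub in selector.split(";"):
        fac_part, _, prio_part = sub.rpartition(".")
        facs = fac_part.split(",")
        if facility not in facs and "*" not in facs:
            continue
        if prio_part == "none":
            result = False
        elif prio_part == "*":
            result = True
        else:
            negate = prio_part.startswith("!")
            spec = prio_part.lstrip("!")
            exact = spec.startswith("=")
            level = SEVERITIES[spec.lstrip("=")]
            hit = (sev == level) if exact else (sev <= level)
            result = (not hit) if negate else hit
    return result


def route(rules, facility, severity):
    """Return the actions (files or other targets) that receive a message of
    this facility and severity, in rule order."""
    if facility not in FACILITIES:
        raise ValueError(f"unknown facility: {facility}")
    if severity not in SEVERITIES:
        raise ValueError(f"unknown severity: {severity}")
    targets = []
    for selector, action in rules:
        if selector_matches(selector, facility, severity):
            targets.append(action.lstrip("-"))  # leading '-' only disables fsync
    return targets


def selectors_for_file(rules, path):
    """Reverse lookup: which selectors feed a given log file."""
    return [selector for selector, action in rules if action.lstrip("-") == path]


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RSYSLOG_RULES)
    for fac, sev in [("authpriv", "info"), ("mail", "err"), ("cron", "notice"),
                     ("daemon", "debug"), ("kern", "emerg"), ("local7", "info")]:
        print(f"{fac}.{sev:<8} -> {route(rules, fac, sev)}")
    print("/var/log/messages is fed by:", selectors_for_file(rules, "/var/log/messages"))
```

This is the check to run when a message you expect in /var/log/secure or /var/log/messages is missing: evaluate the facility and priority the program actually logs with against the rule lines, rather than guessing from the file names.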

Conclusion: We have covered journalctl and rsyslog on your Linux distribution and the various ways these commands can be used to analyze the logs. If you have any doubts, feel free to ask in the comments section below.
