
Reading and analysing logs is a core task for any system administrator. In this guide we cover journalctl (the query tool for the systemd journal) and rsyslog on Linux, with the commands you need for each.

Journalctl

Log files are the first place to look when troubleshooting a Linux system. journald is the systemd service that collects and stores log data: kernel messages, syslog messages, boot messages, and the output of running services.

On systemd-based systems journald implements the journal. It can replace rsyslog as the log management service, or run alongside it (the default on CentOS / RHEL). journald collects messages from all available sources and stores them in a binary, indexed format. journalctl is the command used to query the journal; the following steps show the most useful ways to list and filter logs.

Step – 1 : To list all logs, starting from the oldest entry

[root@techbrown~]# journalctl

Step – 2 : To list all logs with timestamps in Coordinated Universal Time (UTC)

[root@techbrown~]# journalctl --utc

Step – 3 : To list all logs from the current boot

[root@techbrown~]# journalctl -b

Step – 4 : To list all logs from an older boot

A negative offset counts back from the current boot: -b -1 is the previous boot, -b -6 the boot six before the current one. Older boots are only available when the journal is stored persistently (see the end of this section).

[root@techbrown~]# journalctl -b -6

Step – 5 : To list all boots recorded in the journal

On a large journal this can take a moment.

[root@techbrown~]# journalctl --list-boots

Step – 6 : To list all logs since yesterday

[root@techbrown~]# journalctl --since yesterday

Step – 7 : To list all logs within a specific time range

Both --since and --until accept absolute times and relative expressions such as "3 hours ago". If the end of the range falls before its start, journalctl simply prints nothing.

[root@techbrown~]# journalctl --since 15:00 --until "3 hours ago"

Step – 8 : To list all logs within a specific range of dates and times

[root@techbrown~]# journalctl --since "2018-12-08 03:00" --until "2019-12-08 03:00"
[root@techbrown~]# journalctl --since "2018-12-08 11:59:00"

Step – 9 : To list every user ID that appears in the journal

Syntax: journalctl [option] FIELD. Fields whose names start with an underscore (_UID, _GID, _PID, _SYSTEMD_UNIT, ...) are trusted fields: journald fills them in from the sending process's credentials, so a process cannot forge them the way it can forge the message text.

[root@techbrown~]# journalctl -F _UID

Option -F prints every distinct value the given field takes in the journal.

Step – 10 : To list every group ID that appears in the journal

[root@techbrown~]# journalctl -F _GID

Step – 11 : To list every process ID that appears in the journal

[root@techbrown~]# journalctl -F _PID

Step – 12 : To list all logs from a specific user ID

A FIELD=VALUE argument is a match; -F is not used here.

[root@techbrown~]# journalctl _UID=5000

Step – 13 : To list all logs from a specific group ID

[root@techbrown~]# journalctl _GID=115

Step – 14 : To list all logs from a specific process ID

[root@techbrown~]# journalctl _PID=4256

Step – 15 : To list all logs of a specific executable or device node

Passing a path to an executable matches on the _EXE field; a path to a device node matches on the kernel device.

[root@techbrown~]# journalctl /usr/sbin/sshd
[root@techbrown~]# journalctl /dev/sda

Step – 16 : To list all kernel logs (like dmesg)

[root@techbrown~]# journalctl -k

Step – 17 : To list all kernel logs from an older boot

[root@techbrown~]# journalctl -k -b -5

Step – 18 : To show the current disk usage of all journal files

[root@techbrown~]# journalctl --disk-usage

Step – 19 : To follow new journal entries as they arrive (like tail -f)

[root@techbrown~]# journalctl -f

Step – 20 : To show the most recent log entries (the last 10 by default)

[root@techbrown~]# journalctl -n

Step – 21 : To show a specific number of recent log entries

[root@techbrown~]# journalctl -n 5

Step – 22 : To show log entries of a specific priority

The priorities, from most to least severe, are:
emerg, alert, crit, err, warning, notice, info, debug.

A single priority selects that level and every more severe one, so the command below shows warning, err, crit, alert and emerg entries. A range such as -p err..crit selects only the levels between the two.

[root@techbrown~]# journalctl -p warning

Step – 23 : To display the logs in JSON format

Here option -u restricts the output to a specific systemd unit, and option -o selects the output format. Valid formats include short (the default), short-iso, short-precise, short-monotonic, verbose, export, json, json-pretty, json-sse and cat (message text only).

[root@techbrown~]# journalctl -u sshd -o json
[root@techbrown~]# journalctl -u sshd -o cat
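The JSON output is what you want when a script rather than a person reads the log. The following is an added example, not code from the original article: it parses `journalctl -u sshd -o json` style output, applies the same severity filter as `-p`, and counts failed SSH logins per source address so that brute-force sources stand out. The journal lines embedded in it are constructed for the example; the field names (MESSAGE, PRIORITY, _SYSTEMD_UNIT, __REALTIME_TIMESTAMP) are the real journal fields.

```python
"""Added example (not from the original article): parse `journalctl -o json`
output and pick out SSH brute-force sources.  The journal lines below are
constructed for this example; the field names are the real journal fields.
"""
import json
import re
from collections import Counter

# The names journalctl -p accepts; a lower number is more severe.
PRIORITY_LEVELS = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
                   "warning": 4, "notice": 5, "info": 6, "debug": 7}

# Constructed sample of `journalctl -u sshd -o json`: one JSON object per line.
# PRIORITY is a string in the JSON output.  _SYSTEMD_UNIT is a trusted field
# filled in by journald from the sender's credentials, so it cannot be forged
# by the logging process the way the MESSAGE text can.
SAMPLE_JOURNAL = """\
{"__REALTIME_TIMESTAMP":"1544240400000000","_SYSTEMD_UNIT":"sshd.service","PRIORITY":"6","MESSAGE":"Accepted publickey for alice from 10.0.0.5 port 51234 ssh2: RSA SHA256:abc"}
{"__REALTIME_TIMESTAMP":"1544240401000000","_SYSTEMD_UNIT":"sshd.service","PRIORITY":"6","MESSAGE":"Failed password for root from 203.0.113.9 port 40001 ssh2"}
{"__REALTIME_TIMESTAMP":"1544240402000000","_SYSTEMD_UNIT":"sshd.service","PRIORITY":"6","MESSAGE":"Failed password for invalid user admin from 203.0.113.9 port 40002 ssh2"}
{"__REALTIME_TIMESTAMP":"1544240403000000","_SYSTEMD_UNIT":"sshd.service","PRIORITY":"6","MESSAGE":"Failed password for root from 203.0.113.9 port 40003 ssh2"}
{"__REALTIME_TIMESTAMP":"1544240404000000","_SYSTEMD_UNIT":"sshd.service","PRIORITY":"6","MESSAGE":"Failed password for bob from 198.51.100.7 port 40010 ssh2"}
{"__REALTIME_TIMESTAMP":"1544240405000000","_SYSTEMD_UNIT":"sshd.service","PRIORITY":"3","MESSAGE":"error: maximum authentication attempts exceeded for root from 203.0.113.9 port 40003 ssh2 [preauth]"}
{"__REALTIME_TIMESTAMP":"1544240406000000","_SYSTEMD_UNIT":"cron.service","PRIORITY":"6","MESSAGE":"(root) CMD (run-parts /etc/cron.hourly)"}
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")


def parse_journal_json(text):
    """Return a list of entry dicts, skipping blank or malformed lines.
    journalctl emits MESSAGE as an array of byte values when the text is
    not valid UTF-8; such entries are kept with MESSAGE set to None."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not isinstance(entry.get("MESSAGE"), str):
            entry["MESSAGE"] = None
        entries.append(entry)
    return entries


def entries_at_or_above(entries, priority):
    """Same filter as `journalctl -p <priority>`: keep entries whose
    PRIORITY is at least as severe as the named level."""
    max_level = PRIORITY_LEVELS[priority]
    return [e for e in entries if int(e.get("PRIORITY", 7)) <= max_level]


def failed_logins_by_source(entries, unit="sshd.service"):
    """Count 'Failed password' messages per client IP for the given unit."""
    counts = Counter()
    for e in entries:
        if e.get("_SYSTEMD_UNIT") != unit or not e.get("MESSAGE"):
            continue
        m = FAILED_RE.search(e["MESSAGE"])
        if m:
            counts[m.group(2)] += 1
    return counts


def brute_force_sources(entries, threshold=3, unit="sshd.service"):
    """Source IPs with at least `threshold` failed logins, most active first."""
    counts = failed_logins_by_source(entries, unit)
    hits = [(ip, n) for ip, n in counts.items() if n >= threshold]
    hits.sort(key=lambda item: (-item[1], item[0]))
    return [ip for ip, _ in hits]


if __name__ == "__main__":
    entries = parse_journal_json(SAMPLE_JOURNAL)
    print("entries:", len(entries))
    print("err and above:", [e["MESSAGE"] for e in entries_at_or_above(entries, "err")])
    print("failed logins:", dict(failed_logins_by_source(entries)))
    print("suspect sources:", brute_force_sources(entries))
```

On a real host replace SAMPLE_JOURNAL with the output of `journalctl -u sshd -o json --since today`, for instance via subprocess. Note that the failed-login count is taken from MESSAGE text written by sshd, while the unit filter relies on the trusted _SYSTEMD_UNIT field: the former tells you what sshd said, the latter proves which service said it.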

The main configuration file for journald is /etc/systemd/journald.conf.

With the default setting Storage=auto, journald keeps its logs under /run/log/journal/, which lives on a tmpfs and is cleared on every reboot. If the directory /var/log/journal/ exists, journald stores the journal there instead and it survives reboots. So to make the journal persistent, create that directory with the ownership and permissions below, then restart systemd-journald so it opens the new location (Storage=persistent in journald.conf has the same effect and creates the directory for you).

Step – 24 : Create the directory that will hold the persistent journal

[root@techbrown~]# mkdir /var/log/journal

Step – 25 : Set the owner to root and the group to systemd-journal

[root@techbrown~]# chown root.systemd-journal /var/log/journal

Step – 26 : Set the directory permissions

Mode 2755 gives the owner (root) read, write and execute, and gives the group and everyone else read and execute only; the leading 2 is the setgid bit, which makes journal files created inside the directory inherit the systemd-journal group. Members of that group can read the full journal without root, so keep its membership short.

[root@techbrown~]# chmod 2755 /var/log/journal

Rsyslog

Rsyslog (the "rocket-fast system for log processing") is the syslog implementation used by most Linux distributions. On CentOS 8 and RHEL 8 it is installed as the default syslog service.

On these systems journald and rsyslog run together: rsyslog reads messages from the journal through its imjournal input module (or receives them on the syslog socket when ForwardToSyslog=yes is set in journald.conf) and writes them as plain text files under /var/log/. /etc/rsyslog.conf is the main configuration file for rsyslog, and the rule lines in it decide where each log message is stored.

Each rule line has two parts:

1. Selector field

The selector is written as facility.priority (for example authpriv.*). The facility says which subsystem sent the message (kern, mail, cron, authpriv, local0 to local7, ...); the priority is one of the levels from Step 22 and matches that level and every more severe one. Several selectors may be joined with ";" and several facilities with ",", and the priority "none" excludes a facility.

2. Action field

Specifies what must be done with a message that matches the selector, usually the file to append it to.
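To make the selector semantics concrete, here is an added example (not code from the original article or from the rsyslog project) that evaluates classic selector/action rule lines the way rsyslog does for the stock CentOS / RHEL rule set, so you can see which file a message of a given facility and priority lands in. The rule lines are the defaults shipped in /etc/rsyslog.conf; the messages fed through them are constructed. It implements only the selector forms those rules use (`*`, `none`, `=level`, and a bare level meaning that level and above) and raises ValueError on anything else.

```python
"""Added example (not part of the original article): an evaluator for the
classic selector/action rule lines rsyslog inherits from syslog.conf.  The
rule text is the stock CentOS/RHEL set; the messages fed through it are
constructed.  Only the selector forms those rules need are implemented
(*, none, =level and level-and-above); anything else raises ValueError.
"""

FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
              "syslog": 5, "lpr": 6, "news": 7, "uucp": 8, "cron": 9,
              "authpriv": 10, "ftp": 11,
              **{f"local{i}": 16 + i for i in range(8)}}
PRIORITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}
ALIASES = {"panic": "emerg", "error": "err", "warn": "warning"}

DEFAULT_RULES = """
# Default rule set shipped in /etc/rsyslog.conf on CentOS/RHEL
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 :omusrmsg:*
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log
"""


def parse_rules(text):
    """Return (selector, action) pairs, ignoring comments and blank lines."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        selector, action = line.split(None, 1)
        rules.append((selector, action.strip()))
    return rules


def _level(name):
    name = ALIASES.get(name, name)
    if name not in PRIORITIES:
        raise ValueError(f"unknown priority {name!r}")
    return PRIORITIES[name]


def selector_matches(selector, facility, priority):
    """Apply each facility.priority part left to right; the last part that
    names the message's facility decides.  That is how mail.none placed
    after *.info keeps mail out of /var/log/messages."""
    if facility not in FACILITIES:
        raise ValueError(f"unknown facility {facility!r}")
    matched = False
    for part in selector.split(";"):
        facs, sep, prio = part.rpartition(".")
        if not sep:
            raise ValueError(f"bad selector {part!r}")
        fac_list = facs.split(",")
        for f in fac_list:
            if f != "*" and f not in FACILITIES:
                raise ValueError(f"unknown facility {f!r} in {part!r}")
        if "*" not in fac_list and facility not in fac_list:
            continue
        if prio == "*":
            matched = True
        elif prio == "none":
            matched = False
        elif prio.startswith("="):
            matched = _level(priority) == _level(prio[1:])
        else:
            # A bare level means that level and everything more severe.
            matched = _level(priority) <= _level(prio)
    return matched


def route(rules, facility, priority):
    """Actions that receive a message of the given facility and priority.
    A leading '-' on a file action only disables fsync per message and is
    stripped so the caller sees the file name."""
    return [action.lstrip("-") for selector, action in rules
            if selector_matches(selector, facility, priority)]


RULES = parse_rules(DEFAULT_RULES)

if __name__ == "__main__":
    for fac, pri in [("authpriv", "info"), ("mail", "warning"), ("kern", "debug"),
                     ("daemon", "emerg"), ("local7", "info")]:
        print(f"{fac}.{pri:<8} -> {route(RULES, fac, pri)}")
```

Two things worth noticing in the output: an authpriv.info message goes only to /var/log/secure, because authpriv.none in the first rule removes it from /var/log/messages, and a kern.debug message is dropped entirely, since nothing in the default set selects below info. When you add a rule for security-relevant messages, place any `.none` exclusions after the broad selector they are meant to narrow, or they have no effect.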

Important log files

1. General system messages (everything not routed to a more specific file)

/var/log/messages

2. Security and authentication messages (logins, sudo, sshd)

/var/log/secure

3. Mail server messages

/var/log/maillog

4. Cron job messages

/var/log/cron

5. Boot messages

/var/log/boot.log

That’s all for now.
