The main priority of any system administrator is to identify and analyze various logs using various tools. In this guide we will give you detailed info about Journalctl and Rsyslog on Linux System.


Mainly Log File is useful for troubleshooting and system issue (Linux). Journald is the service used for collecting and storing the logs data. The journald service is used to manage the system log, like kernel logs, syslog messages, boot messages, and running service message etc.

In the unix based systems the service journald implements the journal. Replace with rsyslog as a log management service. Journald collects the data from available sources and stored them in the binary format. To manage journald demon we have journalctl command. There were several command to manage and show logs.

Step – 1 : To List all  the logs from the oldest entry

[[email protected]~]# journalctl

Step – 2 : To List all the logs from the oldest entry in Universal Time Coordinate

[[email protected]~]# journalctl --utc

Step – 3 : To List all the logs from current boot

[[email protected]~]# journalctl -b

Step – 4 : To List all the logs from older boot

[[email protected]~]# journalctl -b -6

Step – 5 : To List the total boots of the system

This take some time.

[[email protected]~]# journalctl --list-boots

Step – 6 : To List all the logs from yesterday

[[email protected]~]# journalctl --since yesterday

Step – 7 : To list all logs between specific time period

[[email protected]~]# journalctl --since 15:00 --until "3 hour ago"

Step – 8 : To list all the logs between some specific time like day year and time

[[email protected]~]# journalctl --since "2018-12-08 03:00" --until "2019-12-08 03:00"
[[email protected]~]# journalctl --since "2018-12-08 11:59:00"

Step – 9 : To List all the logs by User ID

Syntax #journalctl [option] Field.

[[email protected]~]# journalctl -F UID

option F is used to print all possible data value.

Step – 10 : To List all the logs by Group ID

[[email protected]~]# journalctl -F _GID

Step – 11 : To List all the logs  by Process ID

[[email protected]~]# journalctl -F _PID

Step – 12 : To List all the logs from from specific user ID

[[email protected]~]# journalctl  -F _UID=5000

Step – 13 : To List all the logs from from specific user ID

[[email protected]~]# journalctl _GID=115

Step – 14 : To List all the logs from from specific user ID

[[email protected]~]# journalctl _PID=4256

Step – 15 : To List all the logs of an executable file or device

[[email protected]~]# journalctl /mnt/

Step – 16 : To List all the kernel logs

[[email protected]~]# journalctl -k

Step – 17 : To List all the kernel logs from older boot

[[email protected]~]# journalctl -k -b -5

Step – 18 : To show the current Disk Usage of all journal files

[[email protected]~]# journalctl --disk-usage

Step – 19 : To show the most recent journal entries

[[email protected]~]# journalctl -f

Step – 20 : To show the recent logs entries

[[email protected]~]# journalctl -n

Step – 21 : To show the specific recent log entries

[[email protected]~]# journalctl -n 5

Step – 22 : To show the log entries of specific priority

There are several priorities –
emerg, alert, crit, error, warn, notice, info, debug.

[[email protected]~]#journalctl -p warning

Step – 23 : To Display the logs in JSON format

Here, Option u is used to display the log entries for some specific systemd unit. Option o is used to format the output. There are several valid output format available like json, jsonpreety, cat, json-see, verbose, export, short-iso, short-precise,short-monotonic etc.

[[email protected]~]# journalctl -u sshd -o json
[[email protected]~]# journalctl -u sshd -o cat

The main configuration file for journald is /etc/systemd/journald.conf.

Logs generated by journald is not persistently stored by default. Logs stored in /run/log/journal/ directory and get cleared when the system get reboot. To make the journald logs permanent and  persistent user. To create the /var/log/journal/ directory. So that the logs generated by journald will be stored in this directory. It will not get cleared on system reboot.

Step – 24 : Create a directory to store the log persistently

[[email protected]~]# mkdir /var/log/journal

Step – 25 : Change the owner of this directory to root

[[email protected]~]# chown root.systemd-journal /var/log/journal

Step – 26 : Give directory permission.

The permission  2755 means that every user can have read and access permission. The Owner and the member of files group having additionally write permission.

[[email protected]~]# chmod 2755 /var/log/journal


Rsyslog is the Rocket-fast System for LOG processing. Rsyslog is the popular log mechanism in mostly all Linux distributions. Basically in CentOS 8 and RHEL 8 Rsyslog is a default logging service.

Journald forwards all logs to rsyslog which stores them. In plain text files under /var/log/ directory. /etc/rsyslog.conf is the main configuration file for Rsyslog. There is rule lines are written to store log messages in the configuration file.

In each rule line having two parts:

1. Selector field

Selector field is divided into two – “facility” and “priority“.

2. Action field

Specifies what action must be taken for the matched rule.

Important log files

1. Syslog messages are logging file


2. Security and Authentication related logging file


3. Mail Server related logging file


4. Crontab related logging file


5. Booting related logging file


That’s all for now.

Group Administration on CentOS / RHEL

Previous article

You may also like


Leave a reply

Your email address will not be published. Required fields are marked *

More in Linux