Logging With Journald In RHEL7/CentOS7

Introduction

Centos/RHEL 7 comes with services which saves logging information. Some services write their own logs directly to their log information files, e.g. apache maintain their own logs. Some of the service maintain their logs through systemctl. Systemctl is a services that take care of starting, stopping or monitoring the status of a process. systemctl further communicates to Journald which keep track on log information. “journalctl” is used to grep log inforamtion from journald.

Rsyslog is the classical logging method. You may ask either we should use journalctl or rsyslog to maintain our logging information. We can integrate both rsyslog ans journald. The rsyslog messages will be sent to journald or vice versa. The facility is not enabled by default.

Definition of Journal

Journal is a component of systemd. It capture log messages of kernel logs, syslog messages, or error log messages. It collect them, index them and makes availabe to the users. Journal are stored in /run/log/journal directory.

Examples

Lets have a look on current log database:
[root@localhost ~]# journalctl

unxmen_(004)

Output is almost like tail -f /var/log/messages

unxmen_(002)

But, there are some remarkable difference, in journalctl lines having notices or waning will be bold, timestamps are your local time zone, after every boot a new line will be added to clarify that new log begins from now, errors will be highlighted red.

See log message of current boot only
[root@localhost ~]# journalctl -b

unxmen_(005)

Let us see some error messages.
[root@localhost ~]# journalctl -p err

unxmen_(006)

To have last 10 events that happen, type
[root@localhost ~]# journalctl -f

unxmen_(007)

See how must disk space is occupied by journal
[root@localhost ~]# journalctl --disk-usage
Journals take up 8.0M on disk.
 To get data of previous day
[root@localhost ~]# journalctl --since yesterday

unxmen_(008)

To get current system time zone.
[root@localhost ~]# timedatectl
Sample output
 Local time: Tue 2015-08-18 02:32:14 TLT
 Universal time: Mon 2015-08-17 17:32:14 UTC
 RTC time: Mon 2015-08-17 17:32:14
 Timezone: Asia/Dili (TLT, +0900)
 NTP enabled: yes
 NTP synchronized: yes
 RTC in local TZ: no
 DST active: n/a
Change system time zone
List time zone
[root@localhost ~]# timedatectl list-timezones
unxmen_(009)
Set time zone
[root@localhost ~]# timedatectl set-timezone Asia/Dili

Integration of Journald with Rsyslog

With the integration the rsyslog messages will be sent to journald or vice versa. The facility is not enabled by default.  To enable sending log messages to journal  rsyslog.conf is required to configure.

Edit /etc/rsyslog.conf

search for $ModLoad imuxsock and and $ModLoad imjournal

add $OmitLocalLoggin off in a new line

[root@localhost ~]# vim /etc/rsyslog.conf
Sample output
#rsyslog configuration file
# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
#### MODULES ####
# The imjournal module bellow is now used as a message source instead of imuxsock.
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$OmitLocalLoggin off
$ModLoad imjournal # provides access to the systemd journal
#$ModLoad imklog # reads kernel messages (the same are read from journald)
#$ModLoad immark # provides --MARK-- message capability
# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514
# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514
#### GLOBAL DIRECTIVES ####
Save the file and exit.

Open /etc/rsyslog.d/listen.conf

[root@localhost ~]# vim /etc/rsyslog.d/listen.conf

Make sure following line is already present in the file, if not so then add this line to the file.

$SystemLogSocketName /run/systemd/journal/syslog
Save and exit.

Now, This will make connection b/w rsyslog and journald.

That’s it, Have fun!!