Introduction
CentOS/RHEL 7 comes with services that save logging information. Some services write directly to their own log files, e.g. Apache maintains its own logs. Other services maintain their logs through systemctl. systemctl takes care of starting, stopping or monitoring the status of a process. It further communicates with journald, which keeps track of log information. "journalctl" is used to retrieve log information from journald.
Rsyslog is the classical logging method. You may ask whether to use journalctl or rsyslog to maintain logging information. The two can be integrated: rsyslog messages are sent to journald, or vice versa. This facility is not enabled by default.
Definition of Journal
The journal is a component of systemd. It captures kernel log messages, syslog messages and error log messages. It collects them, indexes them and makes them available to users. Journals are stored in the /run/log/journal directory.
Examples
Let's have a look at the current log database:
[root@localhost ~]# journalctl
The output is almost like tail -f /var/log/messages.
There are some notable differences, though. In journalctl, lines containing notices or warnings are shown in bold, timestamps are in your local time zone, a new line is added after every boot to mark where the new log begins, and errors are highlighted in red.
See log messages of the current boot only
[root@localhost ~]# journalctl -b
Let us see some error messages.
[root@localhost ~]# journalctl -p err
To see the last 10 events and follow new ones as they happen, type
[root@localhost ~]# journalctl -f
See how much disk space is occupied by the journal
[root@localhost ~]# journalctl --disk-usage
Journals take up 8.0M on disk.
To get data from the previous day
[root@localhost ~]# journalctl --since yesterday
To get the current system time zone
[root@localhost ~]# timedatectl
Sample output
Local time: Tue 2015-08-18 02:32:14 TLT
Universal time: Mon 2015-08-17 17:32:14 UTC
RTC time: Mon 2015-08-17 17:32:14
Timezone: Asia/Dili (TLT, +0900)
NTP enabled: yes
NTP synchronized: yes
RTC in local TZ: no
DST active: n/a
Change system time zone
List time zones
[root@localhost ~]# timedatectl list-timezones
Set time zone
[root@localhost ~]# timedatectl set-timezone Asia/Dili
Integration of Journald with Rsyslog
With the integration, rsyslog messages are sent to journald, or vice versa. The facility is not enabled by default. To enable sending log messages to the journal, rsyslog.conf has to be configured.
Edit /etc/rsyslog.conf
Search for $ModLoad imuxsock and $ModLoad imjournal
Add $OmitLocalLogging off on a new line
[root@localhost ~]# vim /etc/rsyslog.conf
Sample output
#rsyslog configuration file
# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
#### MODULES ####
# The imjournal module bellow is now used as a message source instead of imuxsock.
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$OmitLocalLogging off
$ModLoad imjournal # provides access to the systemd journal
#$ModLoad imklog # reads kernel messages (the same are read from journald)
#$ModLoad immark # provides --MARK-- message capability
# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514
# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514
#### GLOBAL DIRECTIVES ####
Save the file and exit.
Open /etc/rsyslog.d/listen.conf
[root@localhost ~]# vim /etc/rsyslog.d/listen.conf
Make sure the following line is already present in the file; if it is not, add it.
$SystemLogSocketName /run/systemd/journal/syslog
Save and exit.
This makes the connection between rsyslog and journald.
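The script below is an added example, not part of the original article: it audits the two files edited above for the four settings this section relies on, ignoring commented-out lines, so a broken log pipeline is noticed before events go missing. It assumes the directive is spelled $OmitLocalLogging; the function names and the sample files are constructed for illustration.

```shell
# Added example: audit the rsyslog/journald integration settings from this section.
# Assumption: the directive is spelled $OmitLocalLogging. Function names are illustrative.

# has_directive FILE NAME VALUE: true if an uncommented line sets NAME to VALUE.
has_directive() {
    awk -v n="$2" -v v="$3" '
        { sub(/[ \t]*#.*/, "") }          # drop comments, whole-line or trailing
        $1 == n && $2 == v { found = 1 }
        END { exit !found }' "$1"
}

# need FILE NAME VALUE: print one result line, return 1 if the setting is absent.
need() {
    if has_directive "$1" "$2" "$3"; then echo "OK: $2 $3 ($1)"; return 0; fi
    echo "MISSING: $2 $3 ($1)"; return 1
}

# check_integration [RSYSLOG_CONF] [LISTEN_CONF]: returns 0 only if all four are set.
check_integration() {
    conf=${1:-/etc/rsyslog.conf}
    listen=${2:-/etc/rsyslog.d/listen.conf}
    rc=0
    need "$conf" '$ModLoad' imuxsock || rc=1
    need "$conf" '$ModLoad' imjournal || rc=1
    need "$conf" '$OmitLocalLogging' off || rc=1
    need "$listen" '$SystemLogSocketName' /run/systemd/journal/syslog || rc=1
    return "$rc"
}

# make_samples: write constructed test files (not from a real host), print their dir.
make_samples() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '$ModLoad imuxsock # local logging' '$OmitLocalLogging off' \
        '$ModLoad imjournal' '#$ModLoad imklog' > "$d/good.conf"
    printf '%s\n' '#$ModLoad imuxsock' '$ModLoad imjournal' \
        '$OmitLocalLogging on' > "$d/bad.conf"
    echo '$SystemLogSocketName /run/systemd/journal/syslog' > "$d/listen.conf"
    echo "$d"
}

# No arguments: run on the constructed samples. Otherwise audit the given paths,
# e.g. /etc/rsyslog.conf /etc/rsyslog.d/listen.conf.
if [ "$#" -eq 0 ]; then
    s=$(make_samples) && check_integration "$s/good.conf" "$s/listen.conf"
    rm -rf "$s"
else
    check_integration "$@"
fi
```

A setting that is present but commented out, or set to a different value, is reported as MISSING and makes the script exit non-zero, so it can be run from a configuration-compliance job.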
That’s it, Have fun!!