Introduction
CentOS 7 ships with services that record logging information. Some services write directly to their own log files; Apache, for example, maintains its own logs. Other services have their logs maintained through systemctl. Systemctl is a service that takes care of starting, stopping, and monitoring the status of a process. systemctl in turn communicates with journald, which keeps track of log information. journalctl is used to retrieve log information from journald.
rsyslog is the classical logging method. You may ask whether to use journalctl or rsyslog to maintain logging information. The two can be integrated: rsyslog messages are sent to journald, or vice versa. This facility is not enabled by default.
Definition of Journal
Journal is a component of systemd. It captures kernel log messages, syslog messages, and error log messages. It collects them, indexes them, and makes them available to users. Journals are stored in the /run/log/journal directory.
Let's have a look at the current log database:
When used alone, every journal entry that is in the system will be displayed within a pager (usually less) for you to browse. The oldest entries will be up top:
$ sudo journalctl
You will likely have pages and pages of data to scroll through, which can be tens or hundreds of thousands of lines long if systemd has been on your system for a long while. There are, however, some notable differences: in journalctl, lines containing notices or warnings are shown in bold, timestamps are in your local time zone, a new line is added after every boot to mark where the new log begins, and errors are highlighted in red.
See log messages of the current boot only
$ sudo journalctl -b
Let us see some error messages
$ sudo journalctl -p err
To see the last 10 events and keep following new ones as they arrive, type
$ sudo journalctl -f
See how much disk space is occupied by the journal
$ sudo journalctl --disk-usage
Archived and active journals take up 16.0M in the file system.
To get data from the previous day
$ sudo journalctl --since yesterday
To get current system time zone
$ timedatectl
Local time: Fri 2017-06-16 17:06:35 +04
Universal time: Fri 2017-06-16 13:06:35 UTC
RTC time: Fri 2017-06-16 13:06:35
Time zone: Asia/Dubai (+04, +0400)
Network time on: yes
NTP synchronized: yes
RTC in local TZ: no
List system time zone
$ timedatectl list-timezones
Set system time zone
$ sudo timedatectl set-timezone Asia/Dubai
Integration of Journald with Rsyslog
With the integration, rsyslog messages are sent to journald or vice versa. The facility is not enabled by default. To enable sending log messages to the journal, rsyslog.conf must be configured.
Edit /etc/rsyslog.conf
Search for $ModLoad imuxsock and $ModLoad imjournal
Add $OmitLocalLogging off on a new line
[root@localhost ~]# vim /etc/rsyslog.conf
Sample output
#rsyslog configuration file
# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
#### MODULES ####
# The imjournal module below is now used as a message source instead of imuxsock.
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$OmitLocalLogging off
$ModLoad imjournal # provides access to the systemd journal
#$ModLoad imklog # reads kernel messages (the same are read from journald)
#$ModLoad immark # provides --MARK-- message capability
# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514
# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514
#### GLOBAL DIRECTIVES ####
Save the file and exit.
Open /etc/rsyslog.d/listen.conf
[root@localhost ~]# vim /etc/rsyslog.d/listen.conf
Make sure the following line is present in the file; if it is not, add it.
$SystemLogSocketName /run/systemd/journal/syslog
Save and exit.
This establishes the connection between rsyslog and journald.
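The settings above can be checked with a short script. This is an added example, not part of the original article or of rsyslog; the function names and the sample file contents are assumptions made for illustration, and the default paths are the two files edited above.

```shell
#!/bin/sh
# Added example (not from the original page): checks the journald/rsyslog
# integration settings this page describes. Function names are hypothetical.

# module_loaded FILE MODULE: succeeds if an uncommented "$ModLoad MODULE" exists.
module_loaded() {
    awk -v m="$2" '$1 == "$ModLoad" && $2 == m { ok = 1 } END { exit !ok }' "$1" 2>/dev/null
}

# active_value FILE DIRECTIVE: prints the last uncommented value of DIRECTIVE.
active_value() {
    awk -v d="$2" '$1 == d { v = $2 } END { print v }' "$1" 2>/dev/null
}

# check_journal_integration [RSYSLOG_CONF] [LISTEN_CONF]
# Prints one line per problem and returns the number of problems (0 = all set).
check_journal_integration() {
    conf=${1:-/etc/rsyslog.conf}
    listen=${2:-/etc/rsyslog.d/listen.conf}
    n=0
    for m in imuxsock imjournal; do
        module_loaded "$conf" "$m" || { echo "missing: \$ModLoad $m"; n=$((n + 1)); }
    done
    # A misspelled directive name (e.g. a dropped letter) does not set the option.
    if [ "$(active_value "$conf" '$OmitLocalLogging')" != "off" ]; then
        echo "missing: \$OmitLocalLogging off"; n=$((n + 1))
    fi
    if [ "$(active_value "$listen" '$SystemLogSocketName')" != "/run/systemd/journal/syslog" ]; then
        echo "missing: \$SystemLogSocketName /run/systemd/journal/syslog"; n=$((n + 1))
    fi
    return "$n"
}

# write_sample DIR: constructed sample files for an offline run of the check.
write_sample() {
    printf '%s\n' '$ModLoad imuxsock # local system logging' \
        '$OmitLocalLogging off' '$ModLoad imjournal # systemd journal' \
        '#$ModLoad imklog' > "$1/rsyslog.conf"
    printf '%s\n' '$SystemLogSocketName /run/systemd/journal/syslog' > "$1/listen.conf"
}

# Usage: sh check.sh --check [rsyslog.conf] [listen.conf]
[ "${1:-}" != "--check" ] || check_journal_integration "${2:-}" "${3:-}"
```

rsyslog reads these files when it starts, so run the check after editing them and before restarting the service.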
