Linux System Logs

From Ever changing code

SystemV logging mechanics

These are systems that use init. They usually log to flat files:

  • /var/log/messages
  • /var/log/syslog

The file size is managed by Logrotate.

Systemd - logging

Systemd systems run the journald daemon, which gathers information from the kernel and other sources into one or more binary files.

vi /etc/systemd/journald.conf
SystemMaxUse #max journal file size, by default 10% of a file system but max 4Gb
SystemKeepFree #how much space should be left free, default min free is 15% but min 4Gb
Storage #persistent saves logs to disk, volatile saves logs at /run/log/
man systemd.journal-fields #fields information
# journalctl -x adds explanatory text from the message catalogue
# journalctl -e goes to the end of the logs/catalogue

systemctl status systemd-journald
journalctl #reads logs
journalctl --vacuum-size=100M #shrink logs to 100M
journalctl --vacuum-time=1month #keep only the last month's worth of logs
journalctl --disk-usage
journalctl --verify   #checks integrity
PASS: /run/log/journal/0f141dd26a334ab6be80141b91356675/system.journal
journalctl -p err   #filter by log level, e.g. crit; long form --priority=
journalctl -b #show logs since startup
journalctl -b -1 #logs from the previous boot
journalctl --list-boots #show boot-up occurrences
journalctl --since "2017-05-10 12:00"
journalctl --since yesterday --until now
journalctl -u apache2.service --since yesterday --until now #show logs related only to a specific service
journalctl $(which cntlm) #show an application's log
journalctl -k #kernel log (long form --dmesg), kernel events only, e.g. modprobe, dpms; use -b to select previous sessions
journalctl -b -p err --no-pager > journal.txt #export logs to flat text file
journalctl -f #continuous logs tailing
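
The `journalctl --verify` check and the Storage setting above can be combined into a routine health check. The script below is an added example, not part of the original page: it summarises verify output, lists files that failed, and counts journals living under /run/log/journal/ (volatile, lost at reboot). The function name, the `MACHINE_ID` placeholder, the sample lines and the assumption that failures are reported as `FAIL: <path> (<reason>)` in the same shape as the PASS line are illustrative.

```shell
#!/bin/sh
# Added example: summarise `journalctl --verify` output.
# Real use (journalctl writes the PASS/FAIL lines to stderr):
#   journalctl --verify 2>&1 | summarize_verify

# Reads verify output on stdin.
# Prints one "corrupt: <path>" line per failed file, then
# "pass=N fail=N volatile=N" as the last line.
# Returns 1 if any file failed, 2 if no journal file was checked, else 0.
summarize_verify() {
    awk '
        /^PASS: / { pass++ }
        /^FAIL: / { fail++; print "corrupt: " $2 }
        # Journals under /run/log/journal/ are volatile (Storage=volatile
        # or no persistent journal directory) and do not survive a reboot.
        /^(PASS|FAIL): \/run\/log\/journal\// { vol++ }
        END {
            printf "pass=%d fail=%d volatile=%d\n", pass, fail, vol
            if (fail > 0) exit 1
            if (pass + fail == 0) exit 2
        }'
}

# Constructed sample input; MACHINE_ID is a placeholder, not a real host ID.
SAMPLE_OK='PASS: /run/log/journal/MACHINE_ID/system.journal'
SAMPLE_BAD='PASS: /var/log/journal/MACHINE_ID/system.journal
FAIL: /var/log/journal/MACHINE_ID/user-1000.journal (Bad message)'

# Demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_OK" | summarize_verify
printf '%s\n' "$SAMPLE_BAD" | summarize_verify || echo "verification problems found"
```

A non-zero volatile count on a host that should retain logs across reboots points at the Storage setting in /etc/systemd/journald.conf.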