
1.11.2016

Viewing logs with journalctl in Red Hat 7 and CentOS 7

In the past, SystemV init systems used syslog (or rsyslog) to log events to log files, and in many cases each service wrote to its own separate log file.

With the switch to systemd, Red Hat, Fedora, CentOS, etc. also introduced a new logging facility and tool called the journal. This centralizes the collection of logs and gives administrators one simple, robust tool and one location to inspect and manipulate log data. Here we will cover some of the basics of journalctl, the program used to interface with the logs.

To simply view the logs on your system, you can execute the following command:

journalctl

This will display the logs with the oldest entries first. Although this is simple, it is not very useful, since we do not tend to read logs like a book.

By default journalctl displays the logs in a pager. It shows you one page of logs at a time, requiring you to hit the space bar to proceed. Also, long log lines WILL NOT wrap; they will trail off the right side of the screen. You can use the right arrow key to see the rest of the line.

We will talk more about changing the way the logs are displayed in a different article.  Let's move on to some basic log viewing commands.

Displaying Logs by Date

More than likely you are looking for a particular event. One way to find something in the logs is to display the logs from a certain time. You can specify a single time and it will display all logs SINCE that time, or you can specify a time window.

To find all logs since December 25th 2015 at 07:00 PM you can run:

journalctl --since "2015-12-25 19:00:00"

To find all logs between December 25th 2015 and January 1st 2016:

journalctl --since "2015-12-25" --until "2016-1-1"

You can also use the more human-friendly relative terms. For example, to see all logs since yesterday:

journalctl --since yesterday

You also have the option to mix the absolute and relative terms:

journalctl --since "2015-12-25" --until "2 hours ago"

Displaying Logs by Unit or Service

Another way to find the logs you need is to filter the results by unit (or service). For example, if you want to see all the logs vsftpd (FTP server software) produced, you can specify that in the journalctl command like so:

journalctl -u vsftpd.service

You can mix in a time, or a time window to find logs from a specific service during a specific time.

To find all the vsftpd logs from December 5 2015 to January 8 2016 you can run the following command:

journalctl -u vsftpd.service --since "2015-12-05 16:17:47" --until "2016-1-8 15:03:02"

You can also request logs from two different services at the same time. This comes in handy when trying to see how two services are interacting, or when debugging an issue.

To see all the logs from vsftpd and firewalld you can run this command:

journalctl -u vsftpd.service -u firewalld.service

You can also specify a time in absolute or relative terms, or any combination of the two.

journalctl -u vsftpd.service -u firewalld.service --since "2 days ago"

Displaying Logs by User or Group

You can also find logs generated by a specific user (UID) or group (GID).

For example, let's say I wanted to see all logs from the user "savona".  First I would find their UID like so:

[root@bighat ~]# id savona
uid=1000(savona) gid=1000(savona) groups=1000(savona)

Now that I know their UID is 1000, I can use the _UID filter in journalctl like so:

journalctl _UID=1000

And of course I can mix this with a time window:

journalctl _UID=1000 --since "2 days ago"

Displaying Logs by Process ID

You can also use _PID to search by process ID, or _GID to search by group ID.

journalctl _PID=1221

Displaying Kernel Logs

Since all the logs are kept in one place, we can use the same tool (journalctl) to view just the kernel logs:

journalctl -k

The above command will show you all the kernel messages from the current boot. You can select a different boot with the boot selection option, -b. Offsets of zero or below count back from the current boot (0 is the current boot, -1 the one before it), while positive numbers count forward from the oldest boot still in the journal; journalctl --list-boots prints the boots that are available together with their offsets. So to see the kernel messages from 2 boots ago:

journalctl -k -b -2

The above command will show you all the kernel messages from 2 boots ago.

Displaying Logs Since Last Boot

The boot selection option works on its own as well. If you would like to see all the logs generated since the last boot, simply give the -b option:

journalctl -b

Displaying Logs by Priority

You can also select logs by priority. The journal uses the same message levels as syslog:

0: emerg
1: alert
2: critical
3: error
4: warning
5: notice
6: info
7: debug

To see all logs of priority 4 (warning) and higher, that is, levels 0 through 4:

journalctl -p 4

To see all the logs of priority 3 (error) and higher since the last boot:

journalctl -p 3 -b

And of course you can use time windows if you like:

journalctl -p 3 --since "2 days ago"

Tailing or Following the Log

In my opinion one of the most useful commands for viewing logs is follow, which lets you view the log as it is being written. You may have used "tail -f" in the past. The journalctl utility has the same function:

journalctl -f

Also, similar to tail, you can view the last 10 entries by using the -n option like so:

journalctl -n

Or you can see the last 50 entries by giving a number with the -n option:

journalctl -n 50

You can also see the last 50 entries and then begin following by combining the two options like so:

journalctl -n 50 -f
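The selectors covered in the sections above (--since/--until, -u, _UID=/_PID=, -k, -p and -n) are easier to reason about when you can see them applied to concrete records. The following is an added example, not code from the original post: it re-implements those filters in Python over records laid out the way the real `journalctl -o json` option emits them (one JSON object per line, every value a string, timestamps in microseconds since the epoch). The sample records, the message texts, the helper names (`select`, `parse_time`, `tail`) and the fixed `DEMO_NOW` clock are all constructed for this example, and all times are treated as UTC so the output is reproducible; only a subset of the time specs journalctl accepts is supported.

```python
"""Offline model of the journalctl selectors described above (--since/--until,
-u, _UID= / _PID=, -k, -p and -n), applied to records in the layout that
`journalctl -o json` emits: one JSON object per line, every value a string.
Added example, not code from the original post; the sample records below are
constructed, and all times are treated as UTC for reproducibility."""
import json
import re
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
DEMO_NOW = datetime(2016, 1, 3, 12, 0, tzinfo=UTC)  # fixed "now" so relative specs are reproducible

# syslog levels as journald stores them in PRIORITY (names as journalctl -p accepts them).
# "-p N" keeps PRIORITY <= N: "priority 4 and higher" means levels 0 through 4.
PRIORITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}


def _record(when, msg, prio, unit=None, uid="0", pid="1", transport="journal"):
    """Build one constructed record in `journalctl -o json` layout (a JSON line)."""
    rec = {"__REALTIME_TIMESTAMP": str(int(when.timestamp() * 1_000_000)),  # microseconds
           "PRIORITY": str(prio), "_TRANSPORT": transport, "MESSAGE": msg}
    for key, val in (("_SYSTEMD_UNIT", unit), ("_UID", uid), ("_PID", pid)):
        if val is not None:  # kernel messages carry no unit, UID or PID
            rec[key] = val
    return json.dumps(rec)


# Constructed sample journal, oldest first as journalctl prints it.
SAMPLE_JSON_LINES = [
    _record(datetime(2015, 12, 25, 18, 30, tzinfo=UTC), "vsftpd started", 6, "vsftpd.service", pid="900"),
    _record(datetime(2015, 12, 25, 19, 5, tzinfo=UTC), "login refused", 4, "vsftpd.service", pid="900"),
    _record(datetime(2015, 12, 26, 10, 0, tzinfo=UTC), "rule reload failed", 3, "firewalld.service", pid="702"),
    _record(datetime(2015, 12, 27, 8, 0, tzinfo=UTC), "link is up", 5, transport="kernel", uid=None, pid=None),
    _record(datetime(2015, 12, 28, 12, 0, tzinfo=UTC), "session opened", 6, "session-3.scope", uid="1000", pid="1221"),
    _record(datetime(2016, 1, 2, 0, 0, tzinfo=UTC), "connection timed out", 3, "vsftpd.service", pid="900"),
]

_RELATIVE = re.compile(r"^(\d+)\s*(sec|second|min|minute|hour|day|week)s?\s+ago$")


def parse_time(text, now):
    """Subset of the time specs journalctl accepts: absolute 'YYYY-MM-DD[ HH:MM[:SS]]'
    or relative 'now', 'today', 'yesterday' (midnight of that day) and 'N <unit> ago'."""
    text = text.strip()
    if text == "now":
        return now
    if text in ("today", "yesterday"):
        day = now if text == "today" else now - timedelta(days=1)
        return day.replace(hour=0, minute=0, second=0, microsecond=0)
    m = _RELATIVE.match(text)
    if m:
        unit_seconds = {"sec": 1, "second": 1, "min": 60, "minute": 60,
                        "hour": 3600, "day": 86400, "week": 604800}
        return now - timedelta(seconds=int(m.group(1)) * unit_seconds[m.group(2)])
    for fmt in ("%Y-%m-%d %H:%M:%S", "%Y-%m-%d %H:%M", "%Y-%m-%d"):
        try:
            return datetime.strptime(text, fmt).replace(tzinfo=UTC)
        except ValueError:
            continue
    raise ValueError(f"unsupported time spec: {text!r}")


def select(lines, since=None, until=None, units=(), uid=None, pid=None,
           kernel=False, priority=None, now=None):
    """Apply the selectors to JSON lines; returns matching records, oldest first.
    since/until are command-line style strings, priority a level number or name."""
    now = now or datetime.now(UTC)
    lo = parse_time(since, now) if since else None
    hi = parse_time(until, now) if until else None
    max_prio = None if priority is None else int(PRIORITIES.get(priority, priority))
    keep = []
    for line in lines:
        if not line.strip():
            continue
        rec = json.loads(line)
        t = datetime.fromtimestamp(int(rec["__REALTIME_TIMESTAMP"]) / 1_000_000, tz=UTC)
        if (lo and t < lo) or (hi and t > hi):
            continue
        # -u matches _SYSTEMD_UNIT; real journalctl also picks up systemd's own UNIT= messages
        if units and rec.get("_SYSTEMD_UNIT") not in units:
            continue
        if uid is not None and rec.get("_UID") != str(uid):
            continue
        if pid is not None and rec.get("_PID") != str(pid):
            continue
        if kernel and rec.get("_TRANSPORT") != "kernel":  # -k
            continue
        if max_prio is not None and int(rec.get("PRIORITY", 7)) > max_prio:
            continue
        keep.append(rec)
    return keep


def tail(records, n=10):
    """journalctl -n N: only the N most recent entries of a selection."""
    return records[-n:]


if __name__ == "__main__":
    # Equivalent of: journalctl -u vsftpd.service -u firewalld.service -p 4 --since "2 days ago"
    for rec in select(SAMPLE_JSON_LINES, units={"vsftpd.service", "firewalld.service"},
                      priority=4, since="2 days ago", now=DEMO_NOW):
        print(rec["__REALTIME_TIMESTAMP"], rec["_SYSTEMD_UNIT"], rec["MESSAGE"])
```

Against a live system the same function works on `journalctl -o json` piped through standard input, which is a handy way to check that a filter you are about to rely on (for example a priority threshold in a monitoring script) actually selects the records you expect. The priority check is the one worth remembering: a lower number is more severe, so -p 3 returns errors, critical, alert and emergency messages, not everything from error downwards.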

Finding Size of Logs / Log Maintenance

To find out how much disk space is being used by the journal, simply ask:

journalctl --disk-usage

If you are concerned about disk space, you can trim the logs (remove the oldest entries).

You can do this by specifying the amount of disk space you want to keep or how far back in time you want to keep. Note that vacuuming only removes archived journal files, never the active ones, so the figure reported by --disk-usage afterwards can still be somewhat above the limit you gave.

For example, if you want to delete older logs and keep just 5GB of data:

journalctl --vacuum-size=5GB

If you want to keep only logs from the last year:

journalctl --vacuum-time=1years

Now you should have a decent idea of how to find the logs you are looking for (I just said that in the voice of Obi-Wan). If you have any questions or require further explanation, please feel free to sound off in the comments.
