
Logging With Journald In RHEL7/CentOS7
Introduction

CentOS/RHEL 7 comes with services that save logging information. Some
services write directly to their own log files, e.g. Apache maintains its
own logs. Other services maintain their logs through systemctl. Systemctl
is a service that takes care of starting, stopping or monitoring the status
of a process. Systemctl in turn communicates with journald, which keeps
track of log information. “journalctl” is used to retrieve log information
from journald.

Rsyslog is the classical logging method. You may ask whether we should use
journalctl or rsyslog to maintain our logging information. We can integrate
both rsyslog and journald: rsyslog messages will be sent to journald or
vice versa. This facility is not enabled by default.

Definition of Journal

Journal is a component of systemd. It captures kernel log messages, syslog
messages, and error log messages. It collects them, indexes them and makes
them available to users. Journals are stored in the /run/log/journal
directory.

Examples

Let's have a look at the current log database:

[root@localhost ~]# journalctl


The output is almost like tail -f /var/log/messages. But there are some
notable differences: in journalctl, lines containing notices or warnings are
bold, timestamps are in your local time zone, after every boot a new line is
added to make clear that a new log begins from that point, and errors are
highlighted in red.

See log messages of the current boot only

[root@localhost ~]# journalctl -b


Let us see some error messages.

[root@localhost ~]# journalctl -p err


To see the last 10 events that happened, type

[root@localhost ~]# journalctl -f

See how much disk space is occupied by the journal

[root@localhost ~]# journalctl --disk-usage

Journals take up 8.0M on disk.


To get data from the previous day

[root@localhost ~]# journalctl --since yesterday

To get the current system time zone

[root@localhost ~]# timedatectl

Sample output

Local time: Tue 2015-08-18 02:32:14 TLT
Universal time: Mon 2015-08-17 17:32:14 UTC
RTC time: Mon 2015-08-17 17:32:14
Timezone: Asia/Dili (TLT, +0900)
NTP enabled: yes
NTP synchronized: yes
RTC in local TZ: no
DST active: n/a

Change system time zone

List time zones

[root@localhost ~]# timedatectl list-timezones


Set time zone

[root@localhost ~]# timedatectl set-timezone Asia/Dili

Integration of Journald with Rsyslog

With the integration, rsyslog messages will be sent to journald or vice
versa. The facility is not enabled by default. To enable sending log messages
to the journal, rsyslog.conf needs to be configured.

Edit /etc/rsyslog.conf

Search for $ModLoad imuxsock and $ModLoad imjournal

Add $OmitLocalLogging off on a new line

[root@localhost ~]# vim /etc/rsyslog.conf

Sample output

#rsyslog configuration file

# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### MODULES ####

# The imjournal module bellow is now used as a message source instead of imuxsock.
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$OmitLocalLogging off
$ModLoad imjournal # provides access to the systemd journal
#$ModLoad imklog # reads kernel messages (the same are read from journald)
#$ModLoad immark # provides --MARK-- message capability

# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514

# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514

#### GLOBAL DIRECTIVES ####

Save the file and exit.

Open /etc/rsyslog.d/listen.conf

[root@localhost ~]# vim /etc/rsyslog.d/listen.conf


Make sure the following line is present in the file; if it is not, add it.

$SystemLogSocketName /run/systemd/journal/syslog

Save & Exit
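
One way to check the result of the steps above, as an added example that is not part of the original page. The function names and the constructed sample file are illustrative, and the check assumes that when $OmitLocalLogging appears more than once, the last active occurrence is the one that takes effect.

```sh
#!/bin/sh
# Added example: checks the rsyslog settings this page asks for.

# Print only active lines, so "#$ModLoad imjournal" never counts as set.
active_lines() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" 2>/dev/null
}

# Succeed if FILE ($1) has an active "$ModLoad MODULE" line (MODULE is $2).
module_loaded() {
    active_lines "$1" |
        awk -v m="$2" '$1 == "$ModLoad" && $2 == m { ok = 1 } END { exit !ok }'
}

# Print the effective $OmitLocalLogging value, lower-cased (empty if unset).
# Assumption: if the directive is repeated, the last occurrence wins.
omit_local_logging() {
    active_lines "$1" |
        awk '$1 == "$OmitLocalLogging" { v = tolower($2) } END { print v }'
}

# Succeed if FILE sets $SystemLogSocketName to journald's syslog socket.
socket_name_ok() {
    active_lines "$1" | awk '$1 == "$SystemLogSocketName" { v = $2 }
        END { exit !(v == "/run/systemd/journal/syslog") }'
}

# check_integration [rsyslog.conf] [listen.conf]
# Prints one line per problem; the return status is the number of problems.
check_integration() {
    main=${1:-/etc/rsyslog.conf}
    listen=${2:-/etc/rsyslog.d/listen.conf}
    problems=0
    for mod in imuxsock imjournal; do
        module_loaded "$main" "$mod" ||
            { echo "missing: \$ModLoad $mod in $main"; problems=$((problems + 1)); }
    done
    [ "$(omit_local_logging "$main")" = "off" ] ||
        { echo "missing: \$OmitLocalLogging off in $main"; problems=$((problems + 1)); }
    socket_name_ok "$listen" ||
        { echo "missing: \$SystemLogSocketName in $listen"; problems=$((problems + 1)); }
    return "$problems"
}

# Constructed sample: directive misspelt, imjournal commented out.
demo=$(mktemp -d)
printf '%s\n' '$ModLoad imuxsock # local' '$OmitLocalLoggin off' \
    '#$ModLoad imjournal' > "$demo/rsyslog.conf"
check_integration "$demo/rsyslog.conf" "$demo/listen.conf"
echo "problems found: $?"; rm -rf "$demo"
```

Called with no arguments, check_integration reads /etc/rsyslog.conf and /etc/rsyslog.d/listen.conf.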
