Logging

Use logs for auditing the system and troubleshooting problems caused by processes or the kernel. Logs of events are in text files kept in the /var/log directory. The systemd-journald and rsyslog services handle the syslog messages in RHEL.

Many programs use the syslog protocol to log events to the system. Find the most common syslog messages in /var/log/messages. The rsyslog service uses the facility and priority of each log message to determine how to handle it, according to rules configured in /etc/rsyslog.conf.

The logrotate tool rotates log files to keep them from taking up too much space in the file system containing the /var/log directory.

Use the tail -f /path/to/file command to follow the output of a log file. Use the logger command to send messages to the rsyslog service.

logger testing
tail /var/log/messages

The systemd-journald service stores logging data in a structured, indexed binary file called the journal. Use the journalctl command to retrieve log messages from the journal.

journalctl -f

The journalctl command understands the debug, info, notice, warning, err, crit, alert, and emerg priority levels.

journalctl -p crit

To persist journals, set Storage=persistent in the /etc/systemd/journald.conf configuration file of the systemd-journald service. Restart the service for the change to take effect: systemctl restart systemd-journald.
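Before relying on the journal as an audit trail, it helps to confirm which Storage= value is actually in effect. The script below is an added example, not part of the original page: the function names and the constructed sample file are assumptions, and it relies on journald's default of Storage=auto, which keeps logs on disk only when /var/log/journal exists.

```shell
#!/bin/sh
# Added example: does journald keep logs across reboots on this host?

# journald_storage [FILE...] -> prints the effective Storage= value.
# Files are read in order and the last uncommented assignment wins, so
# drop-in files can be passed after the main configuration file.
journald_storage() {
    [ $# -gt 0 ] || set -- /etc/systemd/journald.conf
    mode=auto   # journald's default when Storage= is unset or commented out
    val=$(cat "$@" 2>/dev/null |
        sed -n 's/^[[:space:]]*Storage[[:space:]]*=[[:space:]]*\([a-z]*\).*/\1/p' |
        tail -n 1)
    [ -n "$val" ] && mode=$val
    printf '%s\n' "$mode"
}

# journal_persists JOURNAL_DIR [FILE...] -> exit 0 if logs survive a reboot.
journal_persists() {
    dir=$1; shift
    case $(journald_storage "$@") in
        persistent) return 0 ;;
        auto)       [ -d "$dir" ] ;;   # auto persists only if the directory exists
        *)          return 1 ;;        # volatile or none
    esac
}

# Constructed sample: default left commented out, then set explicitly.
demo() {
    d=$(mktemp -d)
    printf '[Journal]\n#Storage=auto\nStorage=persistent\n' > "$d/journald.conf"
    if journal_persists "$d/missing" "$d/journald.conf"; then
        echo "journal is persistent"
    else
        echo "journal is lost at reboot"
    fi
    rm -rf "$d"
}
demo
```

On a real host, call journal_persists /var/log/journal /etc/systemd/journald.conf and append any drop-in files from /etc/systemd/journald.conf.d/ after the main file.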

Summary

The systemd-journald and rsyslog services capture log messages and write them to the appropriate files, and the /var/log directory contains the log files. Periodic rotation of log files prevents them from filling up the file system space. By default, the systemd journals are temporary and do not persist across reboots.

Command References:

systemd-journald.service, rsyslogd, rsyslog.conf, logger, tail, logrotate, journalctl