Configuring Logging

Using systemd-journald

• Fedora - journalctl
• Arch - systemd/Journal

Useful commands

systemctl status name.unit # easy access to the latest log messages
journalctl # prints entire journal (important in red)
journalctl -p err # shows only messages with a priority error and higher
journalctl -f # shows the last 10 lines and follows
journalctl -u name.unit # 
journalctl --since "-1 hour"
journalctl --since today 
journalctl -o verbose # 
journalctl -b # shows current boot log
journalctl -xb # add explanation to boot log messages
journalctl --list-boots # shows all boots that have been logged (persistent journal only)
journalctl -b 3 # shows messages from the third boot log only

Preserving the systemd journal

Check current journal settings

journalctl | grep -E 'Runtime Journal|System Journal'

Make the system journal logs persistent

grep 'Storage=' /usr/lib/systemd/journal.conf
mkdir /var/log/journal
systemctl restart systemd-journal-flush.service
ls /var/log/journal

Rsyslog

• Arch - rsyslog
• Fedora - rsyslog
• RHEL 10 - Configuring remote logging (rsyslog)

Logrotate

Arch - logrotate

Knowledge Check

1. Why are systemd logs non persistent by default?
2. Where are the systemd journal settings?
3. What are the storage options for the systemd journal?
4. How often are log files rotated by default?
5. How much of the filesystem size can be used by logs by default?
6. How much of the filesystem free size can be used by logs by default?
7. Where is the configuration file for rsyslog?
8. How should you modify the rsyslog configuration?
9. What does each logger line contain?
10. Where are the log rotate configuration files

Answers

1. Persistent logs are handled by the rsyslog service
2. /usr/lib/systemd/journal.conf
3. Storage options
   • auto: will write persistent logs to /var/log/journal if the directory exists, otherwise will write volatile logs to /run/log/journal
   • persistent: stores journals in /var/log/journal
   • volatile: stores journals in the temp /run/log/journal directory
   • none: doesn’t use any storage for the journal at all
4. Log files are rotated monthly by default
5. 10%
6. 15%
7. /etc/rsyslog.conf
8. Add drop-in files to /etc/rsyslog.d
9. Each logger line contains
   • facility
   • severity
   • destination
10. /etc/logrotate.conf and /etc/logrotate.d

Lab Exercise

1. Make sure the systemd journal is persistent
2. Create an entry in rsyslog that writes all messages with a severity of error or higher to /var/log/error
3. Ensure that /var/log/error is rotated on a monthly basis, and the last 12 logs are kept before they are rotated out

Solution

1. —

   mkdir /var/log/journal
   systemctl restart systemd-journal-flush.service

   or

   mkdir /var/log/journal
   journalctl --flush

2. —

   echo "*.err /var/log/error" >> /etc/rsyslog.d/error.conf
   systemctl restart rsyslog
   logger -p err "error message"
   tail /var/log/error

3. /etc/logrotate.d/error

   /var/log/error {
     monthly
     rotate 12
   }