Default Journal Log Files Locations in Linux

There are two locations where we are most likely to find the ‘systemd’ journal files on a Red Hat Linux system. The default journal log file locations are:

/var/log/journal Persistent journals are stored in the default location of /var/log/journal, if it exists.

/run/log/journal Volatile journals are stored in the default directory of /run/log/journal, if the /var/log/journal directory does not exist.

Linux system log files are files that contain messages about the system, including the kernel, services, and applications running on it. Without logs, troubleshooting would be much more difficult. Even with logs, you’re swimming in a sea of data. Knowing how to find what you’re looking for is important.

There are different log files for different information. For example, there is a default system log file, a log file just for security messages, and a log file for cron tasks. The Linux command-line tool journalctl manages the journal log files.

journalctl is a utility to query the systemd journal.

Journal Log Files Locations or Directories

A list of log files maintained by rsyslogd can be found in the /etc/rsyslog.conf configuration file. Most log files are located in the /var/log/ directory. Some applications such as httpd and samba have a directory within /var/log/ for their log files.

You may notice multiple files in the /var/log/ directory with numbers after them (for example, cron-20100906). These numbers represent a time stamp that has been added to a rotated log file. Log files are rotated so their file sizes do not become too large. The logrotate package contains a cron task that automatically rotates log files according to the /etc/logrotate.conf configuration file and the configuration files in the /etc/logrotate.d/ directory.

Let’s check the web server logs on the system.

grep httpd `find /var/log -maxdepth 1 -type f -print` | less

Checking the systemd logs with a narrower focus: grepping systemd logs from /var/log/messages and paging the output with less.

grep -i systemd /var/log/messages | less

Let’s check the entire /var/log directory for systemd logs.

grep systemd `find /var/log -maxdepth 1 -type f -print` | less

Using the journalctl command to find logs in Linux.

journalctl -u httpd
Checking Web Server Logs using journalctl command

You can use the slash (/) to search throughout the displayed logs, or filter the entries for a specific service with -g (--grep).

journalctl -g systemd | less

Searching with multiple strings.

journalctl -g "httpd|systemd" | less

Searching within an exact time range, with -S for the start (since) and -U for until.

journalctl -S 11:30:00 -U 12:50:00

The journal has an entry for each time we boot the system. Let’s see how many entries we have, that is, which boots are available.

journalctl --list-boots

Let’s read the boot entry 3.

journalctl -b 3

By default the systemd journal logs to memory in RHEL8, in the location /run/log/journal. We can make the journals persistent across reboots.

Note: For the RHCA8 exam everything is persistent, so it’s important to know how to make the journal logs persistent. When you are working with the journal, make sure you configure it.

How do we check how the journal is configured on the system?

We can see it by looking for the storage setting in the /etc/systemd/journald.conf file.

[root@vma ~]# grep -i storage /etc/systemd/journald.conf 

By default it is set to auto.

There are four different modes we can use:

  • Volatile – journal log data is stored in memory only, in the location /run/log/journal.
  • Persistent – /var/log/journal.
  • None – storage disabled, all data dropped.
  • Auto – the default; persistent if /var/log/journal exists, otherwise volatile.

If we want to make our journal persistent, all we need to do with the auto setting is to create the directory /var/log/journal.

mkdir /var/log/journal

To flush the journal logs from /run/log/journal to /var/log/journal:

journalctl --flush

Make some changes on the system and check the /var/log/journal directory for persistent logs.

ls -la /var/log/journal
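
The storage rules above can also be checked in one step. This is an added example, not part of the original article: a shell helper that reads the Storage= setting and resolves auto against the presence of /var/log/journal. The function names storage_setting and effective_mode are hypothetical, and drop-in files under /etc/systemd/journald.conf.d/ are not read.

```shell
#!/bin/sh
# Added example: report the effective journald storage mode on this host.
# Helper names are hypothetical; only the main journald.conf is parsed.

# Print the Storage= value from a journald.conf-style file.
# Commented lines (such as the shipped "#Storage=auto") are ignored, the last
# uncommented assignment wins, and "auto" is printed when nothing is set.
storage_setting() {
    conf=$1
    value=""
    if [ -r "$conf" ]; then
        value=$(sed -n 's/^[[:space:]]*Storage[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*$/\1/p' "$conf" | tail -n 1)
    fi
    printf '%s\n' "${value:-auto}"
}

# Resolve the setting to what actually happens to the logs.
# $1 = config file, $2 = persistent journal directory.
effective_mode() {
    conf=$1
    pdir=$2
    case $(storage_setting "$conf") in
        persistent) echo persistent ;;
        volatile)   echo volatile ;;
        none)       echo none ;;
        auto)
            # auto: persistent only if the directory already exists
            if [ -d "$pdir" ]; then echo persistent; else echo volatile; fi
            ;;
        *)          echo unknown ;;
    esac
}

mode=$(effective_mode /etc/systemd/journald.conf /var/log/journal)
echo "effective journal storage: $mode"
```

A result of volatile or none means the journal entries on this host will not be available after a reboot.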
