This tutorial will walk you through how to find and read Linux log files, and configure the system logging daemon. First, open the Linux terminal as a root user. This will enable root privileges. The command displays all Linux log files, such as kern. These files contain the necessary information for the proper function of the operating system. Log files are accessed using root privileges.
By definition, root is the default account that has access to all Linux files. Note that log files are stored in plain text so they can be viewed by using the following standard commands:. Note: Check out our comprehensive guide on grep to learn how to use it with examples. Logs can tell a lot about the operations of a system. A good understanding of each type of file will help how to distinguish the respective logs. Systems log files are needed for Linux to work.
On its own, it contains the most significant amount of information about system functionality. The most common log files are:. A daemon log is a program that runs in the background and is essential for system operations. These logs have their own category of logs and are seen as the heart of the logging operations for any system.
Each file consists of a selector and an action entry field. The syslogd daemon can forward log messages as well. This can be useful for debugging purposes. Application logs store information relevant to any application that is executed.
These messages are identified by the presence of the cee: string. Then, mmjsonparse checks if the JSON structure is valid and then the message is parsed. In this example, the mmjsonparse module is loaded on the first line, then all messages are forwarded to it.
Currently, there are no configuration parameters available for mmjsonparse. You can shape the form of the final database output with use of templates. By default, rsyslog uses a template based on standard lumberjack field names. With this command, rsyslogd produces debugging information and prints it to the standard output. The -n stands for "no fork". You can modify debugging with environmental variables, for example, you can store the debug output in a log file.
Before starting rsyslogd , type the following on the command line:. Replace path with a desired location for the file where the debugging information will be logged.
Where 1 represents level of verbosity of the output message. This is a forward compatibility option because currently, only one level is provided. However, you must add this argument to run the validation. The Journal is a component of systemd that is responsible for viewing and management of log files.
It can be used in parallel, or in place of a traditional syslog daemon, such as rsyslogd. The Journal was developed to address problems connected with traditional logging. It is closely integrated with the rest of the system, supports various logging technologies and access management for the log files.
It creates and maintains binary files called journals based on logging information that is received from the kernel, from user processes, from standard output, and standard error output of system services or via its native API. These journals are structured and indexed, which provides relatively fast seek times. Journal entries can carry a unique identifier. The journald service collects numerous meta data fields for each log message.
The actual journal files are secured, and therefore cannot be manually edited. To access the journal logs, use the journalctl tool. For a basic view of the logs type as root :. An output of this command is a list of all log files generated on the system including messages generated by system components and by users. The following is an example output provided by the journalctl tool. When called without parameters, the listed entries begin with a time stamp, then the host name and application that performed the operation is mentioned followed by the actual message.
This example shows the first three entries in the journal log:. In many cases, only the latest entries in the journal log are relevant. The simplest way to reduce journalctl output is to use the -n option that lists only the specified number of most recent log entries:. Replace Number with the number of lines to be shown. When no number is specified, journalctl displays the ten most recent entries. The journalctl command allows controlling the form of the output with the following syntax:.
Replace form with a keyword specifying a desired form of output. There are several options, such as verbose , which returns full-structured entry items with all fields, export , which creates a binary stream suitable for backups and network transfer, and json , which formats entries as JSON data structures.
For the full list of keywords, see the journalctl 1 manual page. This example lists fields that identify a single log entry. For a complete description of all possible fields see the systemd. By default, Journal users without root privileges can only see log files generated by them. The system administrator can add selected users to the adm group, which grants them access to complete log files. To do so, type as root :. Here, replace username with a name of the user to be added to the adm group.
This user then receives the same output of the journalctl command as the root user. Note that access control only works when persistent storage is enabled for Journal. When called without parameters, journalctl shows the full list of entries, starting with the oldest entry collected. With the live view, you can supervise the log messages in real time as new entries are continuously printed as they appear. To start journalctl in live view mode, type:. This command returns a list of the ten most current log lines.
The journalctl utility then stays running and waits for new changes to show them immediately. The output of the journalctl command executed without parameters is often extensive, therefore you can use various filtering methods to extract information to meet your needs.
Log messages are often used to track erroneous behavior on the system. To view only entries with a selected or higher priority, use the following syntax:.
Here, replace priority with one of the following keywords or with a number : debug 7 , info 6 , notice 5 , warning 4 , err 3 , crit 2 , alert 1 , and emerg 0. To view only entries with error or higher priority, use:. If you reboot your system just occasionally, the -b will not significantly reduce the output of journalctl.
In such cases, time-based filtering is more helpful:. With --since and --until , you can view only log messages created within a specified time range. You can pass values to these options in form of date or time or both as shown in the following example.
Filtering options can be combined to reduce the set of results according to specific requests. For example, to view the warning or higher priority messages from a certain point in time, type:. For a complete description of meta data that systemd can store, see the systemd. This meta data is collected for each log message, without user intervention. Values are usually text-based, but can take binary and large values; fields can have multiple values assigned though it is not very common.
To view a list of unique values that occur in a specified field, use the following syntax:. Replace fieldname with a name of a field you are interested in. Replace fieldname with a name of a field and value with a specific value contained in that field.
As a result, only lines that match this condition are returned. As the number of meta data fields stored by systemd is quite large, it is easy to forget the exact name of the field of interest.
When unsure, type:. This shows a list of available field names. Tab completion based on context works on field names, so you can type a distinctive set of letters from a field name and then press Tab to complete the name automatically. Similarly, you can list unique values from a field. This serves as an alternative to journalctl -F fieldname.
Specifying two matches for the same field results in a logical OR combination of the matches. Entries matching value1 or value2 are displayed. If two matches for different field names are specified, they will be combined with a logical AND. Entries have to match both conditions to be shown. This command returns entries that match at least one of the conditions, not only those that match both of them.
To display entries created by avahi-daemon. You can apply the aforementioned filtering also in the live-view mode to keep track of the latest changes in the selected group of log entries:. This is sufficient to show recent log history with journalctl. This directory is volatile, log data is not saved permanently. Journal can then replace rsyslog for some users but see the chapter introduction. To enable persistent storage for Journal, create the journal directory manually as shown in the following example.
As root type:. As an alternative to the aforementioned command-line utilities, Red Hat Enterprise Linux 7 provides an accessible GUI for managing log messages. Most log files are stored in plain text format. You can view them with any text editor such as Vi or Emacs. Some log files are readable by all users on the system; however, root privileges are required to read most log files.
To view system log files in an interactive, real-time application, use the System Log. In order to use the System Log , first ensure the gnome-system-log package is installed on your system by running, as root :. For more information on installing packages with Yum, see Section 9. The application only displays log files that exist; thus, the list might differ from the one shown in Figure The System Log application lets you filter any existing log file. Adding or editing a filter lets you define its parameters as is shown in Figure When you have at least one filter defined, it can be selected from the Filters menu and it will automatically search for the strings you have defined in the filter and highlight or hide every successful match in the log file you are currently viewing.
When you select the Show matches only option, only the matched strings will be shown in the log file you are currently viewing. This will display the Open Log window where you can select the directory and file name of the log file you want to view. Figure Click on the Open button to open the file. The file is immediately added to the viewing list where you can select it and view its contents.
The System Log also allows you to open log files zipped in the. System Log monitors all opened logs by default. If a new line is added to a monitored log file, the log name appears in bold in the log list. If the log file is selected or displayed, the new lines appear in bold at the bottom of the log file.
Clicking on the messages log file displays the logs in the file with the new lines in bold. For more information on how to configure the rsyslog daemon and how to locate, view, and monitor log files, see the resources listed below. See Section 9. Before accessing the documentation, you must run the following command as root :. The rsyslog home page offers additional documentation, configuration examples, and video tutorials. Make sure to consult the documents relevant to the version you are using:.
Chapter Viewing and Managing Log Files. For example, the mail subsystem handles all mail-related syslog messages. FACILITY can be represented by one of the following keywords or by a numerical code : kern 0 , user 1 , mail 2 , daemon 3 , auth 4 , syslog 5 , lpr 6 , news 7 , cron 8 , authpriv 9 , ftp 10 , and local0 through local7 16 - To select all kernel syslog messages with any priority, add the following text into the configuration file: kern.
The optional exclamation point! Other Boolean operators are currently not supported in property-based filters. Table Property-based compare-operations Compare-operation Description contains Checks whether the provided string matches any part of the text provided by the property. To select syslog messages which contain the string error in their message text, use: :msg, contains, "error" The following filter selects syslog messages received from the host name host1 : :hostname, isequal, "host1" To select syslog messages which do not contain any mention of the words fatal and error with any or no text between them for example, fatal lib error , type: :msg,!
This can be a single action, or an arbitrary complex script enclosed in curly braces. Expression-based Filters The following expression contains two nested conditions. Saving syslog messages to log files The majority of actions specify to which log file a syslog message is saved.
DynamicFile where DynamicFile is a name of a predefined template that modifies output paths. Sending syslog messages over the network rsyslog allows you to send and receive syslog messages over the network. To use the TCP protocol, use two at signs with no space between them. Compression gain is automatically checked by rsyslogd , messages are compressed only if there is any compression gain and messages below 60 bytes are never compressed.
The HOST attribute specifies the host which receives the selected syslog messages. Sending syslog Messages over the Network The following are some examples of actions that forward syslog messages over the network note that all actions are preceded with a selector that selects all messages with any priority. The NAME attribute specifies the name of the output channel.
Output channels can write only into files, not pipes, terminal, or other kind of output. This value is specified in bytes. Output channel log rotation The following output shows a simple log rotation through the use of an output channel. Executing a Program In the following example, any syslog message with any priority is selected, formatted with the template template and passed as a parameter to the test-program program, which is then executed with the provided parameter:.
Specifying Multiple Actions In the following example, all kernel syslog messages with the critical priority crit are sent to user user1 , processed by the template temp and passed on to the test-program executable, and forwarded to The string argument is the actual template text.
A list of all available properties and their detailed description can be found in the rsyslog. Alternatively, regular expressions can be used to specify a range of characters. A list of all available property options and their detailed description can be found in the rsyslog. Similar directives include: daily monthly yearly.
This is the default option when mail is enabled. Using rulesets The following rulesets ensure different handling of remote messages coming from different ports. Message Flow in Rsyslog. FixedArray queue — the default mode for the main message queue, with a limit of 10, elements.
This type of queue uses a fixed, pre-allocated array that holds pointers to queue elements. Due to these pointers, even if the queue is empty a certain amount of memory is consumed.
However, FixedArray offers the best run time performance and is optimal when you expect a relatively low number of queued messages and high performance. LinkedList queue — here, all structures are dynamically allocated in a linked list, thus the memory is allocated only when needed. LinkedList queues handle occasional message bursts very well.
Reliable Forwarding of Log Messages to a Server Rsyslog is often used to maintain a centralized logging system, where log messages are forwarded to a server over the network. Forwarding To a Single Server Suppose the task is to forward log messages from the system to a server with host name example.
Forwarding To Multiple Servers The process of forwarding log messages to multiple servers is similar to the previous procedure:. Creating a New Directory for rsyslog Log Files. Using the New Syntax for rsyslog queues. Forwarding To a Single Server Using the New Syntax The following example is based on the procedure Forwarding To a Single Server in order to show the difference between the traditional sysntax and the rsyslog 7 syntax.
Configuring rsyslog on a Logging Server. Configure SELinux to Permit rsyslog Traffic on a Port If required to use a new port for rsyslog traffic, follow this procedure on the logging server and the clients.
Configuring firewalld Configure firewalld to allow incoming rsyslog traffic. Input Modules — Input modules gather messages from various sources.
The name of an input module always starts with the im prefix, such as imfile and imjournal. Output Modules — Output modules provide a facility to issue message to various targets such as sending across a network, storing in a database, or encrypting.
The name of an output module always starts with the om prefix, such as omsnmp , omrelp , and so on. Parser Modules — These modules are useful in creating custom parsing rules or to parse malformed messages. With moderate knowledge of the C programming language, you can create your own message parser. The name of a parser module always starts with the pm prefix, such as pmrfc , pmrfc , and so on.
Message Modification Modules — Message modification modules change content of syslog messages. Names of these modules start with the mm prefix.
Message Modification Modules such as mmanon , mmnormalize , or mmjsonparse are used for anonymization or normalization of messages. String Generator Modules — String generator modules generate strings based on the message content and strongly cooperate with the template feature provided by rsyslog.
The name of a string generator module always starts with the sm prefix, such as smfile or smtradfile. Library Modules — Library modules provide functionality for other loadable modules. These modules are loaded automatically by rsyslog when needed and cannot be configured by the user.
Create public key, private key and certificate file, see Section To enable TCP-only mode, use 1 port with the port number at which to start a listener, for example The anon setting means that the client is not authenticated.
Replace number to set the maximum number of sessions supported. This number is not limited by default. Create public key, private key and certificate file. For instructions, see Section This will happen each time the specified number of messages is reached. Replace path with a path to the state file. This file tracks the journal entry that was the last one processed. With seconds , you set the length of the rate limit interval. The default setting is 20, messages per seconds.
Rsyslog discards messages that come after the maximum burst within the time frame specified. With IgnorePreviousMessages you can ignore messages that are currently in Journal and import only new messages, which is used when there is no state file specified.
The default setting is off. Please note that if this setting is off and there is no state file, all messages in the Journal are processed, even if they were already processed in a previous rsyslog session. Specify port to select a non-standard port from the MongoDB server. The default port value is 0 and usually there is no need to change this parameter.
You can set your login details by replacing UID and password. Lines of error priority and higher are highlighted with red color and a bold font is used for lines with notice and warning priority the time stamps are converted for the local time zone of your system all logged data is shown, including rotated logs the beginning of a boot is tagged with a special line.
Example Output of journalctl The following is an example output provided by the journalctl tool. Aug 01 localhost kernel: Initializing cgroup subsys cpuset Aug 01 localhost kernel: Initializing cgroup subsys cpu [ Verbose journalctl Output To view full meta data about all entries, type: journalctl -o verbose [ Filtering by Priority To view only entries with error or higher priority, use: journalctl -p err.
Filtering by Time and Priority Filtering options can be combined to reduce the set of results according to specific requests. When unsure, type: journalctl and press the Tab key two times. Advanced filtering To display entries created by avahi-daemon.
Richer data is recorded for troubleshooting in a longer period of time For immediate troubleshooting, richer data is available after a reboot Server console currently reads data from journal, not log files. Even with persistent storage the amount of data stored depends on free memory, there is no guarantee to cover a specific time span More disk space is needed for logs. Managing Log Files in a Graphical Environment. System Log.
System Log - Filters. System Log - defining a filter. Name — Specifies the name of the filter. Regular Expression — Specifies the regular expression that will be applied to the log file and will attempt to match any possible strings of text in it. Effect Highlight — If checked, the found results will be highlighted with the selected color.
You may select whether to highlight the background or the foreground of the text. Hide — If checked, the found results will be hidden from the log file you are viewing. System Log - enabling a filter. System Log - adding a log file. System Log - new log alert. Username or Email Address. Remember Me. Sign Up For Our Newsletter. Linux Tutorials. Steven Vona , January 11, To simply view the logs on your system, you can execute the following command: journalctl This will display the logs with the oldest entries first.
Diplaying Logs by Date More than likely you are looking for an event. To find all logs since December 25th at PM you can run: journalctl --since " " To find all logs between December 25th and January 1st journalctl --since "" --until "" You can also use the more human friendly relative terms. For example, to see all logs since yesterday: journalctl --since yesterday You also have the option to mix the absolute and relative terms: journalctl --since "" --until "2 hours ago" Displaying Logs by Unit or Service Another way to find the logs you need would be to filter the results by unit or service.
For example, if you want to see all the logs vsftpd FTP software produced you can specify that in the journalctl command like so: journalctl -u vsftpd. To find all the vsftpd logs from December 5 to January 8 you can runt he following command: journalctl -u vsftpd. To see all the logs from vsftpd and firewalld you can run this command: journalctl -u vsftpd.
You can specify a different boot using the boot selection option like so: journalctl -k -b 2 The above command will show you all the kernel messages from 2 boots ago. If you would like to see all the logs generated since the last boot up, simply give the -b option: journalctl -b Displaying Logs by Priority You can also select to view logs by priority. The journal uses the same syslog message levels: 0: emerg 1: alert 2: critical 3: error 4: warning 5: notice 6: info 7: debug To see all logs from priority 4 warning and higher: journalctl -p 4 To see all the logs from priority 3 error and higher since last boot: journalctl -p 3 -b And of course you can use time windows if you like: journalctl -p 3 --since "2 days ago" Tailing or Following the Log In my opinion on for the most useful commands for viewing logs, follow allows you to view the log as they are bring written.
Tags display find grep journal journalctl journald log logs rsyslog search syslog systemd.
0コメント