Chapter 2. Troubleshooting problems by using log files
You can use information from log files for troubleshooting and monitoring system functions. Log files contain messages about the system, including the kernel and the services and applications running on it. The logging system in Red Hat Enterprise Linux is based on the built-in syslog protocol. Various programs then use syslog to record events and organize them into log files.
2.1. Services that handle syslog messages
The following services handle syslog messages:
- The systemd-journald daemon: Collects messages from the following sources and forwards them to Rsyslog for further processing:
  - Kernel
  - Early stages of the boot process
  - Standard and error output of daemons as they start up and run
  - syslog
- The Rsyslog service: Sorts syslog messages by type and priority and writes them to the files in the /var/log directory. The /var/log directory persistently stores the log messages.
2.2. Subdirectories that store syslog messages
The following subdirectories under the /var/log directory store syslog messages:
- /var/log/messages: all syslog messages except the following
- /var/log/secure: security and authentication-related messages and errors
- /var/log/maillog: mail server-related messages and errors
- /var/log/cron: log files related to periodically executed tasks
- /var/log/boot.log: log files related to system startup
2.3. Commands for viewing logs
You can view and manage log files by using the Journal, which is a component of systemd. It addresses problems connected with traditional logging, is closely integrated with the rest of the system, and supports various logging technologies and access management for the log files.
You can use the journalctl command to view messages in the system journal, for example:
$ journalctl -b | grep kvm
May 15 11:31:41 localhost.localdomain kernel: kvm-clock: Using msrs 4b564d01 and 4b564d00
May 15 11:31:41 localhost.localdomain kernel: kvm-clock: cpu 0, msr 76401001, primary cpu clock
Viewing system information
journalctl
- Shows all collected journal entries.
journalctl FILEPATH
- Shows logs related to a specific file. For example, the journalctl /dev/sda command displays logs related to the /dev/sda file system.
journalctl -b
- Shows logs for the current boot.
journalctl -k -b -1
- Shows kernel logs for the previous boot.
Viewing information about specific services
journalctl -b _SYSTEMD_UNIT=<name.service>
- Filters log to show entries matching the systemd service.
journalctl -b _SYSTEMD_UNIT=<name.service> _PID=<number>
- Combines matches. For example, this command shows logs for systemd-units that match <name.service> and the PID <number>.
journalctl -b _SYSTEMD_UNIT=<name.service> _PID=<number> + _SYSTEMD_UNIT=<name2.service>
- The plus sign (+) separator combines two expressions in a logical OR. For example, this command shows all messages from the <name.service> service process with the PID plus all messages from the <name2.service> service (from any of its processes).
journalctl -b _SYSTEMD_UNIT=<name.service> _SYSTEMD_UNIT=<name2.service>
- This command shows all entries matching either expression, referring to the same field. Here, this command shows logs matching a systemd-unit <name.service> or a systemd-unit <name2.service>.
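The match rules described above (different fields are combined with AND, a repeated field with OR, and + joins two expressions with OR), modeled as an added example that is not part of the original documentation or of journalctl itself. The journal entries, unit names, and PIDs are constructed sample data, and the function names are hypothetical.

```python
from collections import defaultdict

def parse_matches(args):
    """Turn journalctl-style match arguments into a list of OR-ed terms.

    Each term maps a field name to the set of values accepted for it.
    """
    terms, current = [], defaultdict(set)
    for arg in args:
        if arg == "+":                    # "+" closes one expression, starts the next
            terms.append(dict(current))
            current = defaultdict(set)
        else:
            field, _, value = arg.partition("=")
            current[field].add(value)     # same field repeated: values are OR-ed
    terms.append(dict(current))
    return [t for t in terms if t]        # drop empty expressions

def entry_matches(entry, terms):
    """No terms selects everything; otherwise one term must match on all its fields."""
    return not terms or any(
        all(entry.get(field) in values for field, values in term.items())
        for term in terms
    )

def select(entries, args):
    """Return the MESSAGE of every entry selected by the match arguments."""
    terms = parse_matches(args)
    return [e["MESSAGE"] for e in entries if entry_matches(e, terms)]

# Constructed sample entries (not real journal output).
ENTRIES = [
    {"_SYSTEMD_UNIT": "sshd.service", "_PID": "811", "MESSAGE": "sshd listener"},
    {"_SYSTEMD_UNIT": "sshd.service", "_PID": "4242", "MESSAGE": "sshd session"},
    {"_SYSTEMD_UNIT": "crond.service", "_PID": "903", "MESSAGE": "cron job"},
    {"_SYSTEMD_UNIT": "chronyd.service", "_PID": "750", "MESSAGE": "clock sync"},
]

if __name__ == "__main__":
    for args in (
        ["_SYSTEMD_UNIT=sshd.service", "_PID=811"],
        ["_SYSTEMD_UNIT=sshd.service", "_PID=811", "+", "_SYSTEMD_UNIT=crond.service"],
        ["_SYSTEMD_UNIT=sshd.service", "_SYSTEMD_UNIT=crond.service"],
    ):
        print(" ".join(args), "->", select(ENTRIES, args))
```

Adding a _PID match narrows the result to a single process, which is why a filter copied from an earlier investigation can silently hide entries from the same unit's other processes.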
Viewing logs related to specific boots
journalctl --list-boots
- Shows a tabular list of boot numbers, their IDs, and the timestamps of the first and last message pertaining to the boot. You can use the ID in the next command to view detailed information.
journalctl --boot=ID _SYSTEMD_UNIT=<name.service>
- Shows information about the specified boot ID.