As you have probably noticed, Red Hat as well as CentOS switched to systemd with version 7 of their operating system releases. This also means that instead of looking at /var/log/messages you are supposed to use journalctl to browse the messages of the operating system. One issue with that is that messages from before the last reboot of your system will not be available, which is probably not what you want.
Let's say I started my Red Hat Linux system just now:
```
Last login: Tue Dec 5 09:12:34 2017 from 192.168.22.1
[root@rhel7 ~]$ uptime
 09:14:14 up 1 min, 1 user, load average: 0.33, 0.15, 0.05
[root@rhel7 ~]$ date
Die Dez 5 09:14:15 CET 2017
```
Asking for any journal logs before that will not show anything:
```
[root@rhel7 ~]$ journalctl --help | grep -- "--since"
  -S --since=DATE Show entries not older than the specified date
[root@rhel7 ~]$ journalctl --since "2017-12-04 00:00:00"
-- Logs begin at Die 2017-12-05 09:13:07 CET, end at Die 2017-12-05 09:14:38 CET. --
Dez 05 09:13:07 rhel7.localdomain systemd-journal[86]: Runtime journal is using 6.2M (max allowed 49.6M, trying to
Dez 05 09:13:07 rhel7.localdomain kernel: Initializing cgroup subsys cpuset
Dez 05 09:13:07 rhel7.localdomain kernel: Initializing cgroup subsys cpu
Dez 05 09:13:07 rhel7.localdomain kernel: Initializing cgroup subsys cpuacct
```
Nothing for yesterday, which is bad. The issue here is the default configuration:
```
[root@rhel7 ~]$ cat /etc/systemd/journald.conf
# This file is part of systemd.
#
# systemd is free software; you can redistribute it and/or modify it
# under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.
#
# Entries in this file show the compile time defaults.
# You can change settings by editing this file.
# Defaults can be restored by simply deleting this file.
#
# See journald.conf(5) for details.

[Journal]
#Storage=auto
#Compress=yes
#Seal=yes
#SplitMode=uid
#SyncIntervalSec=5m
#RateLimitInterval=30s
#RateLimitBurst=1000
#SystemMaxUse=
#SystemKeepFree=
#SystemMaxFileSize=
#RuntimeMaxUse=
#RuntimeKeepFree=
#RuntimeMaxFileSize=
#MaxRetentionSec=
#MaxFileSec=1month
#ForwardToSyslog=yes
#ForwardToKMsg=no
#ForwardToConsole=no
#ForwardToWall=yes
#TTYPath=/dev/console
#MaxLevelStore=debug
#MaxLevelSyslog=debug
#MaxLevelKMsg=notice
#MaxLevelConsole=info
#MaxLevelWall=emerg
```
“Storage=auto” means that the journal will only be persistent if the directory /var/log/journal exists (it does not in the default setup):
```
[root@rhel7 ~]$ ls /var/log/journal
ls: cannot access /var/log/journal: No such file or directory
```
As soon as this is created and the service is restarted the journal will be persistent and will survive a reboot:
```
[root@rhel7 ~]$ mkdir /var/log/journal
[root@rhel7 ~]$ systemctl restart systemd-journald.service
[root@rhel7 ~]$ ls -al /var/log/journal/
total 4
drwxr-xr-x. 3 root root 46 5. Dez 09:15 .
drwxr-xr-x. 10 root root 4096 5. Dez 09:15 ..
drwxr-xr-x. 2 root root 28 5. Dez 09:15 a473db3bada14e478442d99da55345e0
[root@rhel7 ~]$ ls -al /var/log/journal/a473db3bada14e478442d99da55345e0/
total 8192
drwxr-xr-x. 2 root root 28 5. Dez 09:15 .
drwxr-xr-x. 3 root root 46 5. Dez 09:15 ..
-rw-r-----. 1 root root 8388608 5. Dez 09:15 system.journal
```
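A check for the behaviour described above, as an added example that is not part of the original post: it reads the Storage= setting and tests for the directory to report whether journal entries will survive a reboot, which is worth verifying on any host whose logs may be needed after an incident. The function names journal_mode and journal_check are hypothetical, and only the single configuration file shown above is read.

```shell
#!/bin/sh
# Added example (not from the original post).
# journal_mode [CONF] [DIR] -> prints persistent | volatile | none
# CONF and DIR default to the paths used in the post.
journal_mode() {
    conf=${1:-/etc/systemd/journald.conf}
    dir=${2:-/var/log/journal}
    # The last uncommented Storage= line wins; "#Storage=auto" is only a comment.
    storage=$(sed -n 's/^[[:space:]]*Storage[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*/\1/p' \
        "$conf" 2>/dev/null | tail -n 1)
    # Nothing set (or file missing): the compile-time default "auto" applies.
    [ -n "$storage" ] || storage=auto
    case "$storage" in
        persistent) echo persistent ;;   # journald creates DIR itself if needed
        volatile)   echo volatile ;;     # DIR is ignored even if it exists
        none)       echo none ;;         # nothing is stored at all
        auto)
            # Persistent only when the directory already exists.
            if [ -d "$dir" ]; then echo persistent; else echo volatile; fi ;;
        *)
            echo "unknown Storage=$storage in $conf" >&2
            return 2 ;;
    esac
}

# journal_check [CONF] [DIR] -> exit status 0 only if entries survive a reboot
journal_check() {
    mode=$(journal_mode "$@") || return 2
    case "$mode" in
        persistent)
            echo "OK: journal is written below ${2:-/var/log/journal}" ;;
        volatile)
            echo "WARN: journal lives in /run/log/journal and is lost at reboot"
            return 1 ;;
        none)
            echo "WARN: journald stores nothing (Storage=none)"
            return 1 ;;
    esac
}
```

Calling `journal_check` without arguments inspects the real paths; passing a configuration file and a directory lets you test a planned change before restarting the service.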
Of course you should look at the other parameters that control the size of the journal as well as its rotation.