As you probably noticed RedHat as well as CentOS switched to systemd with version 7 of their operating system release. This also means that instead of looking at /var/log/messages you are supposed to use journcalctl to browse the messages of the operating system. One issue with that is that messages before the last reboot of your system will not be available, which is probably not want you want.
Lets say I started my RedHat linux system just now:
Last login: Tue Dec 5 09:12:34 2017 from 192.168.22.1 [[email protected] ~]$ uptime 09:14:14 up 1 min, 1 user, load average: 0.33, 0.15, 0.05 [[email protected] ~]$ date Die Dez 5 09:14:15 CET 2017
Asking for any journal logs before that will not show anything:
[[email protected] ~]$ journalctl --help | grep "--since" -S --since=DATE Show entries not older than the specified date [[email protected] ~]$ journalctl --since "2017-12-04 00:00:00" -- Logs begin at Die 2017-12-05 09:13:07 CET, end at Die 2017-12-05 09:14:38 CET. -- Dez 05 09:13:07 rhel7.localdomain systemd-journal: Runtime journal is using 6.2M (max allowed 49.6M, trying to Dez 05 09:13:07 rhel7.localdomain kernel: Initializing cgroup subsys cpuset Dez 05 09:13:07 rhel7.localdomain kernel: Initializing cgroup subsys cpu Dez 05 09:13:07 rhel7.localdomain kernel: Initializing cgroup subsys cpuacct
Nothing for yesterday, which is bad. The issue here is the default configuration:
[[email protected] ~]$ cat /etc/systemd/journald.conf # This file is part of systemd. # # systemd is free software; you can redistribute it and/or modify it # under the terms of the GNU Lesser General Public License as published by # the Free Software Foundation; either version 2.1 of the License, or # (at your option) any later version. # # Entries in this file show the compile time defaults. # You can change settings by editing this file. # Defaults can be restored by simply deleting this file. # # See journald.conf(5) for details. [Journal] #Storage=auto #Compress=yes #Seal=yes #SplitMode=uid #SyncIntervalSec=5m #RateLimitInterval=30s #RateLimitBurst=1000 #SystemMaxUse= #SystemKeepFree= #SystemMaxFileSize= #RuntimeMaxUse= #RuntimeKeepFree= #RuntimeMaxFileSize= #MaxRetentionSec= #MaxFileSec=1month #ForwardToSyslog=yes #ForwardToKMsg=no #ForwardToConsole=no #ForwardToWall=yes #TTYPath=/dev/console #MaxLevelStore=debug #MaxLevelSyslog=debug #MaxLevelKMsg=notice #MaxLevelConsole=info #MaxLevelWall=emerg
“Storage=auto” means that the journal will only be persistent if this directory exists (it does not in the default setup):
[[email protected] ~]$ ls /var/log/journal ls: cannot access /var/log/journal: No such file or directory
As soon as this is created and the service is restarted the journal will be persistent and will survive a reboot:
[[email protected] ~]$ mkdir /var/log/journal [[email protected] ~]$ systemctl restart systemd-journald.service total 4 drwxr-xr-x. 3 root root 46 5. Dez 09:15 . drwxr-xr-x. 10 root root 4096 5. Dez 09:15 .. drwxr-xr-x. 2 root root 28 5. Dez 09:15 a473db3bada14e478442d99da55345e0 [[email protected] ~]$ ls -al /var/log/journal/a473db3bada14e478442d99da55345e0/ total 8192 drwxr-xr-x. 2 root root 28 5. Dez 09:15 . drwxr-xr-x. 3 root root 46 5. Dez 09:15 .. -rw-r-----. 1 root root 8388608 5. Dez 09:15 system.journal
Of course you should look at the other parameters that control the size of journal as well as rotation.