Log Management

systemd-journald, log rotation, persistent logging, and log analysis on RHEL 10.

systemd-journald

RHEL 10 uses systemd-journald as the system logging daemon. It collects logs from the kernel, systemd, and application services.

# View all logs
sudo journalctl

# View logs for a specific service
sudo journalctl -u sshd

# Follow logs in real time
sudo journalctl -u sshd -f

# Logs since last boot
sudo journalctl -b

# Logs from previous boot
sudo journalctl -b -1

# Priority filter (emerg=0..debug=7)
sudo journalctl -p err
sudo journalctl -p 3..4

# Time range filter
sudo journalctl --since '2 hours ago'
sudo journalctl --since '2026-05-01' --until '2026-05-02'

# Disk usage
sudo journalctl --disk-usage

# Vacuum by age or size
sudo journalctl --vacuum-time=7d
sudo journalctl --vacuum-size=500M

Persistent Logging

By default, journal logs are kept in memory and are lost on reboot. Enable persistent storage so that logs survive reboots.

# Enable persistent journal
sudo mkdir -p /var/log/journal
sudo systemd-tmpfiles --create --prefix /var/log/journal
sudo systemctl restart systemd-journald

# Verify
ls -la /var/log/journal/

Log Rotation

# Configure journal size limits in /etc/systemd/journald.conf:
# SystemMaxUse=500M
# SystemKeepFree=1G
# SystemMaxFileSize=100M
# MaxRetentionSec=1month
# MaxFileSec=1day

# For traditional syslog apps, logrotate handles rotation
# Config files: /etc/logrotate.d/

# Example logrotate config for custom app
sudo tee /etc/logrotate.d/myapp <<'EOF'
/var/log/myapp/*.log {
    daily
    rotate 7
    compress
    delaycompress
    missingok
    notifempty
    create 0640 myapp myapp
    sharedscripts
    postrotate
        systemctl reload myapp
    endscript
}
EOF

# Test rotation (debug mode: a dry run, nothing is actually rotated)
sudo logrotate -d /etc/logrotate.d/myapp

# Force rotation
sudo logrotate -f /etc/logrotate.d/myapp

Rsyslog

# Install rsyslog for traditional syslog
sudo dnf install -y rsyslog
sudo systemctl enable --now rsyslog

# View traditional logs
cat /var/log/messages
cat /var/log/secure

# Remote logging (server)
# Edit /etc/rsyslog.conf (the module is loaded first, the port is set on the input):
# module(load="imtcp")
# input(type="imtcp" port="514")
sudo systemctl restart rsyslog

# Remote logging (client)
# @@ forwards over TCP (a single @ is UDP); this traffic is not encrypted
sudo tee /etc/rsyslog.d/remote.conf <<'EOF'
*.* @@logserver.example.com:514
EOF
sudo systemctl restart rsyslog

Log Analysis

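# Count log entries by service
# (field 5 of the default output is the identifier, e.g. "sshd[1234]:")
sudo journalctl --no-pager | awk '{print $5}' | sed 's/\[[0-9]*\]:$//; s/:$//' | sort | uniq -c | sort -rn | head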

# Find failed logins
sudo journalctl -u sshd | grep 'Failed password'

# Export logs to file
# (the redirect runs as your user and the file gets your umask; logs can hold sensitive data)
sudo journalctl -b > /tmp/last-boot.log

# Forward journal to rsyslog
# Enable in /etc/systemd/journald.conf:
# ForwardToSyslog=yes
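
The failed-login search above, extended into a per-source summary as an added example that is not part of the original page. It parses the trailing "from ADDR port N" fields from the right, because the user name in the message is attacker-supplied. The sample log lines, the function names sample_log, failed_by_source and flag_sources, and the default threshold of 3 are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): per-source summary of sshd
# "Failed password" events. All log lines below are constructed samples.

sample_log() {
cat <<'EOF'
May 01 10:00:01 host1 sshd[1201]: Failed password for root from 203.0.113.7 port 50122 ssh2
May 01 10:00:03 host1 sshd[1201]: Failed password for root from 203.0.113.7 port 50122 ssh2
May 01 10:00:05 host1 sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 50130 ssh2
May 01 10:02:11 host1 sshd[1210]: Accepted publickey for alice from 198.51.100.20 port 40022 ssh2
May 01 10:05:40 host1 sshd[1222]: Failed password for alice from 198.51.100.20 port 40100 ssh2
May 01 10:06:00 host1 sshd[1230]: Failed password for invalid user from from 192.0.2.9 port 4000 ssh2
May 01 10:07:00 host1 sshd[1231]: Failed password for bob
EOF
}

# Reads journalctl short-format lines on stdin.
# Prints "TOTAL INVALID_USER SOURCE" per source address, busiest first.
failed_by_source() {
  awk '
    / Failed password for / {
      # The user name is attacker-supplied, so parse from the right-hand end:
      # sshd itself writes the trailing "from ADDR port N ssh2".
      if (NF < 5 || $(NF-4) != "from" || $(NF-2) != "port") { skipped++; next }
      src = $(NF-3)
      total[src]++
      if ($0 ~ / Failed password for invalid user /) invalid[src]++
    }
    END {
      for (src in total) print total[src], invalid[src] + 0, src
      if (skipped) print skipped " malformed line(s) skipped" > "/dev/stderr"
    }
  ' | sort -k1,1nr -k3,3
}

# Prints only the sources with at least $1 failures (default 3, an assumed threshold).
flag_sources() {
  failed_by_source | awk -v min="${1:-3}" '$1 >= min { print $3 }'
}

# Demo on the constructed sample; on a live host, pipe in:
#   sudo journalctl -u sshd --no-pager
sample_log | failed_by_source
```

The second column separates guesses at nonexistent accounts from failures against real ones, which is usually the more urgent signal.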