Welcome to Day 12 of the 30 Days of Linux Challenge. Today’s focus is one of the most vital but often overlooked skills in Linux system administration: log management.
In Red Hat-based systems, logs provide deep insights into your system’s health, security, and performance. Whether you're trying to diagnose a service that failed to start, tracking SSH login attempts, or confirming whether a cron job actually ran — logs are your first source of truth.
📚 Table of Contents
- Why Log Management Matters
- Exploring journalctl (systemd Logs)
- Managing Journal Size and Retention
- Classic Logs in /var/log/
- Analyzing Logs with less, grep, tail
- Try It Yourself
- Why This Matters in the Real World
Why Log Management Matters
Logs are your black box — capturing every system event, error, login attempt, software installation, and scheduled task.
Without logs, you’re left guessing:
- Why did a service fail?
- Who accessed the system and when?
- Did a scheduled backup actually run?
- Were updates installed successfully?
On Red Hat Linux, two powerful logging mechanisms coexist:
- systemd’s journalctl (structured and searchable)
- Classic plain-text logs in /var/log/
Knowing how to read and manage both gives you full visibility and control.
Exploring journalctl (systemd Logs)
journalctl is the gateway to systemd's logging system. It aggregates logs from:
- System boot
- Services (like sshd, crond, firewalld)
- Kernel messages
- Applications using systemd's journal API
🔹 View all logs:
journalctl
🔹 View logs from the current boot:
journalctl -b
🔹 Follow logs in real time:
journalctl -f
🔹 Show logs for a specific service:
journalctl -u sshd
journalctl -u firewalld
🔹 Filter by time:
journalctl --since "2023-11-01" --until "2023-11-02 03:00"
journalctl --since yesterday
journalctl --since "1 hour ago"
🔹 Filter by priority:
journalctl -p err
journalctl -p warning
Priority levels:
| Level | Meaning |
|---|---|
| 0 | Emergency |
| 1 | Alert |
| 2 | Critical |
| 3 | Error |
| 4 | Warning |
| 5 | Notice |
| 6 | Info (default) |
| 7 | Debug |
Managing Journal Size and Retention
Check how much disk space the journal is using:
journalctl --disk-usage
Reduce log size by time:
sudo journalctl --vacuum-time=7d
Reduce by size limit:
sudo journalctl --vacuum-size=200M
This is especially useful on VPS systems with limited storage.
Classic Logs in /var/log/
While journalctl is great, traditional log files are still widely used and easy to work with.
| Log File | Purpose |
|---|---|
| /var/log/messages | General system events |
| /var/log/secure | Authentication logs (SSH, sudo, etc.) |
| /var/log/yum.log | Software installs & package updates |
| /var/log/boot.log | Boot events |
| /var/log/cron | Cron job output |
| /var/log/httpd/ | Apache web server logs |
| /var/log/firewalld | Firewall-related events |
Analyzing Logs with less, grep, tail
These tools let you navigate logs efficiently:
View logs with less:
less /var/log/messages
less /var/log/secure
Search for keywords:
grep "Failed password" /var/log/secure
grep -i error /var/log/yum.log
Follow logs live (like journalctl -f):
tail -f /var/log/messages
Combine tools:
grep "sshd" /var/log/secure | tail -10
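Going one step past the `grep "Failed password"` and `tail` pipeline above, this added example (not from the original post) turns the same /var/log/secure lines into a per-source count of failed SSH logins, which is the view you actually want when checking whether one address is hammering the box. The log lines are constructed sample data written to a temporary file, so it runs anywhere without touching the real /var/log/secure.

```shell
#!/bin/sh
# Added example: summarise "Failed password" events from an
# /var/log/secure-style file by source address.
# The lines below are CONSTRUCTED sample data, not a real capture.

SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Nov  1 02:11:04 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51034 ssh2
Nov  1 02:11:06 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51036 ssh2
Nov  1 02:11:09 host sshd[1203]: Failed password for root from 203.0.113.7 port 51040 ssh2
Nov  1 02:15:30 host sshd[1210]: Accepted publickey for alice from 198.51.100.4 port 40022 ssh2
Nov  1 02:20:12 host sshd[1215]: Failed password for alice from 198.51.100.4 port 40100 ssh2
Nov  1 02:21:00 host sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/systemctl restart sshd
EOF

# failed_by_source FILE
# Prints "COUNT ADDRESS" lines, most frequent source first.
# The address is the field right after "from" on a "Failed password" line.
failed_by_source() {
    grep 'Failed password' "$1" \
    | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }' \
    | sort | uniq -c | sort -rn \
    | awk '{ print $1, $2 }'
}

# failed_count FILE ADDRESS
# Prints the number of failures seen from ADDRESS (0 if none).
failed_count() {
    failed_by_source "$1" \
    | awk -v a="$2" '$2 == a { print $1; found = 1 } END { if (!found) print 0 }'
}

# sources_over FILE THRESHOLD
# Prints every address with more than THRESHOLD failures, one per line.
sources_over() {
    failed_by_source "$1" | awk -v t="$2" '$1 > t { print $2 }'
}

echo "Failed SSH logins by source:"
failed_by_source "$SAMPLE_LOG"
echo "Sources with more than 2 failures:"
sources_over "$SAMPLE_LOG" 2
```

Point `failed_by_source` at the real file (`sudo sh thisscript.sh` after replacing `$SAMPLE_LOG` with /var/log/secure) and the same counts come out of your own auth log.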
Try It Yourself
Here’s a sample session to explore and clean logs:
Journalctl basics
journalctl -xe
journalctl -u sshd
journalctl --since "2 days ago"
View logs on login attempts
grep "Failed" /var/log/secure
Check package install history
cat /var/log/yum.log
Clean old journal logs
sudo journalctl --vacuum-time=5d
Why This Matters in the Real World
Log mastery means:
- Faster debugging during outages
- Security auditing of user access
- System uptime monitoring
- Evidence for incident reports
In production environments, logs are often shipped to central systems like the ELK stack, Grafana Loki, or Red Hat Insights — but it all starts with knowing how to read them locally.