q24-system-logs
Task§
Solve this question on: web-srv1
- Write all `nginx.service` log entries from the last boot into `/opt/course/24/nginx.log`.
- Configure `systemd-journald` to store logs persistently across reboots.
- List all kernel error messages since `2024-01-01` into `/opt/course/24/kernel-errors.log`.
- Limit the journal disk usage to a maximum of `200M`.
Solution§
Step 1 — Service logs from current boot§
journalctl -u nginx.service -b 0 > /opt/course/24/nginx.log
journalctl cheat sheet:
| Flag | Meaning |
|---|---|
| `-u <unit>` | filter by systemd unit |
| `-b` / `-b -1` / `-b 0` | current boot / previous boot / current |
| `--list-boots` | list available boots |
| `-p err` | priority err and more severe (levels, most to least severe: emerg, alert, crit, err, warning, notice, info, debug) |
| `-k` | kernel messages only (= dmesg) |
| `-f` | follow (like `tail -f`) |
| `--since "2024-01-01" --until "1h ago"` | time-based filter |
| `-n 50` | last 50 lines |
| `-o json-pretty` | output format |
| `--disk-usage` | space used by journal |
| `--vacuum-size=200M` / `--vacuum-time=2weeks` | shrink |
Step 2 — Make the journal persistent§
By default, on systems without /var/log/journal/, logs live in /run/log/journal/ (RAM, lost at reboot).
sudo mkdir -p /var/log/journal
sudo systemd-tmpfiles --create --prefix /var/log/journal
sudo systemctl restart systemd-journald
Or edit /etc/systemd/journald.conf:
[Journal]
# Storage: persistent | volatile | auto | none
Storage=persistent
SystemMaxUse=200M
SystemMaxFileSize=50M
MaxRetentionSec=1month
Then sudo systemctl restart systemd-journald.
Step 3 — Kernel errors since a date§
journalctl -k -p err --since "2024-01-01" > /opt/course/24/kernel-errors.log
Step 4 — Disk usage cap§
Either via the conf file above, or one-shot:
sudo journalctl --vacuum-size=200M
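The check below is an added example, not part of the original page: a POSIX shell audit for Steps 2 and 4 that reads journald.conf the way systemd does, where `#` starts a comment only at the beginning of a line, so a value followed by `# ...` is not `persistent`. The function names and the optional ROOT argument are assumptions made for the example, and only the main file and its drop-ins under /etc are considered.

```shell
# Added example: audit journald settings the way systemd parses them.
# Assumption: only ROOT/etc/systemd/journald.conf and journald.conf.d/*.conf are read.

# journald_value KEY [ROOT]: print the last value assigned to KEY in [Journal].
journald_value() {
    key=$1 dir=${2:-}/etc/systemd
    set --
    for f in "$dir/journald.conf" "$dir"/journald.conf.d/*.conf; do
        if [ -f "$f" ]; then set -- "$@" "$f"; fi
    done
    [ $# -gt 0 ] || return 0
    awk -v key="$key" '
        FNR == 1      { in_j = 0 }
        /^[ \t]*[#;]/ { next }   # comments are whole lines only
        /^[ \t]*\[/   { in_j = ($0 ~ /^[ \t]*\[Journal\][ \t]*$/); next }
        in_j && (i = index($0, "=")) {
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v   # a trailing "# ..." stays in the value
        }
        END { print val }' "$@"
}

# to_bytes SIZE: 200M-style sizes (K/M/G, base 1024) to bytes; fails on junk.
to_bytes() {
    n=${1%[KMG]}
    case $n in ''|*[!0-9]*) return 1 ;; esac
    case $1 in *K) m=1024 ;; *M) m=1048576 ;; *G) m=1073741824 ;; *) m=1 ;; esac
    echo $((n * m))
}

# audit_journald [ROOT]: return 0 only if logs persist and the cap is <= 200M.
audit_journald() {
    rc=0
    storage=$(journald_value Storage "${1:-}")
    max=$(journald_value SystemMaxUse "${1:-}")
    if [ "$storage" != persistent ]; then
        echo "FAIL Storage='$storage' (want persistent)"; rc=1
    fi
    if ! bytes=$(to_bytes "$max") || [ "$bytes" -gt 209715200 ]; then
        echo "FAIL SystemMaxUse='$max' (want a value <= 200M)"; rc=1
    fi
    return "$rc"
}

# Constructed input: the value is followed by an inline "#", which is not a comment.
demo=$(mktemp -d) && mkdir -p "$demo/etc/systemd"
printf '[Journal]\nStorage=persistent # persistent | volatile\nSystemMaxUse=200M\n' \
    > "$demo/etc/systemd/journald.conf"
audit_journald "$demo" || echo "audit failed on the constructed file"
rm -rf "$demo"
```

Call `audit_journald` with no argument to check the live files under /etc/systemd.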
Traditional log files§
Even with systemd, classic /var/log files often remain (via rsyslog):
| File | Content |
|---|---|
| `/var/log/messages` (RHEL) / `/var/log/syslog` (Debian) | general system messages |
| `/var/log/secure` (RHEL) / `/var/log/auth.log` (Debian) | authentication, sudo, sshd |
| `/var/log/kern.log` | kernel ring buffer |
| `/var/log/dmesg` | last boot kernel messages |
| `/var/log/audit/audit.log` | auditd (SELinux denials) |
| `/var/log/boot.log` | boot-time messages |
Rotation is handled by logrotate — configs under /etc/logrotate.d/. Force a run with sudo logrotate -f /etc/logrotate.conf.
—The Gardener