RH134 — Log analysis and storage

Goal

Document chapter 5 of RH134 v10.0 while studying it: understand how events are logged on RHEL, query them via syslog and journal, make the journal persistent, and keep time in sync.

Chapter content

What I practice (mental map)

Services / kernel / scripts
        ↓
   journald (journal)  ←→  rsyslog (/var/log/)
        ↓                        ↓
   journalctl              tail / grep / logger

Key labs and exercises

Syslog — messages-debug (5.4)

Rule in /etc/rsyslog.d/debug.conf (exact name with .conf):

*.debug /var/log/messages-debug

systemctl restart rsyslog
logger -p user.debug "Debug Message Test"
tail /var/log/messages-debug

See also glossary — messages-debug lab.

Journal — queries (5.5 / 5.6)

journalctl -p warning
journalctl -b
journalctl --list-boots
journalctl -u rsyslog -n 20 --no-pager
journalctl -xe

Persistent journal (5.7 / 5.8)

ls /var/log/journal/
journalctl --disk-usage
# Config: /etc/systemd/journald.conf → Storage=persistent (or auto)
sudo systemctl restart systemd-journald

Time synchronization (5.9)

timedatectl
chronyc tracking
systemctl status chronyd

Reference commands

rsyslogd -N1                              # validate rsyslog config
logger -p user.info "test message"
journalctl --vacuum-time=7d               # maintenance (admin)

Lab notes

(Fill in after 5.4, 5.6, and 5.8: configs changed, errors — e.g. debug-conf without .conf — and fixes.)

Next step

Finish quizzes 5.2 and labs with lab finish when done; paste key output from persistent journal and chrony here.