System Logs
Learn how to read and analyze system logs to diagnose and troubleshoot issues in Oreon Linux.
systemd Journal
Oreon uses systemd's journald for centralized logging. The journalctl command is your primary tool for accessing logs.
Essential Log Commands
Basic Journal Commands
# View all logs
journalctl
# Follow logs in real-time
journalctl -f
# Show only today's logs
journalctl --since today
# Show logs from the current boot
journalctl -b
# Show last 50 lines
journalctl -n 50
Service-Specific Logs
# Logs for specific service
journalctl -u NetworkManager
# Follow service logs
journalctl -fu sshd
# Show service errors only
journalctl -u httpd --priority=err
# Since specific time
journalctl --since "2024-01-01"
Kernel Messages
# Current boot kernel messages
dmesg
# Follow kernel messages
dmesg -w
# Filter by facility
dmesg --facility=daemon
# Human readable timestamps
dmesg -T
Log Priorities
- emerg - System unusable
- alert - Action must be taken
- crit - Critical conditions
- err - Error conditions
- warning - Warning conditions
- notice - Normal significant condition
- info - Informational messages
- debug - Debug-level messages
Common Log Locations
| Log File | Content | Command |
|---|---|---|
| /var/log/messages | General system messages | tail -f /var/log/messages |
| /var/log/secure | Authentication and security | grep "Failed" /var/log/secure |
| /var/log/dnf.log | Package manager activity | tail /var/log/dnf.log |
| /var/log/audit/audit.log | SELinux and audit events | ausearch -m avc |
| /var/log/boot.log | Boot process messages | less /var/log/boot.log |
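The grep "Failed" /var/log/secure check from the table, taken a step further to count failed SSH password attempts per source address and flag sources that later log in. This is an added example, not part of the original Oreon page; the function names, the default threshold and the sample lines are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example. Reads sshd lines (the format of /var/log/secure or
# `journalctl -u sshd`) on stdin and prints, per source address:
#   <failures> <distinct users tried> <source> <flag>
# flag is ALERT at or above the threshold ($1, default 5, an assumed value);
# +LOGIN is appended when an Accepted login follows failures from that source.
summarize_ssh_failures() {
    awk -v threshold="${1:-5}" '
    # The user name is remote-controlled text, so the source is read from the
    # " from ADDR port N" that ends the line, not from the first "from".
    /sshd[^ ]*: Failed password for / && match($0, / from [^ ]+ port [0-9]+( ssh2)?$/) {
        split(substr($0, RSTART + 6), t, " "); s = t[1]
        u = substr($0, 1, RSTART - 1)
        sub(/^.*Failed password for (invalid user )?/, "", u)
        fails[s]++
        if (!((s, u) in seen)) { seen[s, u] = 1; users[s]++ }
        next
    }
    /sshd[^ ]*: Accepted / && match($0, / from [^ ]+ port [0-9]+/) {
        split(substr($0, RSTART + 6), t, " ")
        if (t[1] in fails) login[t[1]] = 1
    }
    END {
        for (s in fails) {
            flag = (fails[s] >= threshold + 0) ? "ALERT" : "ok"
            if (s in login) flag = flag "+LOGIN"
            print fails[s], users[s], s, flag
        }
    }' | sort -k1,1nr -k3,3
}

# Constructed sample input (documentation address ranges, not real hosts).
sample_log() {
    cat <<'EOF'
Jan 10 03:12:01 host sshd[2101]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jan 10 03:12:03 host sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Jan 10 03:12:05 host sshd[2103]: Failed password for invalid user x from 192.0.2.1 port 1 ssh2 from 203.0.113.5 port 51240 ssh2
Jan 10 03:12:09 host sshd[2104]: Accepted password for root from 203.0.113.5 port 51244 ssh2
Jan 10 08:30:12 host sshd[2200]: Failed password for alice from 198.51.100.7 port 40022 ssh2
Jan 10 08:30:20 host sshd[2200]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2: ED25519 SHA256:CONSTRUCTED
EOF
}

sample_log | summarize_ssh_failures 3
```

On a live system, pipe sudo cat /var/log/secure or journalctl -u sshd --no-pager into the function instead of the sample.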
Troubleshooting Scenarios
Diagnosing Boot Problems
When your system fails to boot or boots slowly:
# Check boot logs from previous boot
journalctl -b -1
# Look for boot failures
journalctl --priority=err -b
# Check systemd services that failed
systemctl --failed
# Analyze boot time
systemd-analyze blame
Service Not Starting
When a service fails to start or keeps crashing:
# Check service status
systemctl status servicename
# View service logs
journalctl -u servicename
# See recent failures
journalctl -u servicename --since "1 hour ago"
# Follow logs while restarting
journalctl -fu servicename &
systemctl restart servicename
Hardware Problems
For hardware detection and driver issues:
# Check for hardware errors
dmesg | grep -i error
# Look for firmware issues
dmesg | grep -i firmware
# Check USB device detection
journalctl -k | grep -i usb
# Monitor hardware events
udevadm monitor
Network Connectivity
Troubleshooting network problems:
# NetworkManager logs
journalctl -u NetworkManager
# Check DHCP issues
journalctl | grep -i dhcp
# View firewall logs
journalctl -u firewalld
# Check for connection attempts
grep "wlan0" /var/log/messages
Advanced Log Analysis
Filtering and Searching
# Search for specific text
journalctl | grep "error"
# Filter by time range
journalctl --since "2024-01-01 12:00:00" \
--until "2024-01-01 13:00:00"
# Filter by user
journalctl _UID=1000
# Multiple service logs
journalctl -u service1 -u service2
Log Export and Storage
# Export logs to file
journalctl > system-logs.txt
# Export specific timeframe
journalctl --since today > today-logs.txt
# Check journal size
journalctl --disk-usage
# Clean old logs
sudo journalctl --vacuum-time=1month
Log Monitoring Tools
journalctl
Built-in systemd journal viewer
journalctl -f
tail
Monitor file changes in real-time
tail -f /var/log/messages
ausearch
Search audit logs for security events
ausearch -m avc
Log Rotation and Maintenance
Storage Management
Logs can consume significant disk space. Regular maintenance is important for system health.
Journal Configuration
# Edit journal config
sudo nano /etc/systemd/journald.conf
# Key settings (in the [Journal] section):
SystemMaxUse=1G
MaxFileSec=1month
MaxRetentionSec=1year
# Restart journald
sudo systemctl restart systemd-journald
Manual Cleanup
# Remove logs older than 1 week
sudo journalctl --vacuum-time=1week
# Keep only 500MB of logs
sudo journalctl --vacuum-size=500M
# Remove old rotated files
sudo find /var/log -name "*.old" -delete
Pro Tips
- Use journalctl -p err to quickly find error messages
- Combine multiple filters: journalctl -u sshd --since yesterday
- Use --no-pager to prevent output from being piped through a pager
- Save frequently used commands as shell aliases