RH199 - ch12s05

Course update

An updated version of this course is available that uses a newer version of Red Hat Enterprise Linux in the lab environment. Therefore, the RHEL 9.0 version of the lab environment will retire on December 31, 2024. Please complete any work in this lab environment before it is removed on December 31, 2024. For the most up-to-date version of this course, we recommend moving to the RHEL 9.3 version.

Preface A: Introduction

Section A.1: RHCSA Rapid Track

Section A.2: Orientation to the Classroom Environment

Section A.3: Performing Lab Exercises

Chapter 1: Access Systems and Get Support

Section 1.1: Edit Text Files from the Shell Prompt

Section 1.2: Guided Exercise: Edit Text Files from the Shell Prompt

Section 1.3: Configure SSH Key-based Authentication

Section 1.4: Guided Exercise: Configure SSH Key-based Authentication

Section 1.5: Create a Diagnostics Report

Section 1.6: Guided Exercise: Create a Diagnostics Report

Section 1.7: Detect and Resolve Issues with Red Hat Insights

Section 1.8: Quiz: Detect and Resolve Issues with Red Hat Insights

Section 1.9: Summary

Chapter 2: Manage Files from the Command Line

Section 2.1: Describe Linux File System Hierarchy Concepts

Section 2.2: Quiz: Describe Linux File System Hierarchy Concepts

Section 2.3: Make Links Between Files

Section 2.4: Guided Exercise: Make Links Between Files

Section 2.5: Match File Names with Shell Expansions

Section 2.6: Quiz: Match File Names with Shell Expansions

Section 2.7: Lab: Manage Files from the Command Line

Section 2.8: Summary

Chapter 3: Manage Local Users and Groups

Section 3.1: Describe User and Group Concepts

Section 3.2: Quiz: Describe User and Group Concepts

Section 3.3: Gain Superuser Access

Section 3.4: Guided Exercise: Gain Superuser Access

Section 3.5: Manage Local User Accounts

Section 3.6: Guided Exercise: Manage Local User Accounts

Section 3.7: Manage Local Group Accounts

Section 3.8: Guided Exercise: Manage Local Group Accounts

Section 3.9: Manage User Passwords

Section 3.10: Guided Exercise: Manage User Passwords

Section 3.11: Lab: Manage Local Users and Groups

Section 3.12: Summary

Chapter 4: Control Access to Files

Section 4.1: Manage File System Permissions from the Command Line

Section 4.2: Guided Exercise: Manage File System Permissions from the Command Line

Section 4.3: Manage Default Permissions and File Access

Section 4.4: Guided Exercise: Manage Default Permissions and File Access

Section 4.5: Lab: Control Access to Files

Section 4.6: Summary

Chapter 5: Manage SELinux Security

Section 5.1: Change the SELinux Enforcement Mode

Section 5.2: Guided Exercise: Change the SELinux Enforcement Mode

Section 5.3: Control SELinux File Contexts

Section 5.4: Guided Exercise: Control SELinux File Contexts

Section 5.5: Adjust SELinux Policy with Booleans

Section 5.6: Guided Exercise: Adjust SELinux Policy with Booleans

Section 5.7: Investigate and Resolve SELinux Issues

Section 5.8: Guided Exercise: Investigate and Resolve SELinux Issues

Section 5.9: Lab: Manage SELinux Security

Section 5.10: Summary

Chapter 6: Tune System Performance

Section 6.1: Kill Processes

Section 6.2: Guided Exercise: Kill Processes

Section 6.3: Monitor Process Activity

Section 6.4: Guided Exercise: Monitor Process Activity

Section 6.5: Adjust Tuning Profiles

Section 6.6: Guided Exercise: Adjust Tuning Profiles

Section 6.7: Influence Process Scheduling

Section 6.8: Guided Exercise: Influence Process Scheduling

Section 6.9: Lab: Tune System Performance

Section 6.10: Summary

Chapter 7: Schedule Future Tasks

Section 7.1: Schedule Recurring User Jobs

Section 7.2: Guided Exercise: Schedule Recurring User Jobs

Section 7.3: Schedule Recurring System Jobs

Section 7.4: Guided Exercise: Schedule Recurring System Jobs

Section 7.5: Manage Temporary Files

Section 7.6: Guided Exercise: Manage Temporary Files

Section 7.7: Quiz: Schedule Future Tasks

Section 7.8: Summary

Chapter 8: Install and Update Software Packages

Section 8.1: Register Systems for Red Hat Support

Section 8.2: Quiz: Register Systems for Red Hat Support

Section 8.3: Install and Update Software Packages with DNF

Section 8.4: Guided Exercise: Install and Update Software Packages with DNF

Section 8.5: Enable DNF Software Repositories

Section 8.6: Guided Exercise: Enable DNF Software Repositories

Section 8.7: Lab: Install and Update Software Packages

Section 8.8: Summary

Chapter 9: Manage Basic Storage

Section 9.1: Mount and Unmount File Systems

Section 9.2: Guided Exercise: Mount and Unmount File Systems

Section 9.3: Add Partitions, File Systems, and Persistent Mounts

Section 9.4: Guided Exercise: Add Partitions, File Systems, and Persistent Mounts

Section 9.5: Manage Swap Space

Section 9.6: Guided Exercise: Manage Swap Space

Section 9.7: Lab: Manage Basic Storage

Section 9.8: Summary

Chapter 10: Manage Storage Stack

Section 10.1: Create and Extend Logical Volumes

Section 10.2: Guided Exercise: Create and Extend Logical Volumes

Section 10.3: Lab: Manage Storage Stack

Section 10.4: Summary

Chapter 11: Control Services and Boot Process

Section 11.1: Identify Automatically Started System Processes

Section 11.2: Guided Exercise: Identify Automatically Started System Processes

Section 11.3: Control System Services

Section 11.4: Guided Exercise: Control System Services

Section 11.5: Select the Boot Target

Section 11.6: Guided Exercise: Select the Boot Target

Section 11.7: Reset the Root Password

Section 11.8: Guided Exercise: Reset the Root Password

Section 11.9: Repair File-system Issues at Boot

Section 11.10: Guided Exercise: Repair File-system Issues at Boot

Section 11.11: Lab: Control the Boot Process

Section 11.12: Summary

Chapter 12: Analyze and Store Logs

Section 12.1: Describe System Log Architecture

Section 12.2: Quiz: Describe System Log Architecture

Section 12.3: Review Syslog Files

Section 12.4: Guided Exercise: Review Syslog Files

SectionSection 12.5: Review System Journal Entries

Section 12.6: Guided Exercise: Review System Journal Entries

Section 12.7: Preserve the System Journal

Section 12.8: Guided Exercise: Preserve the System Journal

Section 12.9: Maintain Accurate Time

Section 12.10: Guided Exercise: Maintain Accurate Time

Section 12.11: Lab: Analyze and Store Logs

Section 12.12: Summary

Chapter 13: Manage Networking

Section 13.1: Validate Network Configuration

Section 13.2: Guided Exercise: Validate Network Configuration

Section 13.3: Configure Networking from the Command Line

Section 13.4: Guided Exercise: Configure Networking from the Command Line

Section 13.5: Edit Network Configuration Files

Section 13.6: Guided Exercise: Edit Network Configuration Files

Section 13.7: Configure Hostnames and Name Resolution

Section 13.8: Guided Exercise: Configure Hostnames and Name Resolution

Section 13.9: Lab: Manage Networking

Section 13.10: Summary

Chapter 14: Access Network-Attached Storage

Section 14.1: Manage Network-Attached Storage with NFS

Section 14.2: Guided Exercise: Manage Network-Attached Storage with NFS

Section 14.3: Automount Network-Attached Storage

Section 14.4: Guided Exercise: Automount Network-Attached Storage

Section 14.5: Lab: Access Network-Attached Storage

Section 14.6: Summary

Chapter 15: Manage Network Security

Section 15.1: Manage Server Firewalls

Section 15.2: Guided Exercise: Manage Server Firewalls

Section 15.3: Control SELinux Port Labeling

Section 15.4: Guided Exercise: Control SELinux Port Labeling

Section 15.5: Lab: Manage Network Security

Section 15.6: Summary

Chapter 16: Run Containers

Section 16.1: Container Concepts

Section 16.2: Quiz: Container Concepts

Section 16.3: Deploy Containers

Section 16.4: Guided Exercise: Deploy Containers

Section 16.5: Manage Container Storage and Network Resources

Section 16.6: Guided Exercise: Manage Container Storage and Network Resources

Section 16.7: Manage Containers as System Services

Section 16.8: Guided Exercise: Manage Containers as System Services

Section 16.9: Lab: Run Containers

Section 16.10: Summary

Chapter 17: Comprehensive Review

Section 17.1: Comprehensive Review

Section 17.2: Lab: Fix Boot Issues and Maintain Servers

Section 17.3: Lab: Configure and Manage File Systems and Storage

Section 17.4: Lab: Configure and Manage Server Security

Section 17.5: Lab: Run Containers

Bookmark this page

P 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17

Review System Journal Entries

Objectives

Find and interpret entries in the system journal to troubleshoot problems or review system status.

Find Events on the System Journal

The systemd-journald service stores logging data in a structured, indexed binary file called a journal. This data includes extra information about the log event. For example, for syslog events, this information includes the priority of the original message and the facility, which is a value that the syslog service assigns to track the process that originated a message.

Important

In Red Hat Enterprise Linux, the memory-based /run/log directory holds the system journal by default. The contents of the /run/log directory are lost when the system is shut down. You can change the journald directory to a persistent location, which is discussed later in this chapter.

To retrieve log messages from the journal, use the journalctl command. You can use the journalctl command to view all messages in the journal, or to search for specific events based on options and criteria. If you run the command as root, then you have full access to the journal. Although regular users can also use the journalctl command, the system restricts them from seeing certain messages.

[root@host ~]# journalctl
...output omitted...
Mar 15 04:42:16 host.lab.example.com systemd[2127]: Listening on PipeWire Multimedia System Socket.
Mar 15 04:42:16 host.lab.example.com systemd[2127]: Starting Create User's Volatile Files and Directories...
Mar 15 04:42:16 host.lab.example.com systemd[2127]: Listening on D-Bus User Message Bus Socket.
Mar 15 04:42:16 host.lab.example.com systemd[2127]: Reached target Sockets.
Mar 15 04:42:16 host.lab.example.com systemd[2127]: Finished Create User's Volatile Files and Directories.
Mar 15 04:42:16 host.lab.example.com systemd[2127]: Reached target Basic System.
Mar 15 04:42:16 host.lab.example.com systemd[1]: Started User Manager for UID 0.
Mar 15 04:42:16 host.lab.example.com systemd[2127]: Reached target Main User Target.
Mar 15 04:42:16 host.lab.example.com systemd[2127]: Startup finished in 90ms.
Mar 15 04:42:16 host.lab.example.com systemd[1]: Started Session 6 of User root.
Mar 15 04:42:16 host.lab.example.com sshd[2110]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)
Mar 15 04:42:17 host.lab.example.com systemd[1]: Starting Hostname Service...
Mar 15 04:42:17 host.lab.example.com systemd[1]: Started Hostname Service.
lines 1951-2000/2000 (END) q

The journalctl command highlights important log messages; messages with the notice or warning priority are in bold text, whereas messages with the error priority or higher are in red text.

The key to successful use of the journal for troubleshooting and auditing is to limit journal searches to show only relevant output.

By default, the journalctl command -n option shows the last 10 log entries. You can adjust the number of log entries with an optional argument that specifies how many log entries to display. For example, to review the last five log entries, you can run the following journalctl command:

[root@host ~]# journalctl -n 5
Mar 15 04:42:17 host.lab.example.com systemd[1]: Started Hostname Service.
Mar 15 04:42:47 host.lab.example.com systemd[1]: systemd-hostnamed.service: Deactivated successfully.
Mar 15 04:47:33 host.lab.example.com systemd[2127]: Created slice User Background Tasks Slice.
Mar 15 04:47:33 host.lab.example.com systemd[2127]: Starting Cleanup of User's Temporary Files and Directories...
Mar 15 04:47:33 host.lab.example.com systemd[2127]: Finished Cleanup of User's Temporary Files and Directories.

Similar to the tail command, the journalctl command -f option outputs the last 10 lines of the system journal and continues to output new journal entries when the journal appends them. To exit the journalctl command -f option, use the Ctrl+C key combination.

[root@host ~]# journalctl -f
Mar 15 04:47:33 host.lab.example.com systemd[2127]: Finished Cleanup of User's Temporary Files and Directories.
Mar 15 05:01:01 host.lab.example.com CROND[2197]: (root) CMD (run-parts /etc/cron.hourly)
Mar 15 05:01:01 host.lab.example.com run-parts[2200]: (/etc/cron.hourly) starting 0anacron
Mar 15 05:01:01 host.lab.example.com anacron[2208]: Anacron started on 2022-03-15
Mar 15 05:01:01 host.lab.example.com anacron[2208]: Will run job `cron.daily' in 29 min.
Mar 15 05:01:01 host.lab.example.com anacron[2208]: Will run job `cron.weekly' in 49 min.
Mar 15 05:01:01 host.lab.example.com anacron[2208]: Will run job `cron.monthly' in 69 min.
Mar 15 05:01:01 host.lab.example.com anacron[2208]: Jobs will be executed sequentially
Mar 15 05:01:01 host.lab.example.com run-parts[2210]: (/etc/cron.hourly) finished 0anacron
Mar 15 05:01:01 host.lab.example.com CROND[2196]: (root) CMDEND (run-parts /etc/cron.hourly)
^C
[root@host ~]#

To help to troubleshoot problems, you can filter the output of the journal by the priority of the journal entries. The journalctl command -p option shows the journal entries with a specified priority level (by name or by number) or higher. The journalctl command processes the debug, info, notice, warning, err, crit, alert, and emerg priority levels, in ascending priority order.

As an example, run the following journalctl command to list journal entries with the err priority or higher:

[root@host ~]# journalctl -p err
Mar 15 04:22:00 host.lab.example.com pipewire-pulse[1640]: pw.conf: execvp error 'pactl': No such file or direct
Mar 15 04:22:17 host.lab.example.com kernel: Detected CPU family 6 model 13 stepping 3
Mar 15 04:22:17 host.lab.example.com kernel: Warning: Intel Processor - this hardware has not undergone testing by Red Hat and might not be certif>
Mar 15 04:22:20 host.lab.example.com smartd[669]: DEVICESCAN failed: glob(3) aborted matching pattern /dev/discs/disc*
Mar 15 04:22:20 host.lab.example.com smartd[669]: In the system's table of devices NO devices found to scan

You can show messages for a specified systemd unit by using the journalctl command -u option and the unit name.

[root@host ~]# journalctl -u sshd.service
May 15 04:30:18 host.lab.example.com systemd[1]: Starting OpenSSH server daemon...
May 15 04:30:18 host.lab.example.com sshd[1142]: Server listening on 0.0.0.0 port 22.
May 15 04:30:18 host.lab.example.com sshd[1142]: Server listening on :: port 22.
May 15 04:30:18 host.lab.example.com systemd[1]: Started OpenSSH server daemon.
May 15 04:32:03 host.lab.example.com sshd[1796]: Accepted publickey for user1 from 172.25.250.254 port 43876 ssh2: RSA SHA256:1UGy...>
May 15 04:32:03 host.lab.example.com sshd[1796]: pam_unix(sshd:session): session opened for user user1(uid=1000) by (uid=0)
May 15 04:32:26 host.lab.example.com sshd[1866]: Accepted publickey for user2 from ::1 port 36088 ssh2: RSA SHA256:M8ik...
May 15 04:32:26 host.lab.example.com sshd[1866]: pam_unix(sshd:session): session opened for user user2(uid=1001) by (uid=0)
lines 1-8/8 (END) q

When looking for specific events, you can limit the output to a specific time frame. To limit the output to a specific time range, the journalctl command has the --since option and the --until option. Both options take a time argument in the "YYYY-MM-DD hh:mm:ss" format (the double quotation marks are required to preserve the space in the option).

The journalctl command assumes that the day starts at 00:00:00 when you omit the time argument. The command assumes the current day when you omit the day argument. Both options take yesterday, today, and tomorrow as valid arguments in addition to the date and time field.

As an example, run the following journalctl command to list all journal entries from today's records:

[root@host ~]# journalctl --since today
...output omitted...
Mar 15 05:04:20 host.lab.example.com systemd[1]: Started Session 8 of User student.
Mar 15 05:04:20 host.lab.example.com sshd[2255]: pam_unix(sshd:session): session opened for user student(uid=1000) by (uid=0)
Mar 15 05:04:20 host.lab.example.com systemd[1]: Starting Hostname Service...
Mar 15 05:04:20 host.lab.example.com systemd[1]: Started Hostname Service.
Mar 15 05:04:50 host.lab.example.com systemd[1]: systemd-hostnamed.service: Deactivated successfully.
Mar 15 05:06:33 host.lab.example.com systemd[2261]: Starting Mark boot as successful...
Mar 15 05:06:33 host.lab.example.com systemd[2261]: Finished Mark boot as successful.
lines 1996-2043/2043 (END) q

Run the following journalctl command to list all journal entries from 2022-03-11 20:30:00 to 2022-03-14 10:00:00:

[root@host ~]# journalctl --since "2022-03-11 20:30" --until "2022-03-14 10:00"
...output omitted...

You can also specify all entries since a relative time to the present. For example, to specify all entries in the last hour, you can use the following command:

[root@host ~]# journalctl --since "-1 hour"
...output omitted...

Note

You can use other, more sophisticated time specifications with the --since and --until options. For some examples, see the systemd.time(7) man page.

In addition to the visible content of the journal, you can view additional log entries if you turn on the verbose output. You can use any displayed extra field to filter the output of a journal query. The verbose output is useful to reduce the output of complex searches for certain events in the journal.

[root@host ~]# journalctl -o verbose
Tue 2022-03-15 05:10:32.625470 EDT [s=e7623387430b4c14b2c71917db58e0ee;i...]
    _BOOT_ID=beaadd6e5c5448e393ce716cd76229d4
    _MACHINE_ID=4ec03abd2f7b40118b1b357f479b3112
    PRIORITY=6
    SYSLOG_FACILITY=3
    SYSLOG_IDENTIFIER=systemd
    _UID=0
    _GID=0
    _TRANSPORT=journal
    _CAP_EFFECTIVE=1ffffffffff
    TID=1
    CODE_FILE=src/core/job.c
    CODE_LINE=744
    CODE_FUNC=job_emit_done_message
    JOB_RESULT=done
    _PID=1
    _COMM=systemd
    _EXE=/usr/lib/systemd/systemd
    _SYSTEMD_CGROUP=/init.scope
    _SYSTEMD_UNIT=init.scope
    _SYSTEMD_SLICE=-.slice
    JOB_TYPE=stop
    MESSAGE_ID=9d1aaa27d60140bd96365438aad20286
    _HOSTNAME=host.lab.example.com
    _CMDLINE=/usr/lib/systemd/systemd --switched-root --system --deserialize 31
    _SELINUX_CONTEXT=system_u:system_r:init_t:s0
    UNIT=user-1000.slice
    MESSAGE=Removed slice User Slice of UID 1000.
    INVOCATION_ID=0e5efc1b4a6d41198f0cf02116ca8aa8
    JOB_ID=3220
    _SOURCE_REALTIME_TIMESTAMP=1647335432625470
lines 46560-46607/46607 (END) q

The following list shows some fields of the system journal that you can use to search for relevant lines to a particular process or event:

_COMM is the command name.
_EXE is the path to the executable file for the process.
_PID is the PID of the process.
_UID is the UID of the user that runs the process.
_SYSTEMD_UNIT is the systemd unit that started the process.

You can combine multiple system journal fields to form a granular search query with the journalctl command. For example, the following journalctl command shows all related journal entries to the sshd.service systemd unit from a process with PID 2110.

[root@host ~]# journalctl _SYSTEMD_UNIT=sshd.service _PID=2110
Mar 15 04:42:16 host.lab.example.com sshd[2110]: Accepted publickey for root from 172.25.250.254 port 46224 ssh2: RSA SHA256:1UGybTe52L2jzEJa1HLVKn9QUCKrTv3ZzxnMJol1Fro
Mar 15 04:42:16 host.lab.example.com sshd[2110]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)

Note

For a list of journal fields, consult the systemd.journal-fields(7) man page.

References

journalctl(1), systemd.journal-fields(7), and systemd.time(7) man pages

For more information refer to the Troubleshooting Problems Using Log Files section in the Red Hat Enterprise Linux 9 Configuring Basic System Settings guide at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/configuring_basic_system_settings/index#troubleshooting-problems-using-log-files_getting-started-with-system-administration

Revision: rh199-9.0-4fecb06