
Oracle Linux Basic Administration Series - Part 14 - How to Manage System Logs with journalctl and rsyslog in Oracle Linux

  • Jason Beattie
  • Nov 11, 2025

Logs are your system’s black box. They record everything that happens under the hood: service activity, authentication, kernel messages, and more.


Oracle Linux uses two main logging systems:

  • systemd-journald – modern binary log manager used with journalctl

  • rsyslog – traditional text-based logging service



In this blog, you’ll learn how to:

  • View and filter logs using journalctl

  • Manage persistent systemd logs

  • Understand and configure rsyslog

  • Rotate and clean up log files


Step 1: View Logs with journalctl


The journalctl command displays logs collected by systemd, including boot messages and service logs.

View all logs:

sudo journalctl

Logs are shown from oldest to newest. To show the newest entries first:

sudo journalctl -r


Step 2: Follow Logs in Real Time


Like tail -f, you can follow logs live:

sudo journalctl -f

Example: Watch SSH logs as you connect:

sudo journalctl -u sshd -f


Step 3: Filter Logs by Service, Time, or Priority


View logs for a specific service:

sudo journalctl -u httpd


Filter by priority (e.g., errors only):

sudo journalctl -p err

View logs since yesterday:

sudo journalctl --since "yesterday"


Between specific times:

sudo journalctl --since "2025-11-09 08:00:00" --until "2025-11-09 10:00:00"

Combine filters:

sudo journalctl -u sshd -p warning --since today


Step 4: Make Journal Logs Persistent


By default, systemd-journald stores logs in memory (lost on reboot). To make logs persistent across reboots:


  1. Create the persistent directory:

sudo mkdir -p /var/log/journal

  2. Restart journald:

sudo systemctl restart systemd-journald

Now logs will be saved permanently under /var/log/journal/.


Step 5: Limit Journal Size

Check the current journal size:

journalctl --disk-usage

Shrink the journal to 100MB (a one-time cleanup, not a permanent cap):

sudo journalctl --vacuum-size=100M

Limit by time (e.g., keep 2 weeks of logs):

sudo journalctl --vacuum-time=2weeks


Step 6: Understanding rsyslog


rsyslog is the traditional Linux logging daemon that stores logs in plain text under /var/log/.


Check its status:

sudo systemctl status rsyslog

Restart if needed:

sudo systemctl restart rsyslog

Common log files:

File                 Description
/var/log/messages    General system messages
/var/log/secure      Authentication and security logs
/var/log/maillog     Mail server logs
/var/log/cron        Cron job logs
/var/log/dmesg       Kernel ring buffer messages
/var/log/httpd/      Apache web server logs

View recent logs:

sudo tail -n 20 /var/log/messages



Step 7: Customize rsyslog Configuration

Main configuration file:

/etc/rsyslog.conf

Includes additional configs from:

/etc/rsyslog.d/

Example — send all kernel messages to a separate file:

sudo vim /etc/rsyslog.d/kernel.conf

Add:

kern.* /var/log/kernel.log

Save and restart:

sudo systemctl restart rsyslog

Step 8: Log Rotation with logrotate


Logs can grow large over time. logrotate automatically compresses and removes old logs.

Check its configuration:

/etc/logrotate.conf


Additional rules:

/etc/logrotate.d/

Force rotation manually:

sudo logrotate -f /etc/logrotate.conf

To check the last rotation status:

sudo cat /var/lib/logrotate/logrotate.status
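A file you add in Step 7, such as /var/log/kernel.log, is only rotated if a logrotate rule matches it. The script below is an added example (not from the original post) that lists rsyslog file targets with no matching logrotate pattern; the function names and the optional directory argument are made up for illustration, and it assumes legacy "selector action" lines and paths without spaces.

```sh
#!/bin/sh
# Added example: list files rsyslog writes to that no logrotate rule covers.
# Assumes legacy "selector  action" rsyslog lines and paths without spaces.

# Print file targets from rsyslog.conf and rsyslog.d/*.conf under directory $1.
rsyslog_targets() {
    cat "$1"/rsyslog.conf "$1"/rsyslog.d/*.conf 2>/dev/null |
    awk '!/^[ \t]*#/ && NF == 2 && $1 ~ /\./ && $2 ~ /^-?\// {
             sub(/^-/, "", $2); print $2   # leading "-" only disables sync
         }' | sort -u
}

# Print the path patterns that open a block in logrotate.conf and logrotate.d/*.
logrotate_patterns() {
    cat "$1"/logrotate.conf "$1"/logrotate.d/* 2>/dev/null |
    awk 'function emit(s,   n, a, i) {
             n = split(s, a, " ")
             for (i = 1; i <= n; i++) if (a[i] ~ /^\//) print a[i]
         }
         /^[ \t]*#/ { next }
         /[{]/ { if (!inb) { sub(/[{].*/, ""); emit($0) }
                 inb = 1; next }      # lines inside a block are directives
         /^[ \t]*[}]/ { inb = 0; next }
         !inb { emit($0) }'
}

# unrotated_logs [ETC_DIR]: print targets that match no logrotate pattern.
# The body is a subshell so that "set -f" does not leak to the caller.
unrotated_logs() (
    etc=${1:-/etc}
    targets=$(rsyslog_targets "$etc")
    patterns=$(logrotate_patterns "$etc")
    set -f                    # keep globs such as /var/log/httpd/*log literal
    for log in $targets; do
        covered=no
        for pat in $patterns; do
            # case lets "*" cross "/", so this is slightly looser than logrotate
            case $log in $pat) covered=yes; break ;; esac
        done
        [ "$covered" = yes ] || printf '%s\n' "$log"
    done
)
```

Source the file and run unrotated_logs with no argument to check /etc; each path it prints needs its own rule under /etc/logrotate.d/.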



Conclusion


You now know how to view, filter, and manage logs in Oracle Linux using both journalctl and rsyslog.


This skill is crucial for diagnosing problems, maintaining security, and auditing activity.


Next, we’ll finish the series with how to safely update and patch Oracle Linux, ensuring your system stays secure and stable.



 
 
 
