How to enable persistent logging for the systemd journal

Resolution

• There are two methods to enable persistent systemd journal logs in /var/log/journal.

Method 1

• Create the directory journal using the below command:

  # mkdir -p /var/log/journal
  

• Once the above directory is created the system will automatically start storing the logs at /var/log/journal once any loggable event is encountered in RHEL 7 & RHEL 8.

• After that run the below command only in RHEL 9 and RHEL 10:

  # journalctl --flush
  

Method 2

Step 1. Edit Journald configuration

• For RHEL 9 and below set the Storage parameter equals to persistent in /etc/systemd/journald.conf:

  # sed -i 's/#Storage=auto/Storage=persistent/' /etc/systemd/journald.conf
  

• In RHEL 10, location of main configuration files is changed to /usr/lib/systemd/ folder. Still in /etc/systemd/ folder override configurations can be placed like this.

  # cat /etc/systemd/journald.conf
  [Journal]
  Storage=persistent
  

• With the storage option persistent, data will be stored preferably on disk, i.e. below the /var/log/journal hierarchy (which is created if needed), with a fallback to /run/log/journal (which is created if needed), during early boot and if the disk is not writable.

Step 2 Varies depending on the RHEL version:

• On RHEL 7 & 8, restart the systemd-journald.service:

  # systemctl restart systemd-journald.service
  

• On RHEL 9 and RHEL 10:

  # systemctl restart systemd-journald.service
  # journalctl --flush
  

• Note: In RHEL 9, journalctl --flush is required after restarting the systemd-journald.service. This makes the journal work nicer with systems which have the root file system writable early, but still need to rearrange /var before journald should start writing and creating files to it, for example because ACLs need to be applied first, or because /var is to be mounted from another file system, NFS or tmpfs.

Additional Information

• You may decide if you need to keep or remove the rsyslog package installed on the system at this point, depending on your requirements.

• See man journalctl for more information on querying the journal database for specific logs.

• How to rotate systemd-journald log under /var/log/journal// or /run/log/journal//?

• Journal have capability to forward logs too. Refer to How to configure systemd journal remote logging