4. Operate Running Systems
Red Hat Certified System Administrator (RHCSA - EX200)
This section is very important for the RHCSA exam. In real IT environments, logs are used to:
- Troubleshoot service failures
- Identify login problems
- Detect security issues
- Investigate system crashes
- Verify whether a service started correctly
As a system administrator, you must know:
- Where logs are stored
- How to read them
- How to filter them
- How to check systemd journals
- How to identify errors inside logs
This topic focuses mainly on rsyslog and systemd journal (journald).
1. What Are Log Files?
A log file is a text file that records system events.
Linux automatically records:
- User logins and logouts
- Service start/stop messages
- Hardware events
- Security messages
- Application errors
These logs help administrators understand what happened on the system.
2. Traditional Log Files Location
Most traditional log files are stored in:
/var/log/
You must remember this directory for the exam.
To list log files:
ls /var/log
3. Important Log Files in /var/log
Below are the most important logs for RHCSA:
3.1 /var/log/messages
- General system messages
- Service start/stop logs
- Non-critical system events
View it:
less /var/log/messages
Search inside less by typing a slash followed by the pattern (press n to jump to the next match):
/sshd
3.2 /var/log/secure
- Authentication logs
- SSH login attempts
- sudo usage
- Failed password attempts
Very important for security troubleshooting.
Example:
less /var/log/secure
To see failed login attempts:
grep "Failed password" /var/log/secure
3.3 /var/log/boot.log
- Boot-time messages
- Services that started during boot
View:
less /var/log/boot.log
3.4 /var/log/dmesg
- Kernel ring buffer messages captured at boot
- Hardware-related logs
View:
less /var/log/dmesg
Or:
dmesg
Not every RHEL release creates /var/log/dmesg; if the file is missing, the dmesg command (or journalctl -k) reads the kernel ring buffer directly.
4. Understanding Log File Format
A typical log line looks like:
Jun 10 10:15:32 server1 sshd[1234]: Failed password for root from 192.168.1.10
Breakdown:
| Part | Meaning |
|---|---|
| Jun 10 10:15:32 | Date and time (the traditional format carries no year) |
| server1 | Hostname |
| sshd | Service (program) name |
| [1234] | Process ID |
| Failed password for root from 192.168.1.10 | The message itself (the actual event) |
For RHCSA, you must be able to:
- Identify the service name
- Identify whether it is an error
- Understand what happened
5. Log Levels (Severity Levels)
Every message carries a syslog severity. Listed from least to most severe, with the numeric code used by syslog and journald (a lower number means more severe):
| Level | Code | Meaning |
|---|---|---|
| debug | 7 | Debugging info |
| info | 6 | General information |
| notice | 5 | Normal but significant |
| warning | 4 | Something unusual |
| err | 3 | Error occurred |
| crit | 2 | Critical issue |
| alert | 1 | Immediate action needed |
| emerg | 0 | System unusable |
These levels let you filter logs: a filter at a given level shows that level and everything more severe.
6. rsyslog Service
Traditional logging service in RHEL is:
rsyslog
Check status:
systemctl status rsyslog
Configuration file:
/etc/rsyslog.conf
Additional configs:
/etc/rsyslog.d/
In RHCSA, you are not deeply tested on rsyslog configuration, but you should know:
- It manages plain-text log file storage
- It writes logs into /var/log/ (for example /var/log/messages and /var/log/secure)
7. systemd Journal (journald)
Modern RHEL systems use:
systemd-journald
This stores logs in an indexed binary format, so the files cannot be read with cat or less.
To view journal logs, use:
journalctl
This is extremely important for the exam.
8. Basic journalctl Usage
8.1 View All Logs
journalctl
8.2 View Recent Logs
journalctl -n 20
Last 20 entries.
8.3 Follow Logs in Real Time
journalctl -f
Similar to:
tail -f /var/log/messages
8.4 Show Logs for a Specific Service
Example for ssh:
journalctl -u sshd
This is commonly tested.
8.5 Show Logs Since Boot
journalctl -b
Previous boot:
journalctl -b -1
Very important for troubleshooting boot issues.
8.6 Filter by Time
Since today:
journalctl --since today
Since specific time:
journalctl --since "2026-03-03 10:00:00"
Between times:
journalctl --since "10:00" --until "11:00"
8.7 Filter by Priority Level
The -p option is a threshold: it shows the given level and everything more severe.
Errors and worse (err, crit, alert, emerg):
journalctl -p err
Warnings and worse:
journalctl -p warning
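The threshold behaviour of -p is easy to get wrong under exam pressure. The script below is an added example, not part of the course notes: it reproduces the semantics of journalctl -p in plain shell over a constructed set of log lines (messages, PIDs and addresses are made up), so you can see exactly which entries "-p err" keeps and which it drops.

```shell
#!/usr/bin/env bash
# Added example, not part of the course notes: reproduce the threshold
# semantics of journalctl -p over constructed log lines, to show that
# "-p err" means "err and everything more severe", not "err only".
#
# Constructed sample: "<priority> <message>", one entry per severity level.
SAMPLE_LOG='debug sshd[1234]: debug1: Reading configuration data /etc/ssh/sshd_config
info sshd[1234]: Server listening on 0.0.0.0 port 22.
notice systemd[1]: Started OpenSSH server daemon.
warning sshd[1300]: Failed password for root from 192.168.1.10 port 51022 ssh2
err httpd[1400]: (98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
crit kernel: EXT4-fs error (device sda1): unable to read inode block
alert kernel: Out of memory: Killed process 1500 (java)
emerg kernel: Kernel panic - not syncing: Fatal exception'

# prio_num <level>: syslog numeric code, 0 = most severe ... 7 = least severe.
prio_num() {
  case "$1" in
    emerg) echo 0 ;; alert) echo 1 ;; crit) echo 2 ;; err) echo 3 ;;
    warning) echo 4 ;; notice) echo 5 ;; info) echo 6 ;; debug) echo 7 ;;
    *) echo "unknown priority: $1" >&2; return 1 ;;
  esac
}

# filter_priority <level>: pass through stdin lines whose priority code is
# <= code(<level>), which is exactly what "journalctl -p <level>" shows.
filter_priority() {
  local max code level rest
  max=$(prio_num "$1") || return 1
  while IFS=' ' read -r level rest; do
    code=$(prio_num "$level") || return 1
    if [ "$code" -le "$max" ]; then
      printf '%s %s\n' "$level" "$rest"
    fi
  done
}

# count_at_or_above <level>: number of sample entries "journalctl -p <level>"
# would display.
count_at_or_above() {
  printf '%s\n' "$SAMPLE_LOG" | filter_priority "$1" | wc -l | tr -d ' '
}

# Demo: only the four most severe entries survive a "-p err" filter.
printf '%s\n' "$SAMPLE_LOG" | filter_priority err
```

Run it and compare with the table in section 5: "-p err" keeps four of the eight entries, "-p warning" keeps five, and "-p debug" keeps all of them.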
8.8 Show Logs for a Specific User
Filter on the journal's _UID field (look up a user's UID with id -u username):
journalctl _UID=1000
8.9 Kernel Logs Only
journalctl -k
Same as:
dmesg
9. Persistent vs Volatile Journal Storage
Where journald writes is controlled by the Storage= setting in /etc/systemd/journald.conf. The default, Storage=auto, uses /var/log/journal/ only if that directory already exists; otherwise the journal lives in:
/run/log/journal/
This is volatile (lost after reboot).
To make logs persistent:
Create directory:
mkdir /var/log/journal
Restart journald:
systemctl restart systemd-journald
Now logs are stored in:
/var/log/journal/
Setting Storage=persistent in journald.conf and restarting journald has the same effect and creates the directory for you.
For the exam:
- Know the difference between volatile and persistent logging, and how to switch to persistent storage.
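Added example, not part of the course notes: a small shell script that first predicts which storage mode journald will use from the Storage= setting (following systemd's documented semantics: auto is the default and is persistent only when /var/log/journal exists) and then performs the persistent setup as root. The config path and journal directory are parameters so the check can be run against a copy of the file and a scratch directory without touching the live system; the systemd-tmpfiles step is Red Hat's documented way to apply the directory's ownership and ACLs.

```shell
#!/usr/bin/env bash
# Added example, not part of the course notes.
# Storage= semantics from journald.conf(5):
#   volatile    keep logs only in /run/log/journal
#   persistent  write to /var/log/journal, creating it if needed
#   auto        (default when unset) persistent only if /var/log/journal exists
#   none        discard everything
# Drop-ins under /etc/systemd/journald.conf.d/ are not consulted here; on a
# real host check them too.

# effective_journal_storage <journald.conf> <journal dir>
# Prints "persistent", "volatile" or "none". Both paths are parameters so the
# function can be exercised against a copy of the config and a scratch dir.
effective_journal_storage() {
  local conf="$1" dir="$2" mode="auto" v
  if [ -r "$conf" ]; then
    # last uncommented Storage= line wins; commented "#Storage=auto" is ignored
    v=$(sed -n 's/^[[:space:]]*Storage[[:space:]]*=[[:space:]]*\([a-z]*\).*/\1/p' "$conf" | tail -n1)
    if [ -n "$v" ]; then
      mode="$v"
    fi
  fi
  case "$mode" in
    persistent) echo persistent ;;
    volatile)   echo volatile ;;
    none)       echo none ;;
    auto)       if [ -d "$dir" ]; then echo persistent; else echo volatile; fi ;;
    *)          echo "unsupported Storage=$mode" >&2; return 1 ;;
  esac
}

# make_journal_persistent: the exam procedure. Requires root. The tmpfiles
# step applies the ownership and ACLs from /usr/lib/tmpfiles.d/systemd.conf so
# members of the systemd-journal group can read the persistent journal.
make_journal_persistent() {
  if [ "$(id -u)" -ne 0 ]; then
    echo "run as root" >&2
    return 1
  fi
  mkdir -p /var/log/journal
  systemd-tmpfiles --create --prefix /var/log/journal
  systemctl restart systemd-journald
  journalctl --disk-usage   # should now report usage under /var/log/journal
}

# Demo against the live system (read-only): what mode is in effect right now?
effective_journal_storage /etc/systemd/journald.conf /var/log/journal
```

Running the read-only check before and after the procedure is a quick way to confirm the change took effect; journalctl --disk-usage confirms journald is actually writing to the new location.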
10. Practical Troubleshooting Scenarios (Exam-Oriented)
You may face tasks like:
Scenario 1:
A service is not starting.
Solution:
systemctl status httpd
journalctl -u httpd
Look for:
- Permission denied
- Port already in use
- Configuration error
Scenario 2:
User cannot login via SSH.
Solution:
journalctl -u sshd
Or:
grep sshd /var/log/secure
Look for:
- Failed password
- Account locked
- SELinux denial
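The following is an added example, not from the course notes, that ties sections 3.2, 4 and this scenario together: a shell parser for the traditional syslog line format, followed by the failed-login summaries (per source address and per user) an administrator would actually produce from /var/log/secure. The input is a constructed sample in the same format; hostnames, PIDs and IP addresses are made up.

```shell
#!/usr/bin/env bash
# Added example, not part of the course notes: parse lines in the
# traditional syslog format (section 4) as rsyslog writes them to
# /var/log/secure, then summarise failed SSH logins the way an admin
# would when working scenario 2.
#
# Constructed sample of /var/log/secure content (hosts, PIDs and
# addresses are made up).
SECURE_LOG='Jun 10 10:15:32 server1 sshd[1234]: Failed password for root from 192.168.1.10 port 51022 ssh2
Jun 10 10:15:35 server1 sshd[1234]: Failed password for root from 192.168.1.10 port 51023 ssh2
Jun 10 10:15:40 server1 sshd[1240]: Failed password for invalid user admin from 10.0.0.7 port 40010 ssh2
Jun 10 10:16:01 server1 sshd[1250]: Accepted publickey for alice from 192.168.1.20 port 52000 ssh2
Jun 10 10:16:05 server1 sudo[1260]:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart httpd
Jun 10 10:16:30 server1 sshd[1270]: Failed password for bob from 192.168.1.10 port 51030 ssh2'

# parse_syslog_line: stdin -> tab-separated "timestamp host program pid message".
# Timestamp is fields 1-3, host is field 4, the "prog[pid]:" tag is field 5,
# and the message is whatever follows the tag (leading blanks stripped).
parse_syslog_line() {
  awk '{
    ts = $1 " " $2 " " $3; host = $4; tag = $5
    sub(/:$/, "", tag)
    prog = tag; pid = "-"
    if (match(tag, /\[[0-9]+\]$/)) {
      pid  = substr(tag, RSTART + 1, RLENGTH - 2)
      prog = substr(tag, 1, RSTART - 1)
    }
    msg = substr($0, index($0, $5) + length($5))
    sub(/^[ \t]+/, "", msg)
    printf "%s\t%s\t%s\t%s\t%s\n", ts, host, prog, pid, msg
  }'
}

# failed_ssh_by_ip: stdin -> "<count> <source ip>" per line, most frequent first.
# Only sshd "Failed password" events count; the "invalid user" variant is
# handled because the address is always the word after "from".
failed_ssh_by_ip() {
  parse_syslog_line | awk -F'\t' '
    $3 == "sshd" && $5 ~ /^Failed password for / {
      n = split($5, w, " ")
      for (i = 1; i < n; i++) if (w[i] == "from") hits[w[i + 1]]++
    }
    END { for (ip in hits) print hits[ip], ip }' | sort -k1,1nr -k2,2
}

# failed_ssh_by_user: stdin -> "<count> <user>" per line; accounts that do not
# exist are tagged "(invalid)" so guessing against non-existent users stands out.
failed_ssh_by_user() {
  parse_syslog_line | awk -F'\t' '
    $3 == "sshd" && $5 ~ /^Failed password for / {
      split($5, w, " ")
      if (w[4] == "invalid") hits[w[6] " (invalid)"]++; else hits[w[4]]++
    }
    END { for (u in hits) print hits[u], u }' | sort -k1,1nr -k2,2
}

# failed_ssh_count: like grep -c "Failed password" /var/log/secure, but
# restricted to records written by sshd.
failed_ssh_count() {
  parse_syslog_line | awk -F'\t' '$3 == "sshd" && $5 ~ /^Failed password/ { n++ } END { print n + 0 }'
}

# Run against the constructed sample:
printf '%s\n' "$SECURE_LOG" | failed_ssh_by_ip
printf '%s\n' "$SECURE_LOG" | failed_ssh_by_user
```

On a real host, replace the constructed sample with `sudo cat /var/log/secure | failed_ssh_by_ip`; the sudo record in the sample shows why the parser keys on the program field rather than on a bare grep, since sudo lines also mention users and root.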
Scenario 3:
System boot problem.
Solution:
journalctl -b
Or previous boot:
journalctl -b -1
11. Useful Log Viewing Commands
These commands are also important:
View file page by page:
less filename
Search:
grep "error" filename
Real-time view:
tail -f filename
Count occurrences:
grep -c "Failed" /var/log/secure
12. Exam Tips for RHCSA
For this section, make sure you can:
- Locate log files in /var/log/
- Use journalctl correctly
- Filter by service
- Filter by time
- Filter by priority
- View previous boot logs
- Identify login failures
- Identify service start failures
- Understand basic log message format
13. Difference Between rsyslog and journald
| Feature | rsyslog | journald |
|---|---|---|
| Format | Plain text | Binary |
| Location | /var/log/* | /run/log/journal or /var/log/journal |
| Tool | cat, less | journalctl |
| Present on RHEL by default | Yes | Yes |
In RHEL the two work together:
- journald collects every message first (from the kernel, systemd units, service stdout/stderr and the syslog socket)
- rsyslog reads from the journal and writes selected messages to plain-text files under /var/log/
14. Commands You Must Practice
Practice these until comfortable:
journalctl
journalctl -u sshd
journalctl -b
journalctl -b -1
journalctl -p err
journalctl --since today
journalctl -f
grep Failed /var/log/secure
less /var/log/messages
Final Summary
To pass this RHCSA section, you must:
- Understand where logs are stored
- Read and interpret log messages
- Use journalctl effectively
- Identify authentication failures
- Identify service errors
- Investigate boot problems
- Filter logs correctly
Logging is one of the most important skills of a Linux system administrator.
If a service fails or a user reports a problem, the first place to check is the logs.
