On RHEL 7/8, CentOS 7/8 and even Ubuntu (??), the journal log data is by default stored only in memory (in the /run/log/journal/ directory), so it does not survive a reboot.

There are two ways to retain the journal log messages. The first is to set the Storage option to persistent in /etc/systemd/journald.conf:

[Journal]
Storage=persistent

Then restart the systemd-journald service.

Another solution is simpler, and it looks like it’s the recommended way of achieving this. All we have to do is create a directory, /var/log/journal (with the correct ownership and permissions), and journald will automatically store the log messages there.

There are two ways to do this. The first is the one you might want to use if you’re asked to do this in a RHEL exam, as it’s actually taught in an official Red Hat course (RH342).

# mkdir /var/log/journal
# chown root:systemd-journal /var/log/journal
# chmod 2755 /var/log/journal

After the log directory is created, we need to tell journald to use the new location. We can restart the machine or restart the systemd-journald service. However, if we’re asked to retain the log messages currently held in memory, we should send a USR1 signal to systemd-journald instead.

# killall -USR1 systemd-journald

Here is another command which does exactly the same thing as the one above, but I personally find it a bit easier to remember:

# killall -s SIGUSR1 systemd-journald

Now, you can check and verify that journald log messages have been moved from /run/log/journal to /var/log/journal. And you’re done.

Alright, and here is a better way to create the /var/log/journal/ directory in my opinion.

# mkdir /var/log/journal
# systemd-tmpfiles --create --prefix /var/log/journal
# killall -s SIGUSR1 systemd-journald

The main difference between using systemd-tmpfiles and manually setting the ownership and permission on the /var/log/journal directory is that the ACL also gets set correctly on the directory.

# getfacl /var/log/journal/
getfacl: Removing leading '/' from absolute path names
# file: var/log/journal/
# owner: root
# group: systemd-journal
# flags: -s-
user::rwx
group::r-x
group:adm:r-x
group:wheel:r-x
mask::r-x
other::r-x
default:user::rwx
default:group::r-x
default:group:adm:r-x
default:group:wheel:r-x
default:mask::r-x
default:other::r-x

Having said that, I’d still stick to manually setting the directory ownership (root:systemd-journal) and permission (2755) if this task comes up in an RHEL-based exam, just to be safe.
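
Both approaches work because journald's default Storage value is auto, which writes to /var/log/journal only when that directory exists. The script below is an added example, not part of the original post: it reads the Storage setting and checks the directory to report whether logs will persist. The function names are hypothetical, and it assumes only the main journald.conf is parsed (no drop-in files).

```shell
#!/bin/sh
# Added example (not from the original post). Assumption: only the main
# journald.conf is parsed; drop-ins under journald.conf.d/ are not merged.

# Print the effective Storage= value from the [Journal] section of file $1.
# journald's built-in default is "auto" when the key is unset or commented out.
journal_storage_mode() {
    [ -r "$1" ] || { echo auto; return 0; }
    awk '
        /^[ \t]*[#;]/ { next }    # comment lines
        /^[ \t]*\[/   { in_j = ($0 ~ /^[ \t]*\[Journal\][ \t]*$/); next }
        in_j && /^[ \t]*Storage[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); mode = $0
        }
        END { print (mode == "" ? "auto" : mode) }
    ' "$1"
}

# Exit 0 if, under config $1, a journal at directory $2 survives a reboot.
journal_is_persistent() {
    case "$(journal_storage_mode "$1")" in
        persistent) return 0 ;;     # journald creates the directory itself
        auto)       [ -d "$2" ] ;;  # persistent only once the directory exists
        *)          return 1 ;;     # volatile or none
    esac
}

# Exit 0 if directory $1 has the ownership and mode from the post (GNU stat).
journal_dir_perms_ok() {
    [ "$(stat -c '%a %U:%G' "$1" 2>/dev/null)" = "2755 root:systemd-journal" ]
}

# Constructed sample: a stock-style config with Storage left commented out.
demo=$(mktemp -d)
printf '[Journal]\n#Storage=auto\n' > "$demo/journald.conf"
journal_is_persistent "$demo/journald.conf" "$demo/journal" || echo "no directory: volatile"
mkdir "$demo/journal"
journal_is_persistent "$demo/journald.conf" "$demo/journal" && echo "directory exists: persistent"
journal_dir_perms_ok "$demo/journal" || echo "mode/ownership differ from 2755 root:systemd-journal"
rm -rf "$demo"
```

On a real host, call the functions with /etc/systemd/journald.conf and /var/log/journal instead of the constructed sample paths.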

Disclaimer: I haven’t taken the EX342 exam yet at the time of this blog post.
