Why is the /var/log directory missing logs in my EC2 Amazon Linux 2023 instance?

Resolution

The rsyslog service maintains various log files in the /var/log directory. Amazon Linux 2 keeps this service for backward compatibility. By default, the rsyslog service isn't installed in Amazon Linux 2023. So, the corresponding files in the /var/log directory, such as /var/log/messages, are also not available in Amazon Linux 2023.

The default service manager in Amazon Linux 2 and Amazon Linux 2023 is systemd, which uses systemd-journald to create logs.

How to query systemd-journald

Unlike rsyslog, the systemd-journald service doesn't record information into files, such as messages, secure, maillog, and spooler. Instead, systemd-journald stores system information in /var/log/journal.

To query the journal, run the journalctl command. The following are examples of common queries:

Check all logs

$ journalctl

Check logs in reverse order

$ journalctl -r

Check logs for a specified time duration

To check logs within the last 10 minutes, run the following command:

$ journalctl --since -10min

To check logs between a specific timestamp, run the following command:

$ journalctl --since "2023-06-21 10:50:00" --until "2023-06-21 11:00:00"

Check logs that are specific to a service

$ journalctl -u sshd

Check logs based on log level of messages, including emerg, alert, crit, err

$ journalctl -p err

Turn on log files in the /var/log/ directory on Amazon Linux 2023

To install the rsyslog package on Amazon Linux 2023 and start the service, run the following commands:

# dnf install rsyslog
# systemctl enable rsyslog --now

To validate that the logs are written to the messages files, run the following test:

# logger test_line  
# grep "test_line" /var/log/messages
Jun 22 08:06:08 localhost root[1771]: test_line