What’s new in RHEL7: The Journal

Applications and daemons on Linux either send their logs to syslog or write directly to their own log files (Apache does the latter). For years, the various syslog implementations (rsyslog, syslog-ng, sysklogd) were the only logging service. In RHEL7, with the arrival of Systemd, there is a new logging service that is part of Systemd: the Journal, whose daemon is journald. Rsyslog and the Journal co-exist in RHEL7, and each can forward messages to the other.

The Journal is:

If you are wondering what the journal is, here’s an explanation in a few words to get you up to speed: the journal is a component of systemd that captures Syslog messages, Kernel log messages, initial RAM disk and early boot messages as well as messages written to STDOUT/STDERR of all services, indexes them and makes this available to the user. It can be used in parallel, or in place of a traditional syslog daemon, such as rsyslog or syslog-ng. For more information, see the initial announcement.

Syslog stores messages from applications in text files exactly as they were sent. If an application is compromised and the attacker crafts the message, syslog stores the crafted text as is. The Journal attaches metadata about the sending process (_PID, _UID and the other underscore-prefixed "trusted" fields, which journald determines itself rather than taking from the message) to each incoming message and stores the result in a binary format. Therefore you can always trust those fields in the Journal, even when the message text itself came from a compromised sender. The Journal log is also structured (stored as key-value pairs) and indexed, which makes searching and filtering fast. You view syslog messages with traditional Unix utilities such as cat and less; to view Journal logs, you need a utility called journalctl.
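As an added illustration (not code from the original post), the following Python script reads the JSON export produced by "journalctl -o json" and compares the sender-supplied SYSLOG_PID and SYSLOG_IDENTIFIER fields against the trusted, underscore-prefixed fields that journald records itself. The two journal entries embedded in it are constructed sample data; the field names are the real journal field names.

```python
import json

# Fields journald adds itself from the sender's socket credentials and /proc;
# a logging process cannot set them, hence the leading underscore.
TRUSTED = ("_PID", "_UID", "_GID", "_COMM", "_EXE", "_SYSTEMD_UNIT")

# Constructed sample of `journalctl -o json` output (not from a real host).
# Entry 1 claims to be sshd, but journald recorded an unprivileged python process.
SAMPLE_EXPORT = "\n".join([
    '{"_PID":"1234","_UID":"0","_COMM":"sshd","_EXE":"/usr/sbin/sshd",'
    '"SYSLOG_IDENTIFIER":"sshd","SYSLOG_PID":"1234","MESSAGE":"Accepted publickey for alice"}',
    '{"_PID":"4321","_UID":"1000","_COMM":"python","_EXE":"/usr/bin/python",'
    '"SYSLOG_IDENTIFIER":"sshd","SYSLOG_PID":"1234","MESSAGE":"Accepted password for root"}',
])

def parse_export(text):
    """Parse journal JSON export: one JSON object per line, all values are strings."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def trusted_identity(entry):
    """The sender identity journald vouches for, independent of the message text."""
    return {k: entry[k] for k in TRUSTED if k in entry}

def audit_entry(entry):
    """Compare what the sender claimed (SYSLOG_*) against the trusted fields."""
    findings = []
    claimed_pid = entry.get("SYSLOG_PID")
    if claimed_pid is not None and claimed_pid != entry.get("_PID"):
        findings.append("SYSLOG_PID %s != _PID %s" % (claimed_pid, entry.get("_PID")))
    ident = entry.get("SYSLOG_IDENTIFIER")
    comm = entry.get("_COMM")
    # Mismatches here are normal for wrappers such as logger(1); judge them with _EXE/_UID.
    if ident is not None and comm is not None and ident != comm:
        findings.append("SYSLOG_IDENTIFIER %s != _COMM %s" % (ident, comm))
    return findings

def audit(text):
    """Return (entry index, trusted identity, findings) for entries whose claims disagree."""
    report = []
    for i, entry in enumerate(parse_export(text)):
        findings = audit_entry(entry)
        if findings:
            report.append((i, trusted_identity(entry), findings))
    return report

if __name__ == "__main__":
    import sys
    # Pipe `journalctl -o json` into this script; with no input it audits the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_EXPORT
    for i, ident, findings in audit(text):
        print("entry %d: %s -> %s" % (i, ident, "; ".join(findings)))
```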

When you run “systemctl status service-name”, you see a couple of lines of log output for the service. These come from the Journal.

To learn more about Journal:
