Linux command – journalctl

Traditional Linux log files fall into two categories: kernel logs (klogd) and system logs (syslogd). See http://benjr.tw/22756

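  • Kernel log (klogd)
    Mainly stores messages from system boot and from communication between the kernel and hardware. The kernel log is kept in /var/log/dmesg, or can be viewed with the dmesg command.
  • System log (syslogd); the newer version is rsyslog – http://benjr.tw/34103
    After boot, messages are stored according to the configuration file /etc/syslog.conf; most of them go to /var/log/messages.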

Linux distributions that use systemd record system logs through systemd's own systemd-journald (view them with the journalctl command).

[root@localhost ~]# pstree | grep -i system
systemd-+-ModemManager---2*[{ModemManager}]
        |-systemd-journal
        |-systemd-logind
        |-systemd-udevd

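journalctl is one of systemd's components and is mainly responsible for managing log files. Running journalctl with no arguments gives a result equivalent to searching the data in /var/log/. journalctl also shows lines at error level or higher in red, and lines at notice and warning level in bold.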

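However, journalctl's log files are stored in /run/log/journal (the /run directory is held in memory) and disappear at the next boot. You still need rsyslog (http://benjr.tw/34103) to keep long-term system logs, together with logrotate to prevent the log files from growing too large.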

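Commonly used options

  • -k, --dmesg
    Show only kernel messages.
  • -b, --boot
    By default only the current boot is visible (journalctl's log files are held in memory). To keep them, edit the configuration file /etc/systemd/journald.conf; the storage path is /var/log/journal.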

    [root@localhost ~]# mkdir -p /var/log/journal
    [root@localhost ~]# vi /etc/systemd/journald.conf
    . . .
    [Journal]
    Storage=persistent
    
    [root@localhost ~]# systemctl restart systemd-journald
    [root@localhost ~]# systemctl status systemd-journald
    ● systemd-journald.service - Journal Service
       Loaded: loaded (/usr/lib/systemd/system/systemd-journald.service; static; vendor preset: disabled)
       Active: active (running) since Fri 2020-06-12 23:44:27 CST; 6s ago
         Docs: man:systemd-journald.service(8)
               man:journald.conf(5)
     Main PID: 2663 (systemd-journal)
       Status: "Processing requests..."
        Tasks: 1 (limit: 23794)
       Memory: 1.5M
       CGroup: /system.slice/systemd-journald.service
               └─2663 /usr/lib/systemd/systemd-journald
    
    Jun 12 23:44:27 localhost.localdomain systemd-journald[2663]: Journal started
    Jun 12 23:44:27 localhost.localdomain systemd-journald[2663]: System journal (/var/log/journal/c23f044e27314d09a>
    [root@localhost ~]# reboot
    Connection to 192.168.111.183 closed by remote host.
    Connection to 192.168.111.183 closed.
    
    Ben@Ben10 ~ % ssh root@192.168.111.183
    root@192.168.111.183's password: 
    Activate the web console with: systemctl enable --now cockpit.socket
    
    Last login: Fri Jun 12 23:43:19 2020 from 192.168.111.1
    [root@localhost ~]# journalctl --list-boots
    -1 cc6587f1266b4659860b571bac5edcbf Fri 2020-06-12 23:41:48 CST—Fri 2020-06-12 23:44:47 CST
     0 0e90e0f98fd94c5197d75423330e2db1 Fri 2020-06-12 23:45:15 CST—Fri 2020-06-12 23:45:38 CST
    [root@localhost ~]# ll /var/log/journal
    total 0
    drwxr-sr-x+ 2 root systemd-journal 28 Jun 12 23:43 c23f044e27314d09a5df7644acdd0cac
    [root@localhost ~]# 
    

    The journalctl --list-boots output above shows each boot's ID and offset, so we can use -b [ID][+-offset] to view the log of a particular boot.
    -1 is the previous boot's log, -2 is the boot before that, and so on.

    [root@localhost ~]# journalctl -b -1
    

    or

    [root@localhost ~]# journalctl -b cc6587f1266b4659860b571bac5edcbf
    
  • -u, --unit
    Show messages for the specified systemd unit UNIT
    To see a service's status messages you used to have to look at syslog or the corresponding log under /var/log/. Since the move to systemd, systemctl status shows the current state of a service.

    root@ubuntu:~# systemctl status ssh
    ● ssh.service - OpenBSD Secure Shell server
       Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enab
       Active: active (running) since Wed 2017-04-26 00:11:39 PDT; 27min ago
      Process: 2269 ExecReload=/bin/kill -HUP $MAINPID (code=exited, status=0/SUCCES
     Main PID: 932 (sshd)
        Tasks: 1
       Memory: 2.9M
          CPU: 133ms
       CGroup: /system.slice/ssh.service
               └─932 /usr/sbin/sshd -D
    
    Apr 26 00:20:02 ubuntu systemd[1]: Reloading OpenBSD Secure Shell server.
    Apr 26 00:20:02 ubuntu sshd[932]: Received SIGHUP; restarting.
    Apr 26 00:20:02 ubuntu systemd[1]: Reloaded OpenBSD Secure Shell server.
    Apr 26 00:20:02 ubuntu sshd[932]: Server listening on 0.0.0.0 port 22.
    Apr 26 00:20:02 ubuntu sshd[932]: Server listening on :: port 22.
    Apr 26 00:20:03 ubuntu systemd[1]: Reloading OpenBSD Secure Shell server.
    Apr 26 00:20:03 ubuntu sshd[932]: Received SIGHUP; restarting.
    Apr 26 00:20:03 ubuntu systemd[1]: Reloaded OpenBSD Secure Shell server.
    Apr 26 00:20:03 ubuntu sshd[932]: Server listening on 0.0.0.0 port 22.
    Apr 26 00:20:03 ubuntu sshd[932]: Server listening on :: port 22.
    

    That shows only the most recent entries, though. For the complete messages use journalctl -u.
    -u : --unit , Show messages for the specified systemd unit UNIT

    root@ubuntu:~# journalctl -u ssh
    -- Logs begin at Wed 2017-04-26 00:11:34 PDT, end at Wed 2017-04-26 00:45:04 PDT
    Apr 26 00:11:39 ubuntu systemd[1]: Starting OpenBSD Secure Shell server...
    Apr 26 00:11:39 ubuntu sshd[932]: Server listening on 0.0.0.0 port 22.
    Apr 26 00:11:39 ubuntu sshd[932]: Server listening on :: port 22.
    Apr 26 00:11:39 ubuntu systemd[1]: Started OpenBSD Secure Shell server.
    Apr 26 00:11:41 ubuntu systemd[1]: Reloading OpenBSD Secure Shell server.
    Apr 26 00:11:41 ubuntu sshd[932]: Received SIGHUP; restarting.
    Apr 26 00:11:41 ubuntu systemd[1]: Reloaded OpenBSD Secure Shell server.
    Apr 26 00:11:41 ubuntu sshd[932]: Server listening on 0.0.0.0 port 22.
    Apr 26 00:11:41 ubuntu sshd[932]: Server listening on :: port 22.
    Apr 26 00:11:42 ubuntu systemd[1]: Reloading OpenBSD Secure Shell server.
    Apr 26 00:11:42 ubuntu sshd[932]: Received SIGHUP; restarting.
    Apr 26 00:11:42 ubuntu systemd[1]: Reloaded OpenBSD Secure Shell server.
    Apr 26 00:11:42 ubuntu sshd[932]: Server listening on 0.0.0.0 port 22.
    Apr 26 00:11:42 ubuntu sshd[932]: Server listening on :: port 22.
    Apr 26 00:11:43 ubuntu systemd[1]: Reloading OpenBSD Secure Shell server.
    Apr 26 00:11:43 ubuntu sshd[932]: Received SIGHUP; restarting.
    Apr 26 00:11:43 ubuntu systemd[1]: Reloaded OpenBSD Secure Shell server.
    Apr 26 00:11:43 ubuntu sshd[932]: Server listening on 0.0.0.0 port 22.
    Apr 26 00:11:43 ubuntu sshd[932]: Server listening on :: port 22.
    Apr 26 00:11:49 ubuntu sshd[1715]: Accepted password for ben from 172.16.15.1 po
    Apr 26 00:11:49 ubuntu sshd[1715]: pam_unix(sshd:session): session opened for us
    Apr 26 00:20:02 ubuntu systemd[1]: Reloading OpenBSD Secure Shell server.
    lines 1-23
    
  • -f, --follow
    Use this option to keep watching the log as new entries arrive, like tail -f.

    [root@localhost ~]# journalctl -u sshd -f 
    -- Logs begin at Fri 2020-06-12 15:36:36 CST. --
    Jul 22 15:35:57 localhost.localdomain sshd[2857]: Accepted password for root from 192.168.111.1 port 51489 ssh2
    Jul 22 15:35:57 localhost.localdomain sshd[2857]: pam_unix(sshd:session): session opened for user root by (uid=0)
    Jul 22 17:15:36 localhost.localdomain systemd[1]: Stopping OpenSSH server daemon...
    Jul 22 17:15:36 localhost.localdomain systemd[1]: Stopped OpenSSH server daemon.
    -- Reboot --
    Aug 05 09:55:17 localhost.localdomain systemd[1]: Starting OpenSSH server daemon...
    Aug 05 09:55:17 localhost.localdomain sshd[968]: Server listening on 0.0.0.0 port 22.
    Aug 05 09:55:17 localhost.localdomain systemd[1]: Started OpenSSH server daemon.
    Aug 05 09:55:17 localhost.localdomain sshd[968]: Server listening on :: port 22.
    Aug 05 10:06:07 localhost.localdomain sshd[3289]: Accepted password for root from 192.168.111.1 port 51905 ssh2
    Aug 05 10:06:07 localhost.localdomain sshd[3289]: pam_unix(sshd:session): session opened for user root by (uid=0)
    
  • -p, --priority=
    Filter output by message priorities or priority ranges (numeric/text): "emerg" (0), "alert" (1), "crit" (2), "err" (3), "warning" (4), "notice" (5), "info" (6), "debug" (7).
    Use journalctl to show entries at priority "err" (3) and above, which includes "emerg" (0), "alert" (1) and "crit" (2).

    [root@localhost ~]# journalctl -p 3
    -- Logs begin at 三 2018-06-13 22:05:06 EDT, end at 三 2018-06-13 22:08:39 EDT. --
     6月 13 22:05:07 localhost.localdomain kernel: sd 0:0:0:0: [sda] Assuming drive cache: write through
     6月 13 22:05:10 localhost.localdomain kernel: piix4_smbus 0000:00:07.3: SMBus Host Controller not enabled!
     6月 13 22:05:17 localhost.localdomain systemd[1]: Failed to start Crash recovery kernel arming.
     6月 13 22:05:22 localhost.localdomain pulseaudio[1625]: [alsa-sink-ES1371/1] alsa-sink.c: ALSA woke us up to write new data to the device, but there was actually nothing to write.
     6月 13 22:05:22 localhost.localdomain pulseaudio[1625]: [alsa-sink-ES1371/1] alsa-sink.c: Most likely this is a bug in the ALSA driver 'snd_ens1371'. Please report this issue to the ALSA developers.
     6月 13 22:05:22 localhost.localdomain pulseaudio[1625]: [alsa-sink-ES1371/1] alsa-sink.c: We were woken up with POLLOUT set -- however a subsequent snd_pcm_avail() returned 0 or another value < min_avail.
     6月 13 22:05:25 localhost.localdomain spice-vdagent[1688]: Cannot access vdagent virtio channel /dev/virtio-ports/com.redhat.spice.0
    

    The following commands are equivalent.

    [root@localhost ~]# journalctl -p err
    [root@localhost ~]# journalctl --priority=3
    [root@localhost ~]# journalctl --priority=err
    
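  • -S, --since=, -U, --until=
    These options select entries by time. The format is 2012-10-30 18:17:16 (the time defaults to 00:00:00 when omitted), or one of the strings yesterday, today, tomorrow. A prefix of - (a time before the current time) or + (a time after the current time) can be added.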

    [root@localhost ~]$ journalctl --since="2017-12-18 16:00:00"
    -- Logs begin at 一 2017-12-18 16:11:35 CST, end at 一 2017-12-18 16:16:49 CST. 
    12月 18 16:11:35 localhost.localdomain polkitd[687]: Registered Authentication A
    12月 18 16:11:35 localhost.localdomain bluetoothd[675]: Terminating
    12月 18 16:11:35 localhost.localdomain polkitd[687]: Unregistered Authentication
    12月 18 16:12:09 localhost.localdomain polkitd[687]: Registered Authentication A
    12月 18 16:12:09 localhost.localdomain systemd-journald[471]: Received SIGTERM f
    12月 18 16:12:09 localhost.localdomain systemd-journal[2763]: Journal started
    12月 18 16:12:09 localhost.localdomain systemd[1]: Starting Flush Journal to Per
    12月 18 16:12:09 localhost.localdomain polkitd[687]: Unregistered Authentication
    12月 18 16:12:09 localhost.localdomain systemd[1]: Started Flush Journal to Pers
    12月 18 16:16:49 localhost.localdomain dhclient[862]: DHCPREQUEST on eno16777736
    12月 18 16:16:49 localhost.localdomain dhclient[862]: DHCPACK from 172.16.15.254
    12月 18 16:16:49 localhost.localdomain dhclient[862]: bound to 172.16.15.132 -- 
    12月 18 16:16:49 localhost.localdomain nm-dispatcher[2816]: req:1 'dhcp4-change'
    12月 18 16:16:49 localhost.localdomain nm-dispatcher[2816]: req:1 'dhcp4-change'
    
    [root@localhost ~]$ journalctl --until="2017-12-18 16:16:00"
    -- Logs begin at 一 2017-12-18 16:11:35 CST, end at 一 2017-12-18 16:20:01 CST. 
    12月 18 16:11:35 localhost.localdomain polkitd[687]: Registered Authentication A
    12月 18 16:11:35 localhost.localdomain bluetoothd[675]: Terminating
    12月 18 16:11:35 localhost.localdomain polkitd[687]: Unregistered Authentication
    12月 18 16:12:09 localhost.localdomain polkitd[687]: Registered Authentication A
    12月 18 16:12:09 localhost.localdomain systemd[1]: Starting Flush Journal to Per
    12月 18 16:12:09 localhost.localdomain polkitd[687]: Unregistered Authentication
    12月 18 16:12:09 localhost.localdomain systemd[1]: Started Flush Journal to Pers
    
  • -o, --output=
    The output format can be chosen from: short, short-full, short-iso, short-iso-precise, short-precise, short-monotonic, short-unix, verbose, export, json, json-pretty, json-sse, cat, with-unit.
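
The sshd lines in the -u and -f output above can be turned into a per-source login summary. This is an added example, not part of the original post; the function names and sample lines are constructed here, and the unit name sshd is assumed from the CentOS host shown above.

```shell
#!/bin/sh
# Summarise successful sshd logins from journalctl text output.
# Matching starts at the "sshd[PID]:" tag instead of counting columns, because
# the timestamp layout depends on locale and -o (e.g. "Jul 22" vs "12月 18").

summarize_ssh_logins() {
    # stdin: journalctl lines; stdout: "count method user source_ip", busiest first
    awk '
        {
            # locate the field that holds the sshd syslog tag
            tag = 0
            for (i = 1; i <= NF; i++)
                if ($i ~ /^sshd\[[0-9]+\]:$/) { tag = i; break }
            if (!tag) next
            # expected message: Accepted <method> for <user> from <ip> port <n> ssh2
            if ($(tag+1) != "Accepted" || $(tag+3) != "for" || $(tag+5) != "from") next
            seen[$(tag+2) " " $(tag+4) " " $(tag+6)]++
        }
        END { for (k in seen) print seen[k], k }
    ' | sort -k1,1nr -k2
}

# Constructed sample input in the style of the output shown above.
sample_journal() {
    cat <<'EOF'
Jul 22 15:35:57 localhost.localdomain sshd[2857]: Accepted password for root from 192.168.111.1 port 51489 ssh2
Jul 22 15:35:57 localhost.localdomain sshd[2857]: pam_unix(sshd:session): session opened for user root by (uid=0)
-- Reboot --
Aug 05 09:55:17 localhost.localdomain sshd[968]: Server listening on 0.0.0.0 port 22.
Aug 05 10:06:07 localhost.localdomain sshd[3289]: Accepted password for root from 192.168.111.1 port 51905 ssh2
12月 18 16:20:41 localhost.localdomain sshd[3310]: Accepted publickey for ben from 172.16.15.1 port 40022 ssh2
EOF
}

# Live use on a host:
#   journalctl -u sshd -b --no-pager | summarize_ssh_logins
sample_journal | summarize_ssh_logins
```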

To clear the current journalctl logs, use the following.

[root@localhost ~]$ find /run/log/journal -name "*.journal" | xargs sudo rm
[root@localhost ~]$ systemctl restart systemd-journald
[root@localhost ~]$ journalctl
-- Logs begin at 一 2017-12-18 16:29:54 CST, end at 一 2017-12-18 16:30:01 CST. --
12月 18 16:29:54 localhost.localdomain polkitd[687]: Registered Authentication Agent for unix-process:3013:153603 (system bus name :1.67 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale zh_TW.UTF-8)
12月 18 16:29:54 localhost.localdomain systemd[1]: Stopping Flush Journal to Persistent Storage...
12月 18 16:29:54 localhost.localdomain systemd-journal[3000]: Journal stopped
12月 18 16:29:54 localhost.localdomain systemd-journal[3020]: Runtime journal is using 6.1M (max allowed 48.8M, trying to leave 73.2M free of 481.1M available → current limit 48.8M).
12月 18 16:29:54 localhost.localdomain systemd-journal[3020]: Runtime journal is using 6.1M (max allowed 48.8M, trying to leave 73.2M free of 481.1M available → current limit 48.8M).
12月 18 16:29:54 localhost.localdomain systemd-journald[3000]: Received SIGTERM from PID 1 (systemd).
12月 18 16:29:54 localhost.localdomain systemd-journal[3020]: Journal started
12月 18 16:29:54 localhost.localdomain systemd[1]: Starting Flush Journal to Persistent Storage...
12月 18 16:29:54 localhost.localdomain systemd[1]: Started Flush Journal to Persistent Storage.
12月 18 16:29:54 localhost.localdomain polkitd[687]: Unregistered Authentication Agent for unix-process:3013:153603 
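
Whether the journal lives in /run/log/journal or /var/log/journal depends on the effective Storage= setting described under -b. The check below is an added example, not from the original post: the function name and demo files are constructed here, and it reads Storage= lines without checking that they sit under [Journal].

```shell
#!/bin/sh
# Report where journald keeps its data, following journald.conf(5):
# Storage= is one of volatile, persistent, auto, none; the default "auto"
# is persistent only when the /var/log/journal directory exists.

# usage: journal_storage_mode PERSISTENT_DIR CONF_FILE...
# Later files override earlier ones, so pass drop-ins after the main file.
journal_storage_mode() {
    persist_dir=$1; shift
    setting=auto
    for conf in "$@"; do
        [ -r "$conf" ] || continue
        # last uncommented Storage= line in this file, if any
        v=$(sed -n 's/^[[:space:]]*Storage[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$conf" | tail -n 1)
        [ -n "$v" ] && setting=$v
    done
    case $setting in
        persistent) echo "persistent" ;;
        volatile)   echo "volatile" ;;
        none)       echo "none" ;;
        auto)       if [ -d "$persist_dir" ]; then echo "persistent"; else echo "volatile"; fi ;;
        *)          echo "unknown($setting)" ;;
    esac
}

# Constructed demo: the shipped commented-out default, then a drop-in override.
demo() {
    d=$(mktemp -d)
    printf '[Journal]\n#Storage=auto\n' > "$d/journald.conf"
    printf '[Journal]\nStorage=volatile\n' > "$d/10-volatile.conf"
    echo "default, no directory : $(journal_storage_mode "$d/journal" "$d/journald.conf")"
    mkdir "$d/journal"
    echo "default, directory    : $(journal_storage_mode "$d/journal" "$d/journald.conf")"
    echo "with drop-in          : $(journal_storage_mode "$d/journal" "$d/journald.conf" "$d/10-volatile.conf")"
    rm -rf "$d"
}
demo

# On a real host:
#   journal_storage_mode /var/log/journal /etc/systemd/journald.conf \
#       /etc/systemd/journald.conf.d/*.conf
```

A result of volatile means the logs from before the last reboot are gone, which is the case the -b section's Storage=persistent change avoids.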