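Traditional Linux log files fall into two categories, the kernel log (klogd) and the system log (syslogd); see https://benjr.tw/22756
- Kernel log (klogd)
Mainly stores messages from system boot and from the kernel's communication with hardware. The kernel log is stored in /var/log/dmesg, or can be viewed with the dmesg command.
- System log (syslogd); the newer version is rsyslog (https://benjr.tw/34103)
Messages after boot are stored according to the rules in the configuration file /etc/syslog.conf; most of them end up in /var/log/messages.
On systemd-based Linux, systemd's own systemd-journald records the system log (view it with the journalctl command).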
    [root@localhost ~]# pstree | grep -i system
    systemd-+-ModemManager---2*[{ModemManager}]
            |-systemd-journal
            |-systemd-logind
            |-systemd-udevd
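journalctl is one of systemd's components and is mainly responsible for managing log files. Running journalctl on its own gives a result equivalent to searching the data under /var/log/. journalctl also shows lines at error level or higher in red, and lines at notice and warning level in bold.
However, journalctl's log files are stored in /run/log/journal (the /run directory is held in memory), so they are gone after the next boot. rsyslog (https://benjr.tw/34103) is still needed to keep long-term system logs, with logrotate to keep the log files from growing too large.
Some commonly used options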
- -k, --dmesg
Show only kernel messages.
- -b, --boot
By default only the current boot is visible (journalctl's log files are held in memory). To keep them, edit the configuration file /etc/systemd/journald.conf; the storage path is /var/log/journal.
    [root@localhost ~]# mkdir -p /var/log/journal
    [root@localhost ~]# vi /etc/systemd/journald.conf
    . . .
    [Journal]
    Storage=persistent
    [root@localhost ~]# systemctl restart systemd-journald
    [root@localhost ~]# systemctl status systemd-journald
    ● systemd-journald.service - Journal Service
       Loaded: loaded (/usr/lib/systemd/system/systemd-journald.service; static; vendor preset: disabled)
       Active: active (running) since Fri 2020-06-12 23:44:27 CST; 6s ago
         Docs: man:systemd-journald.service(8)
               man:journald.conf(5)
     Main PID: 2663 (systemd-journal)
       Status: "Processing requests..."
        Tasks: 1 (limit: 23794)
       Memory: 1.5M
       CGroup: /system.slice/systemd-journald.service
               └─2663 /usr/lib/systemd/systemd-journald
    Jun 12 23:44:27 localhost.localdomain systemd-journald[2663]: Journal started
    Jun 12 23:44:27 localhost.localdomain systemd-journald[2663]: System journal (/var/log/journal/c23f044e27314d09a>
    [root@localhost ~]# reboot
    Connection to 192.168.111.183 closed by remote host.
    Connection to 192.168.111.183 closed.
    Ben@Ben10 ~ % ssh root@192.168.111.183
    root@192.168.111.183's password:
    Activate the web console with: systemctl enable --now cockpit.socket
    Last login: Fri Jun 12 23:43:19 2020 from 192.168.111.1
    [root@localhost ~]# journalctl --list-boots
    -1 cc6587f1266b4659860b571bac5edcbf Fri 2020-06-12 23:41:48 CST—Fri 2020-06-12 23:44:47 CST
     0 0e90e0f98fd94c5197d75423330e2db1 Fri 2020-06-12 23:45:15 CST—Fri 2020-06-12 23:45:38 CST
    [root@localhost ~]# ll /var/log/journal
    total 0
    drwxr-sr-x+ 2 root systemd-journal 28 Jun 12 23:43 c23f044e27314d09a5df7644acdd0cac
    [root@localhost ~]#
journalctl --list-boots above shows each boot's ID and its offset, so we can use -b [ID][+-offset] to view the log of that particular boot.
-1 means the log of the previous boot, -2 the log of the boot before that, and so on.
    [root@localhost ~]# journalctl -b -1
or
    [root@localhost ~]# journalctl -b cc6587f1266b4659860b571bac5edcbf
- -u, --unit
Show messages for the specified systemd unit UNIT
To see a service's status messages you used to have to look at syslog or another corresponding log under /var/log/. After the switch to systemd, systemctl status shows the current state of a service.
    root@ubuntu:~# systemctl status ssh
    ● ssh.service - OpenBSD Secure Shell server
       Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enab
       Active: active (running) since Wed 2017-04-26 00:11:39 PDT; 27min ago
      Process: 2269 ExecReload=/bin/kill -HUP $MAINPID (code=exited, status=0/SUCCES
     Main PID: 932 (sshd)
        Tasks: 1
       Memory: 2.9M
          CPU: 133ms
       CGroup: /system.slice/ssh.service
               └─932 /usr/sbin/sshd -D
    Apr 26 00:20:02 ubuntu systemd[1]: Reloading OpenBSD Secure Shell server.
    Apr 26 00:20:02 ubuntu sshd[932]: Received SIGHUP; restarting.
    Apr 26 00:20:02 ubuntu systemd[1]: Reloaded OpenBSD Secure Shell server.
    Apr 26 00:20:02 ubuntu sshd[932]: Server listening on 0.0.0.0 port 22.
    Apr 26 00:20:02 ubuntu sshd[932]: Server listening on :: port 22.
    Apr 26 00:20:03 ubuntu systemd[1]: Reloading OpenBSD Secure Shell server.
    Apr 26 00:20:03 ubuntu sshd[932]: Received SIGHUP; restarting.
    Apr 26 00:20:03 ubuntu systemd[1]: Reloaded OpenBSD Secure Shell server.
    Apr 26 00:20:03 ubuntu sshd[932]: Server listening on 0.0.0.0 port 22.
    Apr 26 00:20:03 ubuntu sshd[932]: Server listening on :: port 22.
That only shows the most recent entries, though; for the complete messages use journalctl -u.
-u : --unit , Show messages for the specified systemd unit UNIT
    root@ubuntu:~# journalctl -u ssh
    -- Logs begin at Wed 2017-04-26 00:11:34 PDT, end at Wed 2017-04-26 00:45:04 PDT
    Apr 26 00:11:39 ubuntu systemd[1]: Starting OpenBSD Secure Shell server...
    Apr 26 00:11:39 ubuntu sshd[932]: Server listening on 0.0.0.0 port 22.
    Apr 26 00:11:39 ubuntu sshd[932]: Server listening on :: port 22.
    Apr 26 00:11:39 ubuntu systemd[1]: Started OpenBSD Secure Shell server.
    Apr 26 00:11:41 ubuntu systemd[1]: Reloading OpenBSD Secure Shell server.
    Apr 26 00:11:41 ubuntu sshd[932]: Received SIGHUP; restarting.
    Apr 26 00:11:41 ubuntu systemd[1]: Reloaded OpenBSD Secure Shell server.
    Apr 26 00:11:41 ubuntu sshd[932]: Server listening on 0.0.0.0 port 22.
    Apr 26 00:11:41 ubuntu sshd[932]: Server listening on :: port 22.
    Apr 26 00:11:42 ubuntu systemd[1]: Reloading OpenBSD Secure Shell server.
    Apr 26 00:11:42 ubuntu sshd[932]: Received SIGHUP; restarting.
    Apr 26 00:11:42 ubuntu systemd[1]: Reloaded OpenBSD Secure Shell server.
    Apr 26 00:11:42 ubuntu sshd[932]: Server listening on 0.0.0.0 port 22.
    Apr 26 00:11:42 ubuntu sshd[932]: Server listening on :: port 22.
    Apr 26 00:11:43 ubuntu systemd[1]: Reloading OpenBSD Secure Shell server.
    Apr 26 00:11:43 ubuntu sshd[932]: Received SIGHUP; restarting.
    Apr 26 00:11:43 ubuntu systemd[1]: Reloaded OpenBSD Secure Shell server.
    Apr 26 00:11:43 ubuntu sshd[932]: Server listening on 0.0.0.0 port 22.
    Apr 26 00:11:43 ubuntu sshd[932]: Server listening on :: port 22.
    Apr 26 00:11:49 ubuntu sshd[1715]: Accepted password for ben from 172.16.15.1 po
    Apr 26 00:11:49 ubuntu sshd[1715]: pam_unix(sshd:session): session opened for us
    Apr 26 00:20:02 ubuntu systemd[1]: Reloading OpenBSD Secure Shell server.
    lines 1-23
- -f, --follow
Use this option to keep following the log as new entries arrive, like tail -f.
    [root@localhost ~]# journalctl -u sshd -f
    -- Logs begin at Fri 2020-06-12 15:36:36 CST. --
    Jul 22 15:35:57 localhost.localdomain sshd[2857]: Accepted password for root from 192.168.111.1 port 51489 ssh2
    Jul 22 15:35:57 localhost.localdomain sshd[2857]: pam_unix(sshd:session): session opened for user root by (uid=0)
    Jul 22 17:15:36 localhost.localdomain systemd[1]: Stopping OpenSSH server daemon...
    Jul 22 17:15:36 localhost.localdomain systemd[1]: Stopped OpenSSH server daemon.
    -- Reboot --
    Aug 05 09:55:17 localhost.localdomain systemd[1]: Starting OpenSSH server daemon...
    Aug 05 09:55:17 localhost.localdomain sshd[968]: Server listening on 0.0.0.0 port 22.
    Aug 05 09:55:17 localhost.localdomain systemd[1]: Started OpenSSH server daemon.
    Aug 05 09:55:17 localhost.localdomain sshd[968]: Server listening on :: port 22.
    Aug 05 10:06:07 localhost.localdomain sshd[3289]: Accepted password for root from 192.168.111.1 port 51905 ssh2
    Aug 05 10:06:07 localhost.localdomain sshd[3289]: pam_unix(sshd:session): session opened for user root by (uid=0)
- -p, --priority=
Filter output by message priorities or priority ranges (numeric/text): "emerg" (0), "alert" (1), "crit" (2), "err" (3), "warning" (4), "notice" (5), "info" (6), "debug" (7).
Use journalctl to show entries at priority "err" (3) and above, which includes "emerg" (0), "alert" (1) and "crit" (2).
    [root@localhost ~]# journalctl -p 3
    -- Logs begin at 三 2018-06-13 22:05:06 EDT, end at 三 2018-06-13 22:08:39 EDT. --
    6月 13 22:05:07 localhost.localdomain kernel: sd 0:0:0:0: [sda] Assuming drive cache: write through
    6月 13 22:05:10 localhost.localdomain kernel: piix4_smbus 0000:00:07.3: SMBus Host Controller not enabled!
    6月 13 22:05:17 localhost.localdomain systemd[1]: Failed to start Crash recovery kernel arming.
    6月 13 22:05:22 localhost.localdomain pulseaudio[1625]: [alsa-sink-ES1371/1] alsa-sink.c: ALSA woke us up to write new data to the device, but there was actually nothing to write.
    6月 13 22:05:22 localhost.localdomain pulseaudio[1625]: [alsa-sink-ES1371/1] alsa-sink.c: Most likely this is a bug in the ALSA driver 'snd_ens1371'. Please report this issue to the ALSA developers.
    6月 13 22:05:22 localhost.localdomain pulseaudio[1625]: [alsa-sink-ES1371/1] alsa-sink.c: We were woken up with POLLOUT set -- however a subsequent snd_pcm_avail() returned 0 or another value < min_avail.
    6月 13 22:05:25 localhost.localdomain spice-vdagent[1688]: Cannot access vdagent virtio channel /dev/virtio-ports/com.redhat.spice.0
The following commands are equivalent.
    [root@localhost ~]# journalctl -p err
    [root@localhost ~]# journalctl --priority=3
    [root@localhost ~]# journalctl --priority=err
- -S, --since=, -U, --until=
These options select log entries by time. The format is 2012-10-30 18:17:16 (00:00:00 when no time is given), or a string such as yesterday, today or tomorrow; a leading - (a time before the current time) or + (a time after the current time) may be added.
    [root@localhost ~]$ journalctl --since="2017-12-18 16:00:00"
    -- Logs begin at 一 2017-12-18 16:11:35 CST, end at 一 2017-12-18 16:16:49 CST.
    12月 18 16:11:35 localhost.localdomain polkitd[687]: Registered Authentication A
    12月 18 16:11:35 localhost.localdomain bluetoothd[675]: Terminating
    12月 18 16:11:35 localhost.localdomain polkitd[687]: Unregistered Authentication
    12月 18 16:12:09 localhost.localdomain polkitd[687]: Registered Authentication A
    12月 18 16:12:09 localhost.localdomain systemd-journald[471]: Received SIGTERM f
    12月 18 16:12:09 localhost.localdomain systemd-journal[2763]: Journal started
    12月 18 16:12:09 localhost.localdomain systemd[1]: Starting Flush Journal to Per
    12月 18 16:12:09 localhost.localdomain polkitd[687]: Unregistered Authentication
    12月 18 16:12:09 localhost.localdomain systemd[1]: Started Flush Journal to Pers
    12月 18 16:16:49 localhost.localdomain dhclient[862]: DHCPREQUEST on eno16777736
    12月 18 16:16:49 localhost.localdomain dhclient[862]: DHCPACK from 172.16.15.254
    12月 18 16:16:49 localhost.localdomain dhclient[862]: bound to 172.16.15.132 --
    12月 18 16:16:49 localhost.localdomain nm-dispatcher[2816]: req:1 'dhcp4-change'
    12月 18 16:16:49 localhost.localdomain nm-dispatcher[2816]: req:1 'dhcp4-change'
    [root@localhost ~]$ journalctl --until="2017-12-18 16:16:00"
    -- Logs begin at 一 2017-12-18 16:11:35 CST, end at 一 2017-12-18 16:20:01 CST.
    12月 18 16:11:35 localhost.localdomain polkitd[687]: Registered Authentication A
    12月 18 16:11:35 localhost.localdomain bluetoothd[675]: Terminating
    12月 18 16:11:35 localhost.localdomain polkitd[687]: Unregistered Authentication
    12月 18 16:12:09 localhost.localdomain polkitd[687]: Registered Authentication A
    12月 18 16:12:09 localhost.localdomain systemd[1]: Starting Flush Journal to Per
    12月 18 16:12:09 localhost.localdomain polkitd[687]: Unregistered Authentication
    12月 18 16:12:09 localhost.localdomain systemd[1]: Started Flush Journal to Pers
- -o, --output=
The output format can be chosen from short, short-full, short-iso, short-iso-precise, short-precise, short-monotonic, short-unix, verbose, export, json, json-pretty, json-sse, cat and with-unit.
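An added example, not from the original post: for scripted review of the sshd entries shown under -u and -f, -o short-iso is easier to parse than the default short format, whose timestamp follows the locale (compare the 6月 13 lines in the -p output). The function names ssh_login_summary and sample_journal and the sample lines are constructed for illustration.

```sh
#!/bin/sh
# Added example: count successful SSH password logins per (user, source IP).
# Real use:  journalctl -u sshd -o short-iso | ssh_login_summary
# short-iso keeps the whole timestamp in field 1, whatever the locale is.
ssh_login_summary() {
    awk '
    # $3 is "sshd[PID]:" and the message text starts at $4
    $3 ~ /^sshd\[[0-9]+\]:$/ && $4 == "Accepted" && $5 == "password" &&
    $6 == "for" && $8 == "from" {
        key = $7 " " $9                      # user and source address
        if (!(key in count)) { order[++k] = key; first[key] = $1 }
        count[key]++
        last[key] = $1
    }
    END {
        # keep the order in which each (user, IP) pair was first seen
        for (i = 1; i <= k; i++) {
            key = order[i]
            print key, count[key], first[key], last[key]
        }
    }'
}

# Constructed sample in short-iso layout (not captured from a real host).
sample_journal() {
    cat <<'EOF'
-- Logs begin at Fri 2020-06-12 15:36:36 CST. --
2020-07-22T15:35:57+0800 localhost.localdomain sshd[2857]: Accepted password for root from 192.168.111.1 port 51489 ssh2
2020-07-22T15:35:57+0800 localhost.localdomain sshd[2857]: pam_unix(sshd:session): session opened for user root by (uid=0)
-- Reboot --
2020-08-05T09:55:17+0800 localhost.localdomain sshd[968]: Server listening on 0.0.0.0 port 22.
2020-08-05T10:06:07+0800 localhost.localdomain sshd[3289]: Accepted password for root from 192.168.111.1 port 51905 ssh2
2020-08-05T10:07:30+0800 localhost.localdomain sshd[3301]: Accepted password for ben from 172.16.15.1 port 40022 ssh2
EOF
}

sample_journal | ssh_login_summary
```

Each output line is user, source IP, number of logins, then the first and last timestamp seen for that pair.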
To clear the current journalctl log, do the following.
    [root@localhost ~]$ find /run/log/journal -name "*.journal" | xargs sudo rm
    [root@localhost ~]$ systemctl restart systemd-journald
    [root@localhost ~]$ journalctl
    -- Logs begin at 一 2017-12-18 16:29:54 CST, end at 一 2017-12-18 16:30:01 CST. --
    12月 18 16:29:54 localhost.localdomain polkitd[687]: Registered Authentication Agent for unix-process:3013:153603 (system bus name :1.67 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale zh_TW.UTF-8)
    12月 18 16:29:54 localhost.localdomain systemd[1]: Stopping Flush Journal to Persistent Storage...
    12月 18 16:29:54 localhost.localdomain systemd-journal[3000]: Journal stopped
    12月 18 16:29:54 localhost.localdomain systemd-journal[3020]: Runtime journal is using 6.1M (max allowed 48.8M, trying to leave 73.2M free of 481.1M available → current limit 48.8M).
    12月 18 16:29:54 localhost.localdomain systemd-journal[3020]: Runtime journal is using 6.1M (max allowed 48.8M, trying to leave 73.2M free of 481.1M available → current limit 48.8M).
    12月 18 16:29:54 localhost.localdomain systemd-journald[3000]: Received SIGTERM from PID 1 (systemd).
    12月 18 16:29:54 localhost.localdomain systemd-journal[3020]: Journal started
    12月 18 16:29:54 localhost.localdomain systemd[1]: Starting Flush Journal to Persistent Storage...
    12月 18 16:29:54 localhost.localdomain systemd[1]: Started Flush Journal to Persistent Storage.
    12月 18 16:29:54 localhost.localdomain polkitd[687]: Unregistered Authentication Agent for unix-process:3013:153603
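An added example, not from the original post: a check for where journald will keep its logs, which decides whether entries survive a reboot as in the Storage=persistent step under -b. The function name journal_storage is hypothetical; it reads only the one file it is given (drop-in files under journald.conf.d are not considered) and assumes the upstream default Storage=auto.

```sh
#!/bin/sh
# Added example: report where journald will store logs.
#   $1 = journald.conf-style file, $2 = persistent journal directory
# Prints one of: persistent, volatile, none, unknown.
# Assumption: upstream default Storage=auto when the key is unset or empty.
journal_storage() {
    conf=$1
    dir=$2
    mode=auto
    if [ -r "$conf" ]; then
        # The last Storage= inside [Journal] wins; comment lines are skipped.
        mode=$(awk '
            /^[ \t]*[#;]/ { next }
            /^[ \t]*\[/   { in_j = ($0 ~ /^[ \t]*\[Journal\][ \t]*$/); next }
            in_j && /^[ \t]*Storage[ \t]*=/ {
                sub(/^[^=]*=[ \t]*/, "")
                sub(/[ \t]+$/, "")
                v = $0
            }
            END { print (v == "" ? "auto" : v) }' "$conf")
    fi
    case $mode in
        persistent) echo persistent ;;   # /var/log/journal, created if missing
        volatile)   echo volatile ;;     # /run/log/journal only, lost at reboot
        none)       echo none ;;         # nothing is stored
        auto)       # persistent only when the directory already exists
                    if [ -d "$dir" ]; then echo persistent; else echo volatile; fi ;;
        *)          echo unknown ;;
    esac
}

# Check the paths used on this page.
journal_storage /etc/systemd/journald.conf /var/log/journal
```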